Bug 1092210 (CVE-2014-0471)

Summary: CVE-2014-0471 dpkg: path traversal when unpacking a source package
Product: [Other] Security Response
Component: vulnerability
Reporter: Murray McAllister <mmcallis>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: andrew, sergio, vanmeeuwen+fedora
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=low,public=20140428,reported=20140428,source=mageia,cvss2=1.9/AV:L/AC:M/Au:N/C:N/I:P/A:N,fedora-all/dpkg=affected,epel-all/dpkg=affected
Doc Type: Bug Fix
Last Closed: 2015-05-14 07:30:27 EDT
Bug Depends On: 1092211, 1092212

Description Murray McAllister 2014-04-28 22:36:45 EDT
The Debian https://www.debian.org/security/2014/dsa-2915 advisory fixes the following issue:

"Jakub Wilk discovered that dpkg did not correctly parse C-style filename quoting, allowing for paths to be traversed when unpacking a source package - leading to the creation of files outside the directory of the source being unpacked."

This looks like the fix:

http://anonscm.debian.org/gitweb/?p=dpkg/dpkg.git;a=commitdiff;h=a82651188476841d190c58693f95827d61959b51

http://osdir.com/ml/general/2014-04/msg51025.html notes a potential issue with the fix on some systems.
Comment 1 Murray McAllister 2014-04-28 22:38:57 EDT
Created dpkg tracking bugs for this issue:

Affects: fedora-all [bug 1092211]
Affects: epel-all [bug 1092212]
Comment 2 Murray McAllister 2014-04-28 23:48:22 EDT
> http://osdir.com/ml/general/2014-04/msg51025.html notes a potential issue
> with the fix on some systems.

Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746306
Comment 3 Sergio Monteiro Basto 2014-04-29 20:45:09 EDT
(In reply to Murray McAllister from comment #0)
> The Debian https://www.debian.org/security/2014/dsa-2915 advisory fixes the
> following issue:
> 
> "Jakub Wilk discovered that dpkg did not correctly parse C-style filename
> quoting, allowing for paths to be traversed when unpacking a source package
> - leading to the creation of files outside the directory of the source being
> unpacked."
> 
> This looks like the fix:
> 
> http://anonscm.debian.org/gitweb/?p=dpkg/dpkg.git;a=commitdiff;
> h=a82651188476841d190c58693f95827d61959b51


http://anonscm.debian.org/gitweb/?p=dpkg/dpkg.git;a=shortlog;h=refs/tags/1.16.13

1.16.13 has the fix but wasn't yet published in 
http://ftp.debian.org/debian/pool/main/d/dpkg/
and
http://packages.qa.debian.org/d/dpkg.html

I'll wait for it to be published if there is no problem.
Comment 4 Fedora Update System 2014-05-20 22:27:46 EDT
dpkg-1.16.14-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Murray McAllister 2014-05-30 00:29:04 EDT
(In reply to Murray McAllister from comment #2)
> > http://osdir.com/ml/general/2014-04/msg51025.html notes a potential issue
> > with the fix on some systems.
> 
> Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746306

This was assigned CVE-2014-3127: http://www.openwall.com/lists/oss-security/2014/05/02/1

I am not sure if Fedora is affected or not (I do not know which version of patch they are referring to)
Comment 6 Murray McAllister 2014-05-30 00:42:56 EDT
(In reply to Murray McAllister from comment #5)
> (In reply to Murray McAllister from comment #2)
> > > http://osdir.com/ml/general/2014-04/msg51025.html notes a potential issue
> > > with the fix on some systems.
> > 
> > Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746306
> 
> This was assigned CVE-2014-3127:
> http://www.openwall.com/lists/oss-security/2014/05/02/1
> 
> I am not sure if Fedora is affected or not (I do not know which version of
> patch they are referring to)

Another CVE that seems related to this is CVE-2014-3227. From http://seclists.org/oss-sec/2014/q2/388

""
CVE-2014-3127 (revised CVE description to be published at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3127 soon):

dpkg 1.15.9 on Debian squeeze introduces support for the "C-style
encoded filenames" feature without recognizing that the squeeze patch
program lacks this feature, which triggers an interaction error that
allows remote attackers to conduct directory traversal attacks and
modify files outside of the intended directories via a crafted source
package. NOTE: this can be considered a release engineering problem in
the effort to fix CVE-2014-0471.



CVE-2014-3227 (new CVE to be published at
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3227 and
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3227 soon):

dpkg 1.15.9, 1.16.x before 1.16.14, and 1.17.x before 1.17.9 expect
the patch program to be compliant with a need for the "C-style encoded
filenames" feature, but is supported in environments with noncompliant
patch programs, which triggers an interaction error that allows remote
attackers to conduct directory traversal attacks and modify files
outside of the intended directories via a crafted source package.
NOTE: this vulnerability exists because of reliance on unrealistic
constraints on the behavior of an external program.
""
Comment 7 Sergio Monteiro Basto 2014-05-30 07:03:48 EDT
I don't have commit permissions on Fedora EPEL 6, Fedora EPEL 5
Comment 8 Andrew Colin Kissa 2014-05-30 07:13:23 EDT
Sergio, request permissions; I will approve.
Comment 9 Sergio Monteiro Basto 2014-05-30 07:17:50 EDT
I already requested:

https://admin.fedoraproject.org/pkgdb/package/dpkg/


Awaiting Review Awaiting Review 	Awaiting Review Awaiting Review
Comment 10 Andrew Colin Kissa 2014-05-30 07:21:57 EDT
Done.
Comment 11 Fedora Update System 2014-08-07 11:34:07 EDT
dpkg-1.16.15-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2015-05-14 02:29:24 EDT
dpkg-1.16.16-5.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2015-05-14 02:30:14 EDT
dpkg-1.16.16-5.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Sergio Monteiro Basto 2015-05-14 07:30:27 EDT
I couldn't build dpkg for el5 because 

DEBUG util.py:388:  Error: No Package found for po4a [1]


[1] https://kojipkgs.fedoraproject.org//work/tasks/5213/9525213/root.log
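
Added example, not part of the bug report and not dpkg's own code: a pre-unpack check for the issue quoted in comments 0 and 6, where the tool validating a patch and the patch program can read a C-style quoted filename differently. The function names, reason labels and sample patch are hypothetical; each `---`/`+++` target is checked both literally and decoded, and any remaining quoted name is reported because its meaning depends on the patch program.

```python
import re

# Simple C escapes; 1-3 digit octal escapes are handled in c_unquote().
_SIMPLE = {"a": "\a", "b": "\b", "f": "\f", "n": "\n", "r": "\r",
           "t": "\t", "v": "\v", "\\": "\\", '"': '"'}

def is_quoted(name):
    return len(name) >= 2 and name[0] == '"' and name[-1] == '"'

def c_unquote(name):
    """Decode a C-style quoted filename; unquoted names are returned as-is."""
    if not is_quoted(name):
        return name
    def repl(m):
        tok = m.group(1)
        if tok[0] in "01234567":
            return chr(int(tok, 8) & 0xFF)
        if tok not in _SIMPLE:
            raise ValueError("unsupported escape: \\" + tok)
        return _SIMPLE[tok]
    return re.sub(r"\\([0-7]{1,3}|.)", repl, name[1:-1])

def escapes_tree(path):
    """Absolute path (other than /dev/null) or any '..' path component."""
    return path != "/dev/null" and (path.startswith("/") or ".." in path.split("/"))

def audit_patch(patch_text):
    """Return [(line_no, raw_name, reason)] for suspicious ---/+++ header lines."""
    findings = []
    for no, line in enumerate(patch_text.splitlines(), 1):
        m = re.match(r"(?:---|\+\+\+) (.+)$", line)
        if not m:
            continue
        raw = m.group(1).split("\t")[0].rstrip()  # drop the optional timestamp
        try:
            decoded = c_unquote(raw)
        except ValueError:
            findings.append((no, raw, "bad-escape"))
            continue
        # Check both readings: the patch program may or may not honour quoting.
        if escapes_tree(raw) or escapes_tree(decoded):
            findings.append((no, raw, "escapes-tree"))
        elif is_quoted(raw):
            findings.append((no, raw, "quoted-name"))  # tool-dependent meaning
    return findings

# Constructed sample input (not taken from the bug report).
SAMPLE = ('--- a/src/main.c\n+++ b/src/main.c\n'
          '--- /dev/null\n+++ "b/docs/caf\\303\\251.txt"\n'
          '--- /dev/null\n+++ "b/\\056\\056/\\056\\056/outside.txt"\n')
```

`audit_patch(SAMPLE)` reports line 4 as `quoted-name` and line 6 as `escapes-tree`. Every line beginning with `--- ` or `+++ ` is treated as a header, so a hunk line that happens to start that way is checked as well.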