Bug 1286011 (CVE-2015-0860)

Summary: CVE-2015-0860 dpkg: stack overflows and out of bounds read
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: unspecified
CC: andrew, carnil, jrusnack, sergio, vanmeeuwen+fedora
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: dpkg 1.17.27, dpkg 1.16.18
Doc Type: Bug Fix
Last Closed: 2016-12-13 04:25:04 UTC
Bug Depends On: 1286012, 1286013

Description Martin Prpič 2015-11-27 08:57:25 UTC
Debian fixed the following flaw in dpkg:

Hanno Boeck discovered a stack-based buffer overflow in the dpkg-deb component of dpkg, the Debian package management system. This flaw could potentially lead to arbitrary code execution if a user or an automated system were tricked into processing a specially crafted Debian binary package (.deb) in the old style Debian binary package format.

Additional information:

https://lists.debian.org/debian-security-announce/2015/msg00312.html
http://seclists.org/oss-sec/2015/q4/389

Comment 1 Martin Prpič 2015-11-27 08:57:56 UTC
Created dpkg tracking bugs for this issue:

Affects: fedora-all [bug 1286012]
Affects: epel-all [bug 1286013]

Comment 2 Sergio Basto 2015-11-27 16:41:18 UTC
Where is the patch? What versions are affected? Or in what version is this fixed?

Thanks

Comment 3 Martin Prpič 2015-11-27 17:11:16 UTC
(In reply to Sergio Monteiro Basto from comment #2)
> Where is the patch? What versions are affected? Or in what version is this
> fixed?
> 
> Thanks

These look like the correct patches:

https://anonscm.debian.org/cgit/dpkg/dpkg.git/commit/?h=wheezy&id=f1aac7d933819569bf6f347c3c0d5a64a90bbce0
https://anonscm.debian.org/cgit/dpkg/dpkg.git/commit/?h=wheezy&id=80913664ab1ab876128ede7e0967346cf7c48dce
https://anonscm.debian.org/cgit/dpkg/dpkg.git/commit/?h=wheezy&id=efc9e395b91ecce0b4eb99fde975be6a0c8b1cb1

Though, strictly speaking, only the first patch is related to CVE-2015-0860. The other two are mentioned in the oss-sec mail I linked to but don't have CVEs; I'm assuming they don't have any security implications and are classed as regular bugs.