Bug 1286011 (CVE-2015-0860)

Summary: CVE-2015-0860 dpkg: stack overflows and out of bounds read
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Severity: medium
Priority: medium
Version: unspecified
CC: andrew, carnil, jrusnack, sergio, vanmeeuwen+fedora
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: dpkg 1.17.27, dpkg 1.16.18
Doc Type: Bug Fix
Last Closed: 2016-12-13 04:25:04 UTC
Bug Depends On: 1286012, 1286013

Description Martin Prpič 2015-11-27 08:57:25 UTC
Debian fixed the following flaw in dpkg:

Hanno Boeck discovered a stack-based buffer overflow in the dpkg-deb component of dpkg, the Debian package management system. This flaw could potentially lead to arbitrary code execution if a user or an automated system were tricked into processing a specially crafted Debian binary package (.deb) in the old style Debian binary package format.

Additional information:


Comment 1 Martin Prpič 2015-11-27 08:57:56 UTC
Created dpkg tracking bugs for this issue:

Affects: fedora-all [bug 1286012]
Affects: epel-all [bug 1286013]

Comment 2 Sergio Basto 2015-11-27 16:41:18 UTC
Where is the patch? What versions are affected? Or in what version is this fixed?


Comment 3 Martin Prpič 2015-11-27 17:11:16 UTC
(In reply to Sergio Monteiro Basto from comment #2)
> Where is the patch? What versions are affected? Or in what version is this
> fixed?
> Thanks

These look like the correct patches:


Though, strictly speaking, only the first patch is related to CVE-2015-0860. The other two are mentioned in the oss-sec mail I linked to but don't have CVEs; I'm assuming they don't have any security implications and are classed as regular bugs.