The Debian https://www.debian.org/security/2014/dsa-2915 advisory fixes the following issue:

"Jakub Wilk discovered that dpkg did not correctly parse C-style filename quoting, allowing for paths to be traversed when unpacking a source package - leading to the creation of files outside the directory of the source being unpacked."

This looks like the fix:

http://anonscm.debian.org/gitweb/?p=dpkg/dpkg.git;a=commitdiff;h=a82651188476841d190c58693f95827d61959b51

http://osdir.com/ml/general/2014-04/msg51025.html notes a potential issue with the fix on some systems.
Created dpkg tracking bugs for this issue:

Affects: fedora-all [bug 1092211]
Affects: epel-all [bug 1092212]
> http://osdir.com/ml/general/2014-04/msg51025.html notes a potential issue
> with the fix on some systems.

Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746306
(In reply to Murray McAllister from comment #0)
> The Debian https://www.debian.org/security/2014/dsa-2915 advisory fixes the
> following issue:
>
> "Jakub Wilk discovered that dpkg did not correctly parse C-style filename
> quoting, allowing for paths to be traversed when unpacking a source package
> - leading to the creation of files outside the directory of the source being
> unpacked."
>
> This looks like the fix:
>
> http://anonscm.debian.org/gitweb/?p=dpkg/dpkg.git;a=commitdiff;h=a82651188476841d190c58693f95827d61959b51

http://anonscm.debian.org/gitweb/?p=dpkg/dpkg.git;a=shortlog;h=refs/tags/1.16.13

1.16.13 has the fix but wasn't yet published in http://ftp.debian.org/debian/pool/main/d/dpkg/ and http://packages.qa.debian.org/d/dpkg.html. I'll wait for it to be published if there is no problem.
dpkg-1.16.14-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to Murray McAllister from comment #2)
> > http://osdir.com/ml/general/2014-04/msg51025.html notes a potential issue
> > with the fix on some systems.
>
> Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746306

This was assigned CVE-2014-3127: http://www.openwall.com/lists/oss-security/2014/05/02/1

I am not sure if Fedora is affected or not (I do not know which version of the patch they are referring to).
(In reply to Murray McAllister from comment #5)
> (In reply to Murray McAllister from comment #2)
> > > http://osdir.com/ml/general/2014-04/msg51025.html notes a potential issue
> > > with the fix on some systems.
> >
> > Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746306
>
> This was assigned CVE-2014-3127:
> http://www.openwall.com/lists/oss-security/2014/05/02/1
>
> I am not sure if Fedora is affected or not (I do not know which version of
> patch they are referring to)

Another CVE that seems related to this is CVE-2014-3227. From http://seclists.org/oss-sec/2014/q2/388:

"CVE-2014-3127 (revised CVE description to be published at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3127 soon): dpkg 1.15.9 on Debian squeeze introduces support for the "C-style encoded filenames" feature without recognizing that the squeeze patch program lacks this feature, which triggers an interaction error that allows remote attackers to conduct directory traversal attacks and modify files outside of the intended directories via a crafted source package. NOTE: this can be considered a release engineering problem in the effort to fix CVE-2014-0471.

CVE-2014-3227 (new CVE to be published at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3227 and http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3227 soon): dpkg 1.15.9, 1.16.x before 1.16.14, and 1.17.x before 1.17.9 expect the patch program to be compliant with a need for the "C-style encoded filenames" feature, but is supported in environments with noncompliant patch programs, which triggers an interaction error that allows remote attackers to conduct directory traversal attacks and modify files outside of the intended directories via a crafted source package. NOTE: this vulnerability exists because of reliance on unrealistic constraints on the behavior of an external program."
I don't have commit permissions on Fedora EPEL 6 / Fedora EPEL 5.
Sergio, request permissions; I will approve.
I already requested: https://admin.fedoraproject.org/pkgdb/package/dpkg/

Awaiting Review
Awaiting Review
Awaiting Review
Awaiting Review
Done.
dpkg-1.16.15-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
dpkg-1.16.16-5.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
dpkg-1.16.16-5.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
I couldn't build dpkg for el5 because:

DEBUG util.py:388: Error: No Package found for po4a [1]

[1] https://kojipkgs.fedoraproject.org//work/tasks/5213/9525213/root.log