Debian fixed the following flaw in dpkg: Hanno Boeck discovered a stack-based buffer overflow in the dpkg-deb component of dpkg, the Debian package management system. This flaw could potentially lead to arbitrary code execution if a user or an automated system were tricked into processing a specially crafted Debian binary package (.deb) in the old style Debian binary package format. Additional information: https://lists.debian.org/debian-security-announce/2015/msg00312.html http://seclists.org/oss-sec/2015/q4/389
Created dpkg tracking bugs for this issue: Affects: fedora-all [bug 1286012] Affects: epel-all [bug 1286013]
where is the patch ? what version are affected ? or in what version this is fixed ? Thanks
(In reply to Sergio Monteiro Basto from comment #2) > where is the patch ? what version are affected ? or in what version this is > fixed ? > > Thanks These look like the correct patches: https://anonscm.debian.org/cgit/dpkg/dpkg.git/commit/?h=wheezy&id=f1aac7d933819569bf6f347c3c0d5a64a90bbce0 https://anonscm.debian.org/cgit/dpkg/dpkg.git/commit/?h=wheezy&id=80913664ab1ab876128ede7e0967346cf7c48dce https://anonscm.debian.org/cgit/dpkg/dpkg.git/commit/?h=wheezy&id=efc9e395b91ecce0b4eb99fde975be6a0c8b1cb1 Though, strictly speaking, only the first patch is related to CVE-2015-0860. The other two are mentioned in the oss-sec mail I linked to but don't have CVEs; I'm assuming they don't have any security implications and are classed as regular bugs.