Bug 15672

Summary: dpkg new security issue CVE-2015-0840
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: bruno, shlomif, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/639968/
Whiteboard: has_procedure advisory MGA4-32-OK MGA4-64-OK
Source RPM: dpkg-1.17.10-1.1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-04-10 14:26:11 CEST 
Debian and Ubuntu have issued advisories on April 9:
https://www.debian.org/security/2015/dsa-3217
http://www.ubuntu.com/usn/usn-2566-1/

The issue is fixed upstream in 1.7.25, by this commit:
http://anonscm.debian.org/cgit/dpkg/dpkg.git/commit/?h=1.17.x&id=b4ccfe4982161b8beb44f1d0c98f791c4f238edd

The patch Ubuntu used in Ubuntu 14.10 appears at a glance to be the same:
http://launchpadlibrarian.net/202647023/dpkg_1.17.13ubuntu1_1.17.13ubuntu1.1.diff.gz

Mageia 4 and Mageia 5 are affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-04-10 14:26:17 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

David Walser 2015-04-10 16:26:20 CEST

URL: (none) => http://lwn.net/Vulnerabilities/639968/

Comment 1 David Walser 2015-04-30 18:09:48 CEST 
Ping?

In case you missed it, Anne said you may update this now:
https://ml.mageia.org/l/arc/dev/2015-04/msg00383.html
David Walser 2015-05-04 23:51:19 CEST

Blocks: (none) => 14674

Comment 2 Bruno Cornec 2015-05-05 03:04:27 CEST 
Updates pushed to both mga5/cauldron and mga4 in updates_testing

Status: NEW => ASSIGNED

Comment 3 David Walser 2015-05-05 14:27:51 CEST 
Thanks Bruno!

The Mageia 4 update will need to be removed and rebuilt since you forgot to remove the subrel.  I asked in #mageia-sysadm but haven't gotten a response yet.
Comment 4 Bruno Cornec 2015-05-05 23:29:18 CEST 
Oops sorry for that. Is that critical in fact as the next one would either be a subrel 2 or another version again ?
Comment 5 David Walser 2015-05-05 23:40:55 CEST 
The issue can be worked around by setting the release tag in Cauldron to 2, which you can still do as it hasn't been pushed yet.
Comment 6 Bruno Cornec 2015-05-06 00:36:11 CEST 
Done ! Thanks David for the hint.
Comment 7 David Walser 2015-05-06 14:27:50 CEST 
Patched package uploaded for Mageia 4.

Updated package uploaded for Cauldron.  Thanks again Bruno!

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=13279#c10

Advisory:
========================

Updated dpkg packages fix security vulnerability:

The dpkg-source command in Debian dpkg before 1.17.25 allows remote attackers
to bypass signature verification via a crafted Debian source control file
(.dsc) (CVE-2015-0840).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0840
https://www.debian.org/security/2015/dsa-3217
========================

Updated packages in core/updates_testing:
========================
dpkg-1.17.25-1.1.mga4
perl-Dpkg-1.17.25-1.1.mga4

from dpkg-1.17.25-1.1.mga4.src.rpm

CC: (none) => bruno
Version: Cauldron => 4
Blocks: 14674 => (none)
Assignee: bruno => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => has_procedure

Comment 8 Shlomi Fish 2015-05-06 16:34:12 CEST 
I'm now going to test this update. Stay tuned.

CC: (none) => shlomif

Comment 9 Shlomi Fish 2015-05-06 16:40:48 CEST 
(In reply to Shlomi Fish from comment #8)
> I'm now going to test this update. Stay tuned.

The test procedure ran fine on an x86-64 Mageia 4 VBox VM. Adding MGA4-64-OK . Now will do MGA4-32-OK.

Whiteboard: has_procedure => MGA4-64-OK has_procedure

Comment 10 Shlomi Fish 2015-05-06 16:47:49 CEST 
(In reply to Shlomi Fish from comment #9)
> (In reply to Shlomi Fish from comment #8)
> > I'm now going to test this update. Stay tuned.
> 
> The test procedure ran fine on an x86-64 Mageia 4 VBox VM. Adding MGA4-64-OK
> . Now will do MGA4-32-OK.

MGA4-32-OK is fine on VBox.

Whiteboard: MGA4-64-OK has_procedure => MGA4-64-OK has_procedure MGA4-32-OK

Comment 11 claire robinson 2015-05-06 18:25:57 CEST 
Validating. Advisory uploaded.

Please push to 4 updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK has_procedure MGA4-32-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 12 Mageia Robot 2015-05-06 18:44:43 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0197.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 13 David Walser 2015-05-13 20:11:10 CEST 
This also fixed CVE-2014-8625:
http://lwn.net/Vulnerabilities/644272/