Bug 13279 - dpkg new security issue CVE-2014-0471
Summary: dpkg new security issue CVE-2014-0471
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/596580/
Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32...
Keywords: validated_update
Depends on:
Reported: 2014-04-28 19:15 CEST by David Walser
Modified: 2014-07-09 00:48 CEST (History)
5 users (show)

See Also:
Source RPM: dpkg-1.17.6-2.mga5.src.rpm
Status comment:


Description David Walser 2014-04-28 19:15:25 CEST
Debian and Ubuntu have issued advisories today (April 28):

The issue is fixed upstream in 1.17.8.

Mageia 3 and Mageia 4 are also affected.


Steps to Reproduce:
David Walser 2014-04-28 19:15:32 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 Bruno Cornec 2014-04-29 01:19:58 CEST
I have pushed 1.17.8 into cauldron
David Walser 2014-04-29 02:44:34 CEST

Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 2 David Walser 2014-05-01 15:55:57 CEST
Note that a regression in 1.17.8 was fixed in 1.17.9:

Also note that we are not affected by the regression, as it only affects you if your version of the patch package is older than 1.7 (we have 1.7.1 in Mageia 3).

BTW, we still need an update for this CVE for Mageia 3 and Mageia 4.
Comment 3 David Walser 2014-05-21 17:43:35 CEST
Fedora has issued an advisory for this on May 12:

They updated to 1.16.14, which also fixes this.

We could update Mageia 4 to the latest version, and Mageia 3 to 1.16.14.
Comment 4 David Walser 2014-05-30 16:03:17 CEST
More dpkg CVEs:
Comment 5 David Walser 2014-06-09 20:18:08 CEST
Debian has issued an advisory for CVE-2014-3864 and CVE-2014-3865 on June 8:

from http://lwn.net/Vulnerabilities/601760/
Comment 6 Bruno Cornec 2014-07-05 00:01:26 CEST
dpkg updated to 1.17.10 in cauldron and mga4 and to 1.16.15 in mga3.
Advisory prepared.

The packages to test are:



Assignee: bruno => security

Comment 7 David Walser 2014-07-05 21:22:21 CEST
Thanks Bruno.

BTW, Bruno, you shouldn't have used the subrel on these packages.  We can let it go this time, but you'll need to rebuild the Cauldron package to have a newer release tag than the Mageia 4 update.


Updated dpkg packages fix security vulnerabilities:

Jakub Wilk discovered that dpkg did not correctly parse C-style filename
quoting, allowing for paths to be traversed when unpacking a source package,
leading to the creation of files outside the directory of the source being
unpacked (CVE-2014-0471).

Multiple vulnerabilities were discovered in dpkg that allow file modification
through path traversal when unpacking source packages with especially-crafted
patch files (CVE-2014-3864, CVE-2014-3865).


Updated packages in core/updates_testing:

from SRPMS:

CC: (none) => bruno
Assignee: security => qa-bugs

Comment 8 Bruno Cornec 2014-07-06 01:43:39 CEST
I changed mkrel to 2 in the cauldron version to avoid the issue you rightly mentioned.
Comment 9 Marc Lattemann 2014-07-06 12:02:23 CEST
as far as understand the linked reports correctly, there might be an poc, but not public, yet?

So I installed dpkg packages:
[root@localhost marc]# rpm -qa | grep -i dpkg

and unpack a deb-file without any issue. Trying to use some other dpkg function as well and everything seems to working.

So adding MGA4-32-OK tag. Please let me know in case you are aware of more specific tests...

Whiteboard: MGA3TOO => MGA3TOO MGA4-32-OK

Comment 10 Marc Lattemann 2014-07-06 12:47:09 CEST
tested for MGA4 64bit as well.

Just for clarification (same tests I did for 32bit above):

I've extracted a deb-file with
[root@localhost Downloads]# dpkg -x bash_4.2+dfsg-0.1_i386.deb ./tmp

And I did also a test extracted source file (since vulnerability was discovered by extracting a source file?) the with:

[root@localhost Downloads]# dpkg-source -x bash_4.2+dfsg-0.1.dsc 
gpgv: keyblock resource `/root/.gnupg/trustedkeys.gpg': No such file or directory
gpgv: Signature made Sun 30 Dec 2012 02:40:46 AM CET using RSA key ID FDFE09F2
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on ./bash_4.2+dfsg-0.1.dsc
dpkg-source: info: extracting bash in bash-4.2+dfsg
dpkg-source: info: unpacking bash_4.2+dfsg.orig.tar.gz
dpkg-source: info: applying bash_4.2+dfsg-0.1.diff.gz

CC: (none) => marc.lattemann
Whiteboard: MGA3TOO MGA4-32-OK => MGA3TOO MGA4-32-OK MGA4-64-OK

Marc Lattemann 2014-07-06 12:47:21 CEST

CC: marc.lattemann => (none)

Comment 11 Marc Lattemann 2014-07-06 13:26:19 CEST
same tests performed for MGA3 32 and 64 bit. Everything is fine.

If tests are sufficient, then please upload the advisory and validating the update.


Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK => MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK

Comment 12 Rémi Verschelde 2014-07-06 23:03:52 CEST
Advisory uploaded.

CC: (none) => remi
Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK => MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK advisory

Comment 13 David Walser 2014-07-06 23:57:27 CEST
Yes, this can be validated.  Thanks Marc.

CC: (none) => marc.lattemann

Comment 14 Rémi Verschelde 2014-07-07 07:10:00 CEST
Validated, please push dpkg to Mageia 3 and 4 core/updates.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 15 Pascal Terjan 2014-07-09 00:48:52 CEST

CC: (none) => pterjan
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.