Debian and Ubuntu have issued advisories on April 9:
https://www.debian.org/security/2015/dsa-3217
http://www.ubuntu.com/usn/usn-2566-1/

The issue is fixed upstream in 1.7.25, by this commit:
http://anonscm.debian.org/cgit/dpkg/dpkg.git/commit/?h=1.17.x&id=b4ccfe4982161b8beb44f1d0c98f791c4f238edd

The patch Ubuntu used in Ubuntu 14.10 appears at a glance to be the same:
http://launchpadlibrarian.net/202647023/dpkg_1.17.13ubuntu1_1.17.13ubuntu1.1.diff.gz

Mageia 4 and Mageia 5 are affected.
Whiteboard: (none) => MGA5TOO, MGA4TOO
URL: (none) => http://lwn.net/Vulnerabilities/639968/
Ping? In case you missed it, Anne said you may update this now: https://ml.mageia.org/l/arc/dev/2015-04/msg00383.html
Blocks: (none) => 14674
Updates pushed to both mga5/cauldron and mga4 in updates_testing
Status: NEW => ASSIGNED
Thanks Bruno! The Mageia 4 update will need to be removed and rebuilt since you forgot to remove the subrel. I asked in #mageia-sysadm but haven't gotten a response yet.
Oops, sorry for that. Is that critical, in fact, as the next one would either be a subrel 2 or another version again?
The issue can be worked around by setting the release tag in Cauldron to 2, which you can still do as it hasn't been pushed yet.
Done! Thanks, David, for the hint.
Patched package uploaded for Mageia 4. Updated package uploaded for Cauldron.

Thanks again Bruno!

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=13279#c10

Advisory:
========================

Updated dpkg packages fix security vulnerability:

The dpkg-source command in Debian dpkg before 1.17.25 allows remote attackers to bypass signature verification via a crafted Debian source control file (.dsc) (CVE-2015-0840).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0840
https://www.debian.org/security/2015/dsa-3217
========================

Updated packages in core/updates_testing:
========================
dpkg-1.17.25-1.1.mga4
perl-Dpkg-1.17.25-1.1.mga4

from dpkg-1.17.25-1.1.mga4.src.rpm
CC: (none) => bruno
Version: Cauldron => 4
Blocks: 14674 => (none)
Assignee: bruno => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => has_procedure
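The advisory above names the defect only at the level of its effect: a crafted .dsc makes dpkg-source accept control fields that the OpenPGP signature does not actually cover. What follows is an added example written for this page; it is not dpkg's code and does not reproduce the exact upstream bug (the commit linked in comment 1 is the authoritative fix). It assumes the general shape of this bug class: a parser that reads the first paragraph of the file and then merely checks that an armored block is present somewhere, against a parser that requires the file to be exactly one clearsigned block and reads fields only from the signed body. Neither function calls gpg, so the structural check shown here is a precondition for, not a substitute for, real signature verification. The sample .dsc texts are constructed and the signature blob is a placeholder, not a real signature.

```python
# Added example (not dpkg's code). Contrasts a weak and a strict way of
# locating the control paragraph inside an OpenPGP clearsigned .dsc file.
# Assumption: the bug class is "fields outside the signed region are trusted";
# the exact dpkg defect behind CVE-2015-0840 is not reproduced here.
import re

ARMOR_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"


def parse_paragraph(text):
    """Parse one RFC 822-style paragraph: 'Field: value' lines, with
    continuation lines starting in whitespace. Stops at the first blank
    line after at least one field has been read."""
    fields = {}
    last = None
    for line in text.splitlines():
        if not line.strip():
            if fields:
                break
            continue
        if line[0] in " \t" and last is not None:
            fields[last] += "\n" + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % line)
        last = name.strip()
        fields[last] = value.strip()
    return fields


def naive_dsc_fields(data):
    """Weak parser: checks that an armored block exists somewhere, then parses
    the first paragraph it finds. A paragraph placed before the armor is
    therefore trusted although no signature covers it."""
    if ARMOR_BEGIN not in data or SIG_BEGIN not in data:
        raise ValueError("not signed")
    body = [l for l in data.splitlines()
            if not (l.startswith("-----") or l.startswith("Hash:"))]
    return parse_paragraph("\n".join(body))


# Whole file must be: armor header, optional "Hash:" lines, blank line,
# signed body, signature block, and nothing before or after.
CLEARSIGN_RE = re.compile(
    r"\A" + re.escape(ARMOR_BEGIN) + r"\n(?:[A-Za-z-]+: [^\n]*\n)*\n"
    r"(?P<body>.*?)\n" + re.escape(SIG_BEGIN) + r"\n.*?\n"
    + re.escape(SIG_END) + r"\n?\Z",
    re.DOTALL)


def strict_dsc_fields(data):
    """Strict parser: the file must be exactly one clearsigned block, and the
    control fields are read only from its signed body (dash-unescaped per
    RFC 4880 section 7.1). Still requires an actual gpg --verify step."""
    m = CLEARSIGN_RE.match(data)
    if not m:
        raise ValueError("file is not exactly one clearsigned block")
    body = "\n".join(l[2:] if l.startswith("- ") else l
                     for l in m.group("body").splitlines())
    if "\n\n" in body.strip():
        raise ValueError("signed body contains more than one paragraph")
    return parse_paragraph(body)


def strict_rejects(data):
    """True if the strict parser refuses the input."""
    try:
        strict_dsc_fields(data)
    except ValueError:
        return True
    return False


# Constructed sample inputs; the signature line is a placeholder, not real.
GOOD_DSC = "\n".join([
    ARMOR_BEGIN,
    "Hash: SHA256",
    "",
    "Format: 3.0 (quilt)",
    "Source: foo",
    "Version: 1.0-1",
    "Files:",
    " 0123456789abcdef0123456789abcdef 1234 foo_1.0.orig.tar.gz",
    SIG_BEGIN,
    "",
    "iQExamplePlaceholderNotARealSignature",
    SIG_END,
]) + "\n"

# Attacker prepends an unsigned paragraph to a genuinely signed .dsc.
CRAFTED_DSC = "\n".join([
    "Format: 3.0 (quilt)",
    "Source: evil",
    "Version: 9.9-1",
    "Files:",
    " fedcba9876543210fedcba9876543210 4321 evil_9.9.orig.tar.gz",
    "",
]) + "\n" + GOOD_DSC

# Attacker appends data after the signature block instead.
TRAILING_DSC = GOOD_DSC + "Source: evil\n"

if __name__ == "__main__":
    print("naive  crafted ->", naive_dsc_fields(CRAFTED_DSC)["Source"])
    print("strict crafted ->", "rejected" if strict_rejects(CRAFTED_DSC) else "accepted")
```

The weak parser returns `Source: evil` for the crafted file while the signature it "checked" covers only the `foo` paragraph; the strict parser refuses both the prepended and the appended variant and, on the clean file, yields the same fields as the signed body. The point a packager should take from the advisory is the one the strict parser encodes: parse only what was signed, and reject any file that is not wholly inside the armor.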
I'm now going to test this update. Stay tuned.
CC: (none) => shlomif
(In reply to Shlomi Fish from comment #8)
> I'm now going to test this update. Stay tuned.

The test procedure ran fine on an x86-64 Mageia 4 VBox VM. Adding MGA4-64-OK. Now will do MGA4-32-OK.
Whiteboard: has_procedure => MGA4-64-OK has_procedure
(In reply to Shlomi Fish from comment #9)
> (In reply to Shlomi Fish from comment #8)
> > I'm now going to test this update. Stay tuned.
>
> The test procedure ran fine on an x86-64 Mageia 4 VBox VM. Adding MGA4-64-OK.
> Now will do MGA4-32-OK.

MGA4-32-OK is fine on VBox.
Whiteboard: MGA4-64-OK has_procedure => MGA4-64-OK has_procedure MGA4-32-OK
Validating. Advisory uploaded. Please push to 4 updates. Thanks!
Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK has_procedure MGA4-32-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0197.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
This also fixed CVE-2014-8625: http://lwn.net/Vulnerabilities/644272/