Bug 15672 - dpkg new security issue CVE-2015-0840
Summary: dpkg new security issue CVE-2015-0840
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/639968/
Whiteboard: has_procedure advisory MGA4-32-OK MGA...
Keywords: validated_update
Depends on:
Reported: 2015-04-10 14:26 CEST by David Walser
Modified: 2015-05-13 20:11 CEST (History)
3 users (show)

See Also:
Source RPM: dpkg-1.17.10-1.1.mga4.src.rpm
Status comment:


Description David Walser 2015-04-10 14:26:11 CEST
Debian and Ubuntu have issued advisories on April 9:

The issue is fixed upstream in 1.7.25, by this commit:

The patch Ubuntu used in Ubuntu 14.10 appears at a glance to be the same:

Mageia 4 and Mageia 5 are affected.


Steps to Reproduce:
David Walser 2015-04-10 14:26:17 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

David Walser 2015-04-10 16:26:20 CEST

URL: (none) => http://lwn.net/Vulnerabilities/639968/

Comment 1 David Walser 2015-04-30 18:09:48 CEST

In case you missed it, Anne said you may update this now:
David Walser 2015-05-04 23:51:19 CEST

Blocks: (none) => 14674

Comment 2 Bruno Cornec 2015-05-05 03:04:27 CEST
Updates pushed to both mga5/cauldron and mga4 in updates_testing


Comment 3 David Walser 2015-05-05 14:27:51 CEST
Thanks Bruno!

The Mageia 4 update will need to be removed and rebuilt since you forgot to remove the subrel.  I asked in #mageia-sysadm but haven't gotten a response yet.
Comment 4 Bruno Cornec 2015-05-05 23:29:18 CEST
Oops sorry for that. Is that critical in fact as the next one would either be a subrel 2 or another version again ?
Comment 5 David Walser 2015-05-05 23:40:55 CEST
The issue can be worked around by setting the release tag in Cauldron to 2, which you can still do as it hasn't been pushed yet.
Comment 6 Bruno Cornec 2015-05-06 00:36:11 CEST
Done ! Thanks David for the hint.
Comment 7 David Walser 2015-05-06 14:27:50 CEST
Patched package uploaded for Mageia 4.

Updated package uploaded for Cauldron.  Thanks again Bruno!

Testing procedure:


Updated dpkg packages fix security vulnerability:

The dpkg-source command in Debian dpkg before 1.17.25 allows remote attackers
to bypass signature verification via a crafted Debian source control file
(.dsc) (CVE-2015-0840).


Updated packages in core/updates_testing:

from dpkg-1.17.25-1.1.mga4.src.rpm

CC: (none) => bruno
Version: Cauldron => 4
Blocks: 14674 => (none)
Assignee: bruno => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => has_procedure

Comment 8 Shlomi Fish 2015-05-06 16:34:12 CEST
I'm now going to test this update. Stay tuned.

CC: (none) => shlomif

Comment 9 Shlomi Fish 2015-05-06 16:40:48 CEST
(In reply to Shlomi Fish from comment #8)
> I'm now going to test this update. Stay tuned.

The test procedure ran fine on an x86-64 Mageia 4 VBox VM. Adding MGA4-64-OK . Now will do MGA4-32-OK.

Whiteboard: has_procedure => MGA4-64-OK has_procedure

Comment 10 Shlomi Fish 2015-05-06 16:47:49 CEST
(In reply to Shlomi Fish from comment #9)
> (In reply to Shlomi Fish from comment #8)
> > I'm now going to test this update. Stay tuned.
> The test procedure ran fine on an x86-64 Mageia 4 VBox VM. Adding MGA4-64-OK
> . Now will do MGA4-32-OK.

MGA4-32-OK is fine on VBox.

Whiteboard: MGA4-64-OK has_procedure => MGA4-64-OK has_procedure MGA4-32-OK

Comment 11 claire robinson 2015-05-06 18:25:57 CEST
Validating. Advisory uploaded.

Please push to 4 updates


Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK has_procedure MGA4-32-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 12 Mageia Robot 2015-05-06 18:44:43 CEST
An update for this issue has been pushed to Mageia Updates repository.


Resolution: (none) => FIXED

Comment 13 David Walser 2015-05-13 20:11:10 CEST
This also fixed CVE-2014-8625:

Note You need to log in before you can comment on or make changes to this bug.