Debian has issued an advisory on November 26:
https://www.debian.org/security/2015/dsa-3407

More details and links to upstream fixes are in this oss-security post:
http://openwall.com/lists/oss-security/2015/11/26/3

Mageia 5 is probably also affected.
Whiteboard: (none) => MGA5TOO
I have uploaded dpkg-1.17.26-1 for both cauldron and mga5
Status: NEW => ASSIGNED
Is this ready for QA? Here's an advisory you can use.

Advisory:
========================

Updated dpkg packages fix security vulnerability:

Hanno Boeck discovered a stack-based buffer overflow in the dpkg-deb component of dpkg. This flaw could potentially lead to arbitrary code execution if a user or an automated system were tricked into processing a specially crafted Debian binary package (.deb) in the old style Debian binary package format (CVE-2015-0860).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0860
https://www.debian.org/security/2015/dsa-3407
========================

Updated packages in core/updates_testing:
========================
dpkg-1.17.26-1.mga5
perl-Dpkg-1.17.26-1.mga5

from dpkg-1.17.26-1.mga5.src.rpm
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
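As an added illustration of the package layouts the advisory above refers to (this is example code written for this page, not code from the thread, from Mageia or from dpkg, and not the CVE-2015-0860 fix itself), the following Python reads both .deb container formats: the old 0.939000 format, whose header is two ASCII lines, and the current 2.0 format, an ar archive. Every length-bearing header field is checked against a bound before anything is copied, so a crafted package is rejected rather than processed. The 40-byte header-line cap, the constructed sample packages and the helper names are assumptions made for the example.

```python
"""Illustrative parser for both .deb container layouts, added for this page.
Not dpkg's code and not the CVE-2015-0860 fix: every length-bearing header
field is bounds-checked before any copy. Fixtures below are constructed."""
import gzip
import io
import tarfile

OLD_FORMAT_VERSION = b"0.939000"  # deb-old(5): first line of an old-format .deb
AR_MAGIC = b"!<arch>\n"           # first line of a 2.0-format .deb (an ar archive)
AR_HDR_LEN = 60                   # fixed ar member header size
MAX_HEADER_LINE = 40              # assumed cap on old-format header lines (example)

class DebFormatError(ValueError): pass

def read_bounded_line(buf, limit):
    """Return one header line without its newline; refuse lines longer than limit."""
    line = buf.readline(limit + 1)
    if not line.endswith(b"\n"):
        raise DebFormatError("header line missing newline or longer than %d bytes" % limit)
    return line[:-1]

def parse_old_deb(data):
    # Old format: version line, control-length line, control.tar.gz, data.tar.gz
    buf = io.BytesIO(data)
    if read_bounded_line(buf, MAX_HEADER_LINE) != OLD_FORMAT_VERSION:
        raise DebFormatError("not an old-format .deb")
    length_field = read_bounded_line(buf, MAX_HEADER_LINE)
    if not length_field.isdigit():
        raise DebFormatError("control length is not a decimal integer")
    control = buf.read(int(length_field))
    if len(control) != int(length_field):
        raise DebFormatError("truncated control member")
    return {"format": "old", "control": control, "data": buf.read()}

def parse_ar_deb(data):
    # 2.0 format: ar archive holding debian-binary, control.tar.*, data.tar.*
    if not data.startswith(AR_MAGIC):
        raise DebFormatError("not an ar archive")
    members, pos = {}, len(AR_MAGIC)
    while pos < len(data):
        hdr = data[pos:pos + AR_HDR_LEN]
        if len(hdr) != AR_HDR_LEN or hdr[58:60] != b"`\n":
            raise DebFormatError("bad ar member header at offset %d" % pos)
        name = hdr[0:16].rstrip(b" /").decode("ascii")
        size_field = hdr[48:58].strip()
        if not size_field.isdigit():
            raise DebFormatError("bad size field for member %r" % name)
        size = int(size_field)
        body = data[pos + AR_HDR_LEN:pos + AR_HDR_LEN + size]
        if len(body) != size:
            raise DebFormatError("truncated ar member %r" % name)
        members[name] = body
        pos += AR_HDR_LEN + size + (size & 1)  # members are padded to even offsets
    if members.get("debian-binary") != b"2.0\n":
        raise DebFormatError("missing or unexpected debian-binary member")
    return {"format": "2.0", "members": members}

def parse_deb(data):
    # Dispatch on the leading bytes of the file
    if data.startswith(AR_MAGIC):
        return parse_ar_deb(data)
    if data.startswith(OLD_FORMAT_VERSION + b"\n"):
        return parse_old_deb(data)
    raise DebFormatError("unrecognised package format")

def is_well_formed(data):
    # True if parse_deb accepts the package, False if it rejects it
    try:
        parse_deb(data)
        return True
    except ValueError:
        return False

# Constructed fixtures (not real packages) so the script runs offline.
def make_tar_gz(files):
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return gzip.compress(raw.getvalue())

def build_old_deb(control, data):
    return OLD_FORMAT_VERSION + b"\n" + str(len(control)).encode() + b"\n" + control + data

def ar_member(name, body):  # name(16) mtime(12) uid(6) gid(6) mode(8) size(10) "`\n"
    hdr = (name.ljust(16) + "0".ljust(12) + "0".ljust(6) + "0".ljust(6)
           + "100644".ljust(8) + str(len(body)).ljust(10)).encode("ascii") + b"`\n"
    return hdr + body + (b"\n" if len(body) & 1 else b"")

def build_ar_deb(control, data):
    return (AR_MAGIC + ar_member("debian-binary", b"2.0\n")
            + ar_member("control.tar.gz", control) + ar_member("data.tar.gz", data))

if __name__ == "__main__":
    control = make_tar_gz({"control": b"Package: example\nVersion: 1.0\n"})
    data = make_tar_gz({"./usr/share/doc/example/README": b"hello\n"})
    for pkg in (build_old_deb(control, data), build_ar_deb(control, data)):
        print(parse_deb(pkg)["format"], "package accepted")
    crafted = OLD_FORMAT_VERSION + b"\n" + b"9" * 4096 + b"\n"  # oversized header line
    print("crafted package accepted:", is_well_formed(crafted))
```

The crafted input at the end is an old-format header whose second line is far longer than any fixed buffer would hold; read_bounded_line refuses it before a single byte is copied, which is the property a parser of attacker-supplied archives needs regardless of the exact bug dpkg fixed.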
Yes, ready for QA. Advisory pushed, thanks for providing it!
Assignee: bruno => qa-bugs
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=13279#c10
Whiteboard: (none) => has_procedure advisory
In VirtualBox, M5, KDE, 32-bit

Download bash_4.1-3_i386.deb from http.us.debian.org
http.us.debian.org/debian/pool/main/b/bash/bash_4.1-3_i386.deb
http.us.debian.org/debian/pool/main/b/bash/bash_4.1-3.dsc
to /home/wilcal/dpkg_test

Package(s) under test: dpkg

default install of dpkg

[root@localhost dpkg_test]# urpmi dpkg
Package dpkg-1.17.25-2.mga5.i586 is already installed

[wilcal@localhost dpkg_test]$ dpkg -x bash_4.1-3_i386.deb /home/wilcal/dpkg_test
extracts packages.

[wilcal@localhost dpkg_test]$ dpkg-source -x bash_4.1-3.dsc
gpgv: keyblock resource `/home/wilcal/.gnupg/trustedkeys.gpg': No such file or directory
gpgv: Signature made Sat 10 Apr 2010 04:18:36 AM PDT using DSA key ID 0F932C9C
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on ./bash_4.1-3.dsc
dpkg-source: error: cannot fstat file ./bash_4.1.orig.tar.gz: No such file or directory
No key.

install dpkg from updates_testing

[root@localhost wilcal]# urpmi dpkg
Package dpkg-1.17.26-1.mga5.i586 is already installed

[wilcal@localhost dpkg_test]$ dpkg -x bash_4.1-3_i386.deb /home/wilcal/dpkg_test
extracts packages.

[wilcal@localhost dpkg_test]$ dpkg-source -x bash_4.1-3.dsc
gpgv: keyblock resource `/home/wilcal/.gnupg/trustedkeys.gpg': No such file or directory
gpgv: Signature made Sat 10 Apr 2010 04:18:36 AM PDT using DSA key ID 0F932C9C
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on ./bash_4.1-3.dsc
dpkg-source: error: cannot fstat file ./bash_4.1.orig.tar.gz: No such file or directory
No key
CC: (none) => wilcal.int
In VirtualBox, M5, KDE, 64-bit

Download bash_4.1-3_i386.deb from http.us.debian.org
http.us.debian.org/debian/pool/main/b/bash/bash_4.1-3_i386.deb
http.us.debian.org/debian/pool/main/b/bash/bash_4.1-3.dsc
to /home/wilcal/dpkg_test

Package(s) under test: dpkg

default install of dpkg

[root@localhost dpkg_test]# urpmi dpkg
Package dpkg-1.17.25-2.mga5.x86_64 is already installed

[wilcal@localhost dpkg_test]$ dpkg -x bash_4.1-3_i386.deb /home/wilcal/dpkg_test
extracts packages.

[root@localhost dpkg_test]# dpkg-source -x bash_4.1-3.dsc
gpgv: keyblock resource `/root/.gnupg/trustedkeys.gpg': No such file or directory
gpgv: Signature made Sat 10 Apr 2010 04:18:36 AM PDT using DSA key ID 0F932C9C
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on ./bash_4.1-3.dsc
dpkg-source: error: cannot fstat file ./bash_4.1.orig.tar.gz: No such file or directory
No key.

install dpkg from updates_testing

[root@localhost dpkg_test]# urpmi dpkg
Package dpkg-1.17.26-1.mga5.x86_64 is already installed

extracts packages.

[wilcal@localhost dpkg_test]$ dpkg-source -x bash_4.1-3.dsc
gpgv: keyblock resource `/home/wilcal/.gnupg/trustedkeys.gpg': No such file or directory
gpgv: Signature made Sat 10 Apr 2010 04:18:36 AM PDT using DSA key ID 0F932C9C
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on ./bash_4.1-3.dsc
dpkg-source: error: cannot fstat file ./bash_4.1.orig.tar.gz: No such file or directory
No key
David. Do we really need to do the dpkg-source thing on this bug?
(In reply to William Kenney from comment #7)
> David. Do we really need to do the dpkg-source thing on this bug?

That's not really impacted by this update, it sounds like you tested enough.
(In reply to David Walser from comment #8)
> (In reply to William Kenney from comment #7)
> > David. Do we really need to do the dpkg-source thing on this bug?
>
> That's not really impacted by this update, it sounds like you tested enough.

It's outta here then. Thanks.
This update works fine.

Testing complete for MGA5, 32-bit & 64-bit.

Validating the update. Could someone from the sysadmin team push to updates? Thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure advisory => has_procedure advisory MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0482.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED