Fedora has issued an advisory today (August 8):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/64MG54Q347INMLYDW47XBYZQ3BQCXEXC/

Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Updated packages uploaded by Bruno.

Advisory:
========================

Updated dpkg packages fix security vulnerability:

A flaw was found in dpkg which allows an attacker to perform a directory
traversal by extracting with "dpkg-deb --raw-extract" a crafted .deb file
with a /DEBIAN symlink (bdo#879982).

References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879982
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/64MG54Q347INMLYDW47XBYZQ3BQCXEXC/
========================

Updated packages in core/updates_testing:
========================

dpkg-1.18.25-1.mga6
perl-Dpkg-1.18.25-1.mga6

from dpkg-1.18.25-1.mga6.src.rpm
CC: (none) => bruno
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Assignee: bruno => qa-bugs
Updates have been pushed into mga6 and cauldron (no update for 5 which is out of maintenance window now)
Status: NEW => ASSIGNED
MGA6-32 MATE on IBM Thinkpad R50e in Dutch

No installation issues.
Took some inspiration from bug 13279. Note that a lot of dpkg options return an error when no package has been installed yet.
What produced decent feedback after downloading some .deb file:

# dpkg --version
Programma voor Debian pakketbeheer 'dpkg' versie 1.18.25 (i386).
Dit is vrije programmatuur; zie de GNU General Public Licentie versie 2 of
later voor kopieervoorwaarden. Er is GEEN garantie.
Is OK

# dpkg -c qr-code-creator_1.0_all.deb
drwxr-xr-x root/root         0 2011-03-26 18:32 ./
drwxr-xr-x root/root         0 2011-03-26 18:32 ./usr/
drwxr-xr-x root/root         0 2011-03-26 18:32 ./usr/share/
drwxr-xr-x root/root         0 2011-03-26 18:32 ./usr/share/man/
drwxr-xr-x root/root         0 2011-03-26 18:32 ./usr/share/man/man1/
-rw-r--r-- root/root       385 2011-03-26 18:32 ./usr/share/man/man1/qr-code-creator.1.gz
drwxr-xr-x root/root         0 2011-03-26 18:32 ./usr/share/pixmaps/
-rw-r--r-- root/root       238 2011-03-26 18:32 ./usr/share/pixmaps/qr-code-creator.png
drwxr-xr-x root/root         0 2011-03-26 18:32 ./usr/share/doc/
drwxr-xr-x root/root         0 2011-03-26 18:32 ./usr/share/doc/qr-code-creator/
-rw-r--r-- root/root      1235 2011-03-26 18:32 ./usr/share/doc/qr-code-creator/copyright
-rw-r--r-- root/root       157 2011-03-26 18:32 ./usr/share/doc/qr-code-creator/changelog.gz
drwxr-xr-x root/root         0 2011-03-26 18:32 ./usr/share/qr-code-creator/
drwxr-xr-x root/root         0 2011-03-26 18:32 ./usr/share/applications/
-rw-r--r-- root/root       217 2011-03-26 18:32 ./usr/share/applications/qr-code-creator.desktop
drwxr-xr-x root/root         0 2011-03-26 18:32 ./usr/bin/
-rwxr-xr-x root/root      3717 2011-03-26 18:32 ./usr/bin/qr-code-creator
Looks OK

# dpkg -x qr-code-creator_1.0_all.deb ./tmp
Checked that the above files have been created in the correct folders under ./tmp: all OK

# dpkg --print-architecture
i386

This all seems to work well.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK
x86_64

Could not find a reproducer test file.

Tried out the raw-extract command before updating.

$ mkdir partclone
$ dpkg-deb --raw-extract partclone_0.2.69-1_i386.deb ./partclone
$ ls partclone
DEBIAN/  usr/

Ran the update and tried that again.

$ mkdir phoronix
$ dpkg-deb --raw-extract phoronix-test-suite_5.2.1_all.deb ./phoronix
$ ls phoronix
DEBIAN/  etc/  usr/

Straightforward extraction:

$ mkdir coapp
$ dpkg -x net.downloadhelper.coapp-1.1.2-1_amd64.deb ./coapp
$ tree coapp
coapp
├── etc
│   ├── chromium
│   │   └── native-messaging-hosts
│   │       └── net.downloadhelper.coapp.json
│   └── opt
│       └── chrome
│           └── native-messaging-hosts
│               └── net.downloadhelper.coapp.json
├── opt
│   └── net.downloadhelper.coapp
│       ├── bin
│       │   └── net.downloadhelper.coapp-linux-64
│       ├── config.json
│       ├── converter
[...]
│       │   └── libz.so.1
│       ├── LICENSE.txt
│       └── README.txt
└── usr
    └── lib
        └── mozilla
            └── native-messaging-hosts
                └── net.downloadhelper.coapp.json

17 directories, 43 files

Echoed tests from comment 3.

$ dpkg --version
Debian 'dpkg' package management program version 1.18.25 (amd64).
This is free software; see the GNU General Public License version 2 or
later for copying conditions. There is NO warranty.

$ dpkg --print-architecture
amd64

$ dpkg -c partclone_0.2.69-1_i386.deb
drwxr-xr-x root/root         0 2013-12-26 07:18 ./
drwxr-xr-x root/root         0 2013-12-26 07:18 ./usr/
drwxr-xr-x root/root         0 2013-12-26 07:18 ./usr/sbin/
-rwxr-xr-x root/root     67336 2013-12-26 07:18 ./usr/sbin/partclone.fat
[...]
lrwxrwxrwx root/root         0 2013-12-26 07:18 ./usr/share/man/man8/partclone.vmfs.8.gz -> partclone.8.gz
lrwxrwxrwx root/root         0 2013-12-26 07:18 ./usr/share/man/man8/partclone.extfs.8.gz -> partclone.8.gz

No regressions so OK for 64-bits.
CC: (none) => tarazed25
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA-64-OK
Whiteboard: MGA6-32-OK MGA-64-OK => MGA6-32-OK MGA6-64-OK
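Since no reproducer was available for the QA above, here is an added pre-extraction check (example code written for this thread, not part of dpkg or of the Mageia update) that parses the outer ar(1) container of a .deb, opens its data tarball without extracting anything, and reports entries that a traversal-prone extractor could be tricked by: absolute paths, ".." components, and a symlink or hardlink occupying the DEBIAN/ name that "dpkg-deb --raw-extract" later writes control files into. Function names and the constructed ar header in the test are the example's own.

```python
import io
import tarfile

AR_MAGIC = b"!<arch>\n"

def ar_members(blob):
    """Walk the outer ar(1) container of a .deb: yields (name, payload)."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    off = len(AR_MAGIC)
    while off + 60 <= len(blob):
        hdr = blob[off:off + 60]               # fixed 60-byte member header
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header at offset %d" % off)
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58])                 # decimal size field
        off += 60
        yield name, blob[off:off + size]
        off += size + (size & 1)               # payloads are padded to even length

def suspicious_entries(entries):
    """entries: iterable of (path, is_link) taken from the data tarball.
    Returns the paths that should block extraction: absolute paths, any
    '..' component, or a link planted where DEBIAN/ will be written."""
    findings = []
    for path, is_link in entries:
        parts = [p for p in path.split("/") if p not in ("", ".")]
        if path.startswith("/") or ".." in parts:
            findings.append(path)
        elif is_link and parts[:1] == ["DEBIAN"]:
            findings.append(path)
    return findings

def check_deb(blob):
    """Scan the data tarball of a .deb (bytes) without extracting it."""
    for name, payload in ar_members(blob):
        if name.startswith("data.tar"):
            with tarfile.open(fileobj=io.BytesIO(payload), mode="r:*") as tf:
                return suspicious_entries(
                    (m.name, m.issym() or m.islnk()) for m in tf.getmembers())
    raise ValueError("no data.tar member found")

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print(check_deb(f.read()) or "no suspicious entries")
```

Run it as `python3 check_deb.py some_package.deb` before handing the file to `dpkg-deb --raw-extract` on an unpatched host; an empty result means only relative, link-free DEBIAN paths were found.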
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0352.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED