Debian DSA-2915-2 Critical: Dpkg Filename Quoting Security Issue
debian
April 30, 2014
Javier Serrano Polo discovered that the recent dpkg update introduced a vulnerability in systems where the patch utility did not support C-style filename quoting - such as the olds...
Topics Covered
Summary
Javier Serrano Polo discovered that the recent dpkg update introduced a
vulnerability in systems where the patch utility did not support
C-style filename quoting - such as the oldstable distribution
(squeeze). This revision of dpkg instead refuses to process patches
with C-style filename quoting altogether.
For reference, the original text of DSA-2915-1 is reproduced below:
Jakub Wilk discovered that dpkg did not correctly parse C-style
filename quoting, allowing for paths to be traversed when unpacking a
source package - leading to the creation of files outside the directory
of the source being unpacked.
For the oldstable distribution (squeeze), this problem has been fixed in
version 1.15.10.
For the stable distribution (wheezy), this problem has been fixed in
version 1.16.14.
For the testing distribution (jessie), this problem will be fixed soon.
For the unstable distribution (sid), this problem has been fixed in
version 1.17.9.
We recommend that you upgrade your dpkg packages.
Further information ...
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Package: dpkg
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!