Your message dated Wed, 07 May 2014 22:47:36 +0000
with message-id <[email protected]>
and subject line Bug#746306: fixed in dpkg 1.15.10
has caused the Debian Bug report #746306,
regarding dpkg: CVE-2014-0471 fix introduces the vulnerability into squeeze
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
746306: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746306
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dpkg
Version: 1.15.9
Tags: security squeeze

As far as I see, escaping file names was added to diffutils in 2012. The
feature is not present in a squeeze environment. CVE-2014-0471 does not
apply.

Directory traversal during unpack is possible now. I will wait one day
before releasing an exploit package.


--- End Message ---
--- Begin Message ---
Source: dpkg
Source-Version: 1.15.10

We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <[email protected]> (supplier of updated dpkg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Wed, 30 Apr 2014 15:15:09 +0200
Source: dpkg
Binary: libdpkg-dev dpkg dpkg-dev libdpkg-perl dselect
Architecture: source amd64 all
Version: 1.15.10
Distribution: squeeze-security
Urgency: high
Maintainer: Dpkg Developers <[email protected]>
Changed-By: Guillem Jover <[email protected]>
Description: 
 dpkg       - Debian package management system
 dpkg-dev   - Debian package development tools
 dselect    - Debian package management front-end
 libdpkg-dev - Debian package management static library
 libdpkg-perl - Dpkg perl modules
Closes: 746306
Changes: 
 dpkg (1.15.10) squeeze-security; urgency=high
 .
   [ Guillem Jover ]
   * Do not allow patch files with C-style encoded filenames. Closes: #746306
     Unconditionally fixes CVE-2014-0471.

--- End Message ---
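
The changelog entry above ("Do not allow patch files with C-style encoded filenames") can be applied as a check before a patch is handed to an unpacker. The following is an added example, not dpkg's own code and not part of the original messages; the function name and the sample patch are assumptions made for illustration. It tracks hunk line counts so that a removed line inside a hunk is not mistaken for a file header.

```python
import re

# Matches a unified-diff hunk header; an omitted line count means 1.
HUNK_RE = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")

def quoted_filename_headers(patch_text):
    """Return (line_number, line) for every ---/+++ file header whose
    filename is C-style quoted, i.e. starts with a double quote."""
    findings = []
    old_left = new_left = 0  # body lines still owed by the current hunk
    for number, line in enumerate(patch_text.splitlines(), 1):
        if old_left > 0 or new_left > 0:
            # Inside a hunk body, '--- "x"' is a removed line, not a header.
            tag = line[:1]
            if tag == "\\":          # "\ No newline at end of file"
                continue
            if tag in (" ", ""):
                old_left -= 1
                new_left -= 1
                continue
            if tag == "-":
                old_left -= 1
                continue
            if tag == "+":
                new_left -= 1
                continue
            old_left = new_left = 0  # malformed hunk: resync on this line
        hunk = HUNK_RE.match(line)
        if hunk:
            old_left = int(hunk.group(1) or 1)
            new_left = int(hunk.group(2) or 1)
        elif line.startswith(("--- ", "+++ ")) and line[4:].lstrip().startswith('"'):
            findings.append((number, line))
    return findings

# Constructed sample: line 5 is a removed line inside a hunk that merely
# looks like a quoted header; line 8 is a real header with a quoted name.
SAMPLE = '''\
--- a/notes.txt
+++ b/notes.txt
@@ -1,2 +1,2 @@
 title
--- "old separator"
+-- new separator
--- a/data.txt
+++ "b/data\\tfile.txt"
@@ -1 +1 @@
-x
+y
'''

if __name__ == "__main__":
    for number, line in quoted_filename_headers(SAMPLE):
        print(f"line {number}: refusing C-style quoted filename: {line}")
```

A caller would refuse the whole patch when the returned list is non-empty, rather than trying to decode the quoted name.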