Your message dated Sat, 11 Oct 2014 04:33:42 +0000
with message-id <[email protected]>
and subject line Bug#737160: fixed in devscripts 2.14.8
has caused the Debian Bug report #737160,
regarding uupdate: CVE-2014-1833: symlink directory traversal
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
737160: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737160
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: devscripts
Version: 2.14.1
Tags: security
A malicious .orig.tar file can trick uupdate into patching files outside
the source package directory. Proof of concept:
$ apt-get source -qq chewmail
gpgv: Signature made Tue Aug 15 08:10:17 2006 CEST using DSA key ID 16D970C6
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./chewmail_1.2-1.dsc
dpkg-source: info: extracting chewmail in chewmail-1.2
dpkg-source: info: unpacking chewmail_1.2.orig.tar.gz
dpkg-source: info: applying chewmail_1.2-1.diff.gz
$ cd chewmail-1.2/
$ ls /tmp/*
ls: cannot access /tmp/*: No such file or directory
$ uupdate -v2 /path/to/chewmail-2.tar.gz
New Release will be 2-1.
Symlinking to pristine source from chewmail_2.orig.tar.gz...
-- Untarring the new sourcecode archive /path/to/chewmail-2.tar.gz
Success! The diffs from version 1.2-1 worked fine.
Remember: Your current directory is the OLD sourcearchive!
Do a "cd ../chewmail-2" to see the new package
$ ls /tmp/*
/tmp/changelog /tmp/compat /tmp/control /tmp/copyright /tmp/rules
--
Jakub Wilk
chewmail-2.tar.gz
Description: Binary data
--- End Message ---
--- Begin Message ---
Source: devscripts
Source-Version: 2.14.8
We believe that the bug you reported is fixed in the latest version of
devscripts, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
James McCoy <[email protected]> (supplier of updated devscripts package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sat, 11 Oct 2014 00:22:34 -0400
Source: devscripts
Binary: devscripts
Architecture: source amd64
Version: 2.14.8
Distribution: unstable
Urgency: medium
Maintainer: James McCoy <[email protected]>
Changed-By: James McCoy <[email protected]>
Description:
devscripts - scripts to make the life of a Debian Package maintainer easier
Closes: 737160 764367
Changes:
devscripts (2.14.8) unstable; urgency=medium
.
[ James McCoy ]
* uscan:
+ Ensure $keyring is defined before trying to use it when checking whether
the upstream keyring exists.
+ Strip the Referer header when using qa.debian.org's Sourceforge
redirector. When there's a foreign Referer header, Sourceforge responds
with a web page containing a <meta refresh=...> redirect to the actual
file, causing uscan to save the web page rather than the file. (Closes:
#764367)
* uupdate: When updating a 1.0 source format package, remove any symlinks in
the new upstream source before applying the Debian diff, restoring the
symlinks after. This prevents patch from following the symlinks, which
may point to targets outside of the source tree, when applying the diff.
Thanks to Jakub Wilk for the discovery and suggested fix.
(Closes: #737160, CVE-2014-1833)
.
[ Ron Lee ]
* cowpoke: Add --sign and --upload command line overrides.
--- End Message ---
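The following is an added example, not code from devscripts or uupdate: a POSIX shell sketch of the check a maintainer would want before applying the Debian diff (symlinks in the unpacked upstream tree that resolve outside it) and of the mitigation the 2.14.8 changelog describes (remove all symlinks before `patch`, restore them afterwards). The tree layout, file names and function names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from devscripts. Defensive check for symlinks in an
# unpacked upstream tree that resolve outside it, plus the stash/restore step
# from the 2.14.8 changelog, so patch cannot be led out of the tree.

# Print each symlink under $1 whose target resolves outside $1 (or not at all).
escaping_symlinks() {
    top=$(cd "$1" && pwd -P) || return 1
    find "$top" -type l | while IFS= read -r link; do
        dest=$(readlink -f "$link" 2>/dev/null) || dest=""
        case "$dest" in
            "$top"/*) ;;                # resolves inside the tree: fine
            *) printf '%s\n' "$link" ;; # escapes or dangling: report it
        esac
    done
}

# Record every symlink under $1 as "path<TAB>target" in $2, then remove it,
# so a following "patch -p1" only ever writes real files inside the tree.
stash_symlinks() {
    : > "$2"
    find "$1" -type l | while IFS= read -r link; do
        printf '%s\t%s\n' "$link" "$(readlink "$link")" >> "$2"
        rm -f "$link"
    done
}

# Put back the symlinks recorded by stash_symlinks, after patch has run.
restore_symlinks() {
    while IFS="$(printf '\t')" read -r link target; do
        ln -s "$target" "$link"
    done < "$1"
}

# Constructed demo tree shaped like the bug report: "debian" is a symlink that
# points outside the unpacked source, so debian/changelog would land elsewhere.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/outside" "$work/chewmail-2/lib"
    ln -s ../outside "$work/chewmail-2/debian"   # escapes the tree
    ln -s lib "$work/chewmail-2/inside"          # stays inside the tree
    echo "escaping symlinks:"; escaping_symlinks "$work/chewmail-2"
    stash_symlinks "$work/chewmail-2" "$work/links.tsv"
    # ... this is where uupdate would run patch against the diff ...
    restore_symlinks "$work/links.tsv"
    echo "restored: debian -> $(readlink "$work/chewmail-2/debian")"
    rm -rf "$work"
}
```

Source the file and call `demo`, or wrap your own patch step with `stash_symlinks` and `restore_symlinks`; paths are recorded as given, so keep the same working directory between the two calls.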