From: Wenzong Fan <[email protected]> Directory traversal vulnerability in the unpacking functionality in dpkg before 1.15.9, 1.16.x before 1.16.13, and 1.17.x before 1.17.8 allows remote attackers to write arbitrary files via a crafted source package, related to "C-style filename quoting."
The following changes since commit 8e0c54cd0e82ffe120f84f495101cd29e6fd06bf: bitbake: bb/utils: fix contains_any() (2014-06-12 17:47:59 +0100) are available in the git repository at: git://git.pokylinux.org/poky-contrib wenzong/dpkg http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=wenzong/dpkg Guillem Jover (2): Dpkg::Source::Patch: Correctly parse C-style diff filenames Dpkg::Source::Patch: Outright reject C-style filenames in patches .../dpkg-1.17.4-CVE-2014-0471-CVE-2014-3127.patch | 49 ++++++++++++ .../dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471.patch | 83 ++++++++++++++++++++ meta/recipes-devtools/dpkg/dpkg_1.17.4.bb | 2 + 3 files changed, 134 insertions(+) create mode 100644 meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471-CVE-2014-3127.patch create mode 100644 meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471.patch -- 1.7.9.5 -- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
