** Description changed:

  SRU Justification:

  [ Impact ]

  Fixes CVE-2025-6297

  When extracting a control member into a temporary directory, which is documented as being a safe operation even on untrusted data, the code in charge of the temporary directory cleanup does not sanitize the directory permissions, which is then unable to perform the «rm -rf» when running as a non-root user, leaving temporary files behind.

  Given automated and repeated execution of dpkg-deb commands on adversarial .deb packages or with well compressible files, placed inside a directory with permissions not allowing removal by a non-root user, this can end up with a DoS scenario due to causing disk quota exhaustion or disk full conditions.

  This is considered a minor issue, given the required conditions to trigger a problem with it, but an issue nonetheless given the documented security guarantees of the command. This has been an issue since the initial commit introducing dpkg-deb in C.

  We use an existing string for the error message to avoid new strings needing translation for stable branches, which makes the error message less descriptive than what would be ideal. This will be improved in git HEAD.

  Reported-by: zhutyra on HackerOne
  Fixes: CVE-2025-6297
  Stable-Candidate: 1.20.x 1.21.x 1.22.x

  [ Test Plan ]

  The fix includes a testcase. To manually test using the testcase, create a test directory, i.e. testdir, and cd into it.

  - Generate control file for a deb
  mkdir -p pkg-ctrl-dir-perms/DEBIAN
  touch pkg-ctrl-dir-perms/DEBIAN/control
  cat << EOF > pkg-ctrl-dir-perms/DEBIAN/control
  Package: pkg-ctrl-dir-perms
  Version: 1.0
  Section: test
  Priority: extra
  Architecture: all
  Maintainer: Anybody <anybody@anybody>
  Description: Package to test CVE-2025-6297
  EOF

  - Create and build the deb
- debdpkg-deb --root-owner-group -Znone -b pkg-ctrl-dir-perms
+ dpkg-deb --root-owner-group -Znone -b pkg-ctrl-dir-perms

  - Extract contents of the deb
  dpkg-deb -R pkg-ctrl-dir-perms.deb pkg-ctrl-dir-perms-bad

  - Create a deb with bad permissions
  mkdir -p pkg-ctrl-dir-perms-bad/DEBIAN/rx-subdir/inner
  touch pkg-ctrl-dir-perms-bad/DEBIAN/rx-subdir/inner/file
  chmod 0555 pkg-ctrl-dir-perms-bad/DEBIAN
  chmod 0555 pkg-ctrl-dir-perms-bad/DEBIAN/rx-subdir
  chmod 0555 pkg-ctrl-dir-perms-bad/DEBIAN/rx-subdir/inner
  tar cf control.tar --format=gnu --mtime @0 --clamp-mtime --owner root:0 --group root:0 -C pkg-ctrl-dir-perms-bad/DEBIAN .
  ar rc pkg-ctrl-dir-perms.deb control.tar

  - Extract the control file and verify the permissions
  dpkg-deb --ctrl-tarfile pkg-ctrl-dir-perms.deb | $TAR tvf -

  - Check that cleanup of the temporarily extracted control member works (this will fail on a system without the fix, with an error message, and leave files in the temporary directory created)
  dpkg-deb -I pkg-ctrl-dir-perms.deb

  [ Where problems could occur ]

  When extracting, this patch will walk a given directory and change the permissions on any child directories to 755, so that the cleanup can remove the files on disk for non-root users. Permissions on the parent directory (/tmp) of the temporary directory could possibly still prevent non-root users from cleaning up.

  [ Other Info ]

  Because noble and jammy do not implement some of the newer test macros in dpkg, direct calls to the ar command were substituted in the testcase for creating the archive.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2122053

Title:
  dpkg-deb: Fix cleanup for control member with restricted directories

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dpkg/+bug/2122053/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
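
The directory walk described under [ Where problems could occur ], as an added example that is not dpkg's code and not part of the bug report: it resets each directory to 0755 before removing its contents, so cleanup works for a non-root user on the 0555 layout from the test plan. The function names and the /tmp template are assumptions made for the illustration.

```c
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not dpkg's code): remove `path` recursively. Every real
 * directory is first set to 0755 so a non-root owner can unlink its entries;
 * lstat() keeps symlinks from being followed. Returns 0 once `path` is gone. */
int cleanup_tree(const char *path)
{
    struct stat st;
    struct dirent *e;
    char child[4096];
    DIR *d;
    int rc = 0;
    if (lstat(path, &st) != 0) return -1;
    if (!S_ISDIR(st.st_mode)) return unlink(path);
    if (chmod(path, 0755) != 0 || (d = opendir(path)) == NULL) return -1;
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        snprintf(child, sizeof child, "%s/%s", path, e->d_name);
        if (cleanup_tree(child) != 0) rc = -1;   /* keep going, report failure */
    }
    closedir(d);
    return rc == 0 ? rmdir(path) : -1;
}

/* Constructed sample from the test plan: <base>/rx-subdir/inner/file with all
 * three directories 0555. `base` is a mkdtemp() template. Returns 0 if built. */
int make_restricted_tree(char *base)
{
    char sub[1024], inner[2048], file[4096];
    FILE *fp;
    if (mkdtemp(base) == NULL) return -1;
    snprintf(sub, sizeof sub, "%s/rx-subdir", base);
    snprintf(inner, sizeof inner, "%s/inner", sub);
    snprintf(file, sizeof file, "%s/file", inner);
    if (mkdir(sub, 0755) != 0 || mkdir(inner, 0755) != 0) return -1;
    if ((fp = fopen(file, "w")) == NULL) return -1;
    fclose(fp);
    return (chmod(inner, 0555) || chmod(sub, 0555) || chmod(base, 0555)) ? -1 : 0;
}

int main(void)
{
    char base[] = "/tmp/ctrl-cleanup-XXXXXX";   /* constructed template */
    return make_restricted_tree(base) != 0 || cleanup_tree(base) != 0;
}
```

As the report notes, this only covers directories inside the temporary tree; permissions on the parent of the temporary directory can still block removal.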
