Bug 43147 - dpkg: Multiple issues (4.1)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.1
OS: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1-4-errata
Assigned To: Philipp Hahn
Arvid Requate
https://www.first.org/cvss/calculator...
Reported: 2016-12-09 14:06 CET by Philipp Hahn
Modified: 2017-08-31 12:38 CEST (History)

What kind of report is it?: Security Issue
Bug group (optional): Security
Max CVSS v3 score: 6.1 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L/E:F/RL:O/RC:C)
Description Philipp Hahn univentionstaff 2016-12-09 14:06:08 CET
The following security update to dpkg was missed in our security tracking:

dpkg (1.16.18) wheezy; urgency=medium

  * Remove trailing space before handling blank line dot-separator in
    Dpkg::Control::Hash. Regression introduced in dpkg 1.16.16.
    Reported by Jakub Wilk <jwilk@debian.org>. Closes: #789580
  * Only use the SHELL environment variable for interactive shells.
    Closes: #788819
  * Move tar option --no-recursion before -T in dpkg-deb. With tar > 1.28 the
    --no-recursion option is now positional, and needs to be passed before
    the -T option, otherwise the tarball will end up with duplicated entries.
    Thanks to Richard Purdie <richard.purdie@linuxfoundation.org>.
    Closes: #807940
  * Initialize Config-Version also for packages previously in triggers-pending
    state, otherwise we end up not passing the previously configured version
    to «postinst configure», which might consider this a first install instead
    of an upgrade. Closes: #801156
  * Fix memory leaks in dpkg infodb format upgrade logic.
  * Fix physical file offset comparison in dpkg. Closes: #808912
    Thanks to Yuri Gribov <tetra2005@gmail.com>.
  * Do not accept empty field names in dpkg. Closes: #769111
  * When sys_siglist is defined in the system, try to use NSIG as we cannot
    compute the array size with sizeof(). If NSIG is missing fallback to 32
    items. Prompted by Igor Pashev <pashev.igor@gmail.com>.

 -- Guillem Jover <guillem@debian.org>  Sun, 20 Mar 2016 10:23:24 +0100

dpkg (1.16.17) wheezy-security; urgency=high

  [ Guillem Jover ]
  * Fix an off-by-one write access in dpkg-deb when parsing the .deb magic.
    Reported by Jacek Wielemborek <d33tah@gmail.com>. Closes: #798324
  * Fix an off-by-one write access in dpkg-deb when parsing the old format
    .deb control member size. Thanks to Hanno Böck <hanno@hboeck.de>.
    Fixes CVE-2015-0860.
  * Fix an off-by-one read access in dpkg-deb when parsing ar member names.
    Thanks to Hanno Böck <hanno@hboeck.de>.

  [ Updated programs translations ]
  * Catalan (Jordi Mallach).

  [ Updated man page translations ]
  * Fix incorrect translation in German (Helge Kreutzmann)

 -- Guillem Jover <guillem@debian.org>  Wed, 25 Nov 2015 22:34:58 +0100
Comment 1 Philipp Hahn univentionstaff 2016-12-09 15:06:51 CET
Package: dpkg
Version: 1.16.18.105.201612091413
Branch: ucs_4.1-0
Scope: errata4.1-4

r75162 | Bug #43147: dpkg YAML
Comment 2 Arvid Requate univentionstaff 2016-12-12 20:31:15 CET
[Monday, 12 December 2016] [14:39:04] <arvid>  phahn: the advisory dpkg.yaml for errata4.1-4 references http://forge.univention.org/bugzilla/show_bug.cgi?id=41965, which will probably block Janek at the release.
Comment 3 Philipp Hahn univentionstaff 2016-12-13 08:45:20 CET
(In reply to Arvid Requate from comment #2)
> [Monday, 12 December 2016] [14:39:04] <arvid>  phahn: the advisory
> dpkg.yaml for errata4.1-4 references
> http://forge.univention.org/bugzilla/show_bug.cgi?id=41965, which will
> probably block Janek at the release.

And how is that related to THIS bug?
Comment 4 Arvid Requate univentionstaff 2016-12-13 12:48:04 CET
> And how is that related to THIS bug?

cat dpkg.yaml
===========================================================================
product: ucs
release: "4.1"
version: [3,4]
scope: ucs_4.1-0-errata4.1-4
src: dpkg
fix: 1.16.18.105.201612091413
desc: |
 This update addresses the following issues:
 * An off-by-one write access in dpkg-deb when parsing the old format
   .deb control member size has been fixed (CVE-2015-0860)
 * dpkg did not correctly handle the upgrade case, were a diverted conffile
   was moved between two packages. This has been fixed.
bug: [43147,41965]
cve:
 - CVE-2015-0860
===========================================================================

Bug #41965 is tagged to UCS 4.2 and open, so mentioning it in the advisory will block the errata release.
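As an added example (not part of this bug or of the UCS release tooling), a release-gate check that parses the advisory above with a minimal parser for its flat layout and reports referenced bugs that are still open or target another release. The bug-status table is constructed from what this report and comment 4 state; the second desc bullet is abridged.

```python
DPKG_YAML = """product: ucs
release: "4.1"
scope: ucs_4.1-0-errata4.1-4
fix: 1.16.18.105.201612091413
desc: |
 This update addresses the following issues:
 * An off-by-one write access in dpkg-deb when parsing the old format
   .deb control member size has been fixed (CVE-2015-0860)
 * dpkg mishandled a diverted conffile moved between two packages. Fixed.
bug: [43147,41965]
cve:
 - CVE-2015-0860
"""  # advisory from comment 4 of this bug, abridged (constructed copy)

def parse_advisory(text):
    """Minimal parser for the flat advisory layout above (no PyYAML needed)."""
    adv, key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and key:           # continuation of desc / cve
            item = line.strip().lstrip("- ")
            if isinstance(adv[key], list):
                adv[key].append(item)
            else:
                adv[key] += item + "\n"
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if value == "|":                           # block scalar follows
            adv[key] = ""
        elif value == "":                          # "- item" list follows
            adv[key] = []
        elif value.startswith("["):                # inline list
            adv[key] = [v.strip() for v in value.strip("[]").split(",")]
        else:
            adv[key] = value.strip('"')
    return adv

# Constructed tracker view from this report: 43147 closed for the 4.1 errata, 41965 open for 4.2.
BUG_STATUS = {"43147": ("CLOSED", "4.1"), "41965": ("NEW", "4.2")}

def release_blockers(adv, bug_status):
    """Reasons the advisory must not be released yet; an empty list means clean."""
    problems = []
    for bug in adv.get("bug", []):
        status, target = bug_status.get(bug, ("UNKNOWN", None))
        if status != "CLOSED":
            problems.append(f"bug {bug}: still {status}")
        elif target != adv["release"]:
            problems.append(f"bug {bug}: targets UCS {target}, not {adv['release']}")
    return problems
```

Running `release_blockers(parse_advisory(DPKG_YAML), BUG_STATUS)` reports bug 41965 as still open, which is exactly the condition that blocked this errata release.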
Comment 5 Arvid Requate univentionstaff 2016-12-13 12:52:18 CET
Ah, now you created Bug 43173 for that, thanks for being cooperative and mentioning that you fixed the yaml or referencing, or assigning the Bug for QA.
Comment 6 Janek Walkenhorst univentionstaff 2016-12-14 12:36:51 CET
<http://errata.software-univention.de/ucs/4.1/356.html>