Bug 47503 - dpkg: Multiple issues (4.3)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.3
All Linux
P5 normal
UCS 4.3-1-errata
Assigned To: Quality Assurance
Philipp Hahn
Reported: 2018-08-08 12:52 CEST by Quality Assurance
Modified: 2018-08-15 13:14 CEST (History)
What kind of report is it?: Security Issue
Max CVSS v3 score: 0.0 ()


Description Quality Assurance univentionstaff 2018-08-08 12:52:11 CEST
New Debian dpkg 1.18.25 fixes:
This update addresses the following issue(s):
* 

1.18.25 (Tue, 26 Jun 2018 12:28:08 +0200)

  [ Guillem Jover ]
  * Parse start-stop-daemon usernames and groupnames starting with digits in
    -u and -c correctly. Reported by Bodo Eggert <7eggert@online.de>.
  * Always use the binary version for the .buildinfo filename in
    dpkg-genbuildinfo. Reported by Raphaël Hertzog <hertzog@debian.org>.
  * Fix integer overflow in deb(5) format version parser.
  * Fix directory traversal with dpkg-deb --raw-extract, by guaranteeing
    that the DEBIAN pathname does not exist.
    Reported by Jakub Wilk <jwilk@jwilk.net>.
  * Do not try to recompute hashes for the .dsc file when signing binary-only
    builds in dpkg-buildpackage. Reported by Ximin Luo <infinity0@debian.org>.
  * Architecture support:
    - Add support for riscv64 CPU.
      Thanks to Manuel A. Fernandez Montecelo <mafm@debian.org>
  * Perl modules:
    - Do not normalize args past a passthrough stop word in Dpkg::Getopt.
      Some commands pass some arguments through to another command, and
      those must not be normalized as that might break their invocation.
      Reported by Helmut Grohne <helmut@subdivi.de>.
  * Documentation:
    - Update buildinfo information in dpkg-buildpackage man page to match
      the current implementation.
    - Use correct name for archname validator value in dpkg(1) man page.
      Reported by Niels Thykier <niels@thykier.net>.
    - Update git URLs for move away from alioth.debian.org.
  * Packaging:
    - Add versioned Build-Depends on tar, due to the --clamp-mtime option
      being used in Dpkg::Source::Archive which is used by dpkg-source,
      used by the test suite.

  [ Updated programs translations ]
  * Dutch (Frans Spiesschaert).
  * German (Sven Joachim).
  * Italian (Pietro Battiston, Milo Casagrande).
  * Portuguese (Miguel Figueiredo).
  * Simplified Chinese (Zhou Mo, Boyuan Yang).
  * Spanish (Javier Fernandez-Sanguino).
  * Turkish (Mert Dirik).

  [ Updated man pages translations ]
  * German (Helge Kreutzmann).
Comment 1 Quality Assurance univentionstaff 2018-08-08 19:09:57 CEST
--- mirror/ftp/4.3/unmaintained/4.3-0/source/dpkg_1.18.24.dsc
+++ apt/ucs_4.3-0-errata4.3-1/source/dpkg_1.18.25.dsc
@@ -1,3 +1,50 @@
+1.18.25 [Tue, 26 Jun 2018 12:28:08 +0200] Guillem Jover <guillem@debian.org>:
+
+  [ Guillem Jover ]
+  * Parse start-stop-daemon usernames and groupnames starting with digits in
+    -u and -c correctly. Reported by Bodo Eggert <7eggert@online.de>.
+  * Always use the binary version for the .buildinfo filename in
+    dpkg-genbuildinfo. Reported by Raphaël Hertzog <hertzog@debian.org>.
+    Closes: #869236
+  * Fix integer overflow in deb(5) format version parser.
+    Closes: #868356
+  * Fix directory traversal with dpkg-deb --raw-extract, by guaranteeing
+    that the DEBIAN pathname does not exist. Closes: #879982
+    Reported by Jakub Wilk <jwilk@jwilk.net>.
+  * Do not try to recompute hashes for the .dsc file when signing binary-only
+    builds in dpkg-buildpackage. Reported by Ximin Luo <infinity0@debian.org>.
+  * Architecture support:
+    - Add support for riscv64 CPU. Closes: #822914
+      Thanks to Manuel A. Fernandez Montecelo <mafm@debian.org>
+  * Perl modules:
+    - Do not normalize args past a passthrough stop word in Dpkg::Getopt.
+      Some commands pass some arguments through to another command, and
+      those must not be normalized as that might break their invocation.
+      Reported by Helmut Grohne <helmut@subdivi.de>.
+  * Documentation:
+    - Update buildinfo information in dpkg-buildpackage man page to match
+      the current implementation.
+    - Use correct name for archname validator value in dpkg(1) man page.
+      Reported by Niels Thykier <niels@thykier.net.
+    - Update git URLs for move away from alioth.debian.org.
+  * Packaging:
+    - Add versioned Build-Depends on tar, due to the --clamp-mtime option
+      being used in Dpkg::Source::Archive which is used by dpkg-source,
+      used by the test suite. Closes: #877330
+
+  [ Updated programs translations ]
+  * Dutch (Frans Spiesschaert).
+  * German (Sven Joachim).
+  * Italian (Pietro Battiston, Milo Casagrande).
+  * Portuguese (Miguel Figueiredo).
+  * Simplified Chinese (Zhou Mo, Boyuan Yang).
+  * Spanish (Javier Fernandez-Sanguino).
+  * Turkish (Mert Dirik).
+
+  [ Updated man pages translations ]
+  * Dutch (Frans Spiesschaert).
+  * German (Helge Kreutzmann).
+
 1.18.24 [Wed, 17 May 2017 13:16:25 +0200] Guillem Jover <guillem@debian.org>:
 
   [ Guillem Jover ]
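Review bot: the two security fixes in the 1.18.25 entry, "Fix integer overflow in deb(5) format version parser" (Closes: #868356) and "Fix directory traversal with dpkg-deb --raw-extract" (Closes: #879982), sit among routine changes with no CVE or severity reference, so the erratum description should name these two explicitly instead of leaving readers to find them in the full changelog. Minor: the line "Reported by Niels Thykier <niels@thykier.net." is missing the closing ">" on the address; as this is upstream changelog text, it is better reported upstream than patched locally.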

<http://10.200.17.11/4.3-1/#5735279584071574569>
Comment 2 Philipp Hahn univentionstaff 2018-08-09 09:04:56 CEST
OK: patches
OK: piuparts
OK: yaml
OK: errata-announce dpkg.yaml

[4.3-1] 161548f8db Bug #47503: dpkg 1.18.25
 doc/errata/staging/dpkg.yaml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
Comment 3 Arvid Requate univentionstaff 2018-08-15 13:14:47 CEST
<http://errata.software-univention.de/ucs/4.3/175.html>