Univention Bugzilla – Bug 52486
apt: Multiple issues (4.4)
Last modified: 2020-12-16 16:03:42 CET
New Debian apt 1.4.11A~4.4.7.202012140916 fixes:

This update addresses the following issue:

* APT had several integer overflows and underflows while parsing .deb packages, aka GHSL-2020-168 and GHSL-2020-169, in files apt-pkg/contrib/extracttar.cc, apt-pkg/deb/debfile.cc, and apt-pkg/contrib/arfile.cc. This issue affects: apt 1.2.32ubuntu0 versions prior to 1.2.32ubuntu0.2; 1.6.12ubuntu0 versions prior to 1.6.12ubuntu0.2; 2.0.2ubuntu0 versions prior to 2.0.2ubuntu0.2; 2.1.10ubuntu0 versions prior to 2.1.10ubuntu0.1. (CVE-2020-27350)
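The parsing-overflow class described above, as an added illustration in C that is not apt's code: a bounds-checked read of the ar(5) member size field of a .deb, using the 64 MiB control-member cap from the changelog as a constructed limit and checking that the member fits in the remaining archive bytes. The header layout follows ar(5); the sample headers are constructed.

```c
/* Added illustration, not apt's code: hardened parse of the ar(5) member
 * size field.  Every rejection path is a check the advisory above says was
 * missing (overflow while converting, member larger than the archive). */
#include <stdint.h>
#include <string.h>

#define AR_HEADER_LEN 60u      /* ar(5): name16 mtime12 uid6 gid6 mode8 size10 fmag2 */
#define AR_SIZE_OFF   48u
#define AR_SIZE_LEN   10u
/* Constructed cap, mirroring the 64 MiB control-member limit in the changelog. */
#define MAX_MEMBER_SIZE (64u * 1024u * 1024u)

/* Returns 0 on success (size in *out), -1 for a malformed size field,
 * -2 if the member exceeds the cap or the bytes remaining in the archive. */
int ar_parse_member_size(const unsigned char *hdr, uint64_t remaining,
                         uint64_t *out)
{
    const char *f = (const char *)hdr + AR_SIZE_OFF;
    uint64_t size = 0;
    unsigned i = 0;

    /* ASCII decimal digits followed by space padding; anything else is rejected. */
    while (i < AR_SIZE_LEN && f[i] >= '0' && f[i] <= '9') {
        unsigned d = (unsigned)(f[i] - '0');
        if (size > (UINT64_MAX - d) / 10)   /* size*10 + d would wrap */
            return -1;
        size = size * 10 + d;
        i++;
    }
    if (i == 0)                              /* empty field */
        return -1;
    for (; i < AR_SIZE_LEN; i++)
        if (f[i] != ' ')
            return -1;
    /* Cap the member and make sure it lies inside the archive we actually have. */
    if (size > MAX_MEMBER_SIZE || size > remaining)
        return -2;
    *out = size;
    return 0;
}

/* Build a constructed 60-byte header whose size field holds size_text
 * (at most 10 characters); other fields are space padded as ar(5) allows. */
void ar_make_test_header(unsigned char hdr[AR_HEADER_LEN], const char *size_text)
{
    memset(hdr, ' ', AR_HEADER_LEN);
    memcpy(hdr, "control.tar.gz/", 15);
    memcpy(hdr + AR_SIZE_OFF, size_text, strlen(size_text));
    memcpy(hdr + 58, "`\n", 2);              /* ar(5) header trailer */
}
```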
--- mirror/ftp/4.4/unmaintained/4.4-5/source/apt_1.4.10A~4.4.0.202005191916.dsc +++ apt/ucs_4.4-0-errata4.4-7/source/apt_1.4.11A~4.4.7.202012140916.dsc @@ -1,10 +1,22 @@ -1.4.10A~4.4.0.202005191916 [Tue, 19 May 2020 19:16:15 +0200] Univention builddaemon <buildd@univention.de>: +1.4.11A~4.4.7.202012140916 [Mon, 14 Dec 2020 09:20:45 +0100] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 01-fix-ftbfs 10_ignore_debian 11-silence-warning 13-use-ucs-keyring + +1.4.11 [Mon, 07 Dec 2020 13:45:23 +0100] Julian Andres Klode <jak@debian.org>: + + * SECURITY UPDATE: Integer overflow in parsing (LP: #1899193) + - apt-pkg/contrib/arfile.cc: add extra checks. + - apt-pkg/contrib/tarfile.cc: limit tar item sizes to 128 GiB + - apt-pkg/deb/debfile.cc: limit control file sizes to 64 MiB + - test/*: add tests. + - CVE-2020-27350 + * Additional hardening: + - apt-pkg/contrib/tarfile.cc: Limit size of long names and links to 1 MiB + + * Fix autopkgtest regression in 1.8.2.1 security update 1.4.10 [Tue, 12 May 2020 21:46:37 +0200] Julian Andres Klode <jak@debian.org>: <http://10.200.17.11/4.4-7/#3108217110409491816>
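Review bot: in the added 1.4.11 changelog entry, the hardening lines name apt-pkg/contrib/tarfile.cc, while the bug description above lists apt-pkg/contrib/extracttar.cc as the affected tar parser; confirm that the entry refers to the file actually patched so the errata text and the source tree agree. The .dsc hunk only records the changelog, so the actual arfile.cc / debfile.cc checks and the new test/* cases are not visible here and should be reviewed in the source diff itself.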
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-7] 6df9922135 Bug #52486: apt 1.4.11A~4.4.7.202012140916
 doc/errata/staging/apt.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x836>