
Re: Ubuntu dpkg 1.15.5.6ubuntu2



Hey Colin!

On Thu, 2010-03-11 at 04:03:47 -0000, Ubuntu Merge-o-Matic wrote:
> This e-mail has been sent due to an upload to Ubuntu that contains Ubuntu
> changes.  It contains the difference between the new version and the
> previous version of the same source package in Ubuntu.

> Changes: 
>  dpkg (1.15.5.6ubuntu2) lucid; urgency=high
>  .
>    * Backport from upstream:
>      - Use FIEMAP when available (on Linux based systems) to sort the .list
>        files loading order. With a cold cache it improves up to a 70%.
>        Thanks to Morten Hustveit <morten@debian.org>. LP: #442114
>      - Call fsync(2) after writing files on disk, to get the atomicity
>        guarantees when doing rename(2). Based on a patch by Jean-Baptiste
>        Lallement <jeanbaptiste.lallement@gmail.com>.
>        Closes: #430958, LP: #512096
>    * Security fixes by Raphaël Hertzog, also backported from upstream
>      (CVE-2010-0396):
>      - Modify dpkg-source to error out when it would apply patches containing
>        insecure paths (with "/../") and also error out when it would apply a
>        patch through a symlink. Those checks are required as patch will
>        happily modify files outside of the target directory and unpacking a
>        source package should not be able to have any side-effect outside of
>        the target directory. LP: #532445
>      - Also error out when the quilt series contains a path with "/../" as
>        this can cause patch to create files outside of the source package due
>        to the -B .pc/$path option that it gets.

You might also want to cherry-pick these, which fix some minor security
related bugs, although the Debian security team didn't consider them
worth a DSA (some are really corner cases):

  4c9d2d0eeed8b077a19da5bac5f2e8183e27e850
  ffccc65580189420a0a64736bba0fb661de56dcb
  7738fe5398d6610723c3def2ddc50eea1a73c327

And the database dir sync patches (there are some missing patches from
the series, but they should not be needed for the final one, although
I've not actually checked the combination, only split them so that
they could be ignored):

  a35f0e37a46b2e3721149a25c36f3352c1cdf881
  15daa22fa94d19cc059d2755e5164db1a3a62791
  ab9482eb45e27a0b0c058a2662b28b7d3642173d
  20fdb395cc721a5060c5623eda956d73ea840a21

Or you could just wait for 1.15.6.1 (or 1.15.7) to get into unstable,
although Raphaël tells me you guys have already frozen dpkg? :/

regards,
guillem

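The two dpkg-source checks described in the quoted changelog (CVE-2010-0396), as an added example that is not dpkg's own code (dpkg implements them in Perl; this is a stand-alone Python version written for illustration). It parses the file headers of a unified diff, rejects any target whose path has a ".." component (before and after the `-p1` strip, since patch(1) locates the file only after stripping), refuses to apply through a symlink anywhere on the target path, and applies the same ".." rule to the quilt series because the series path is handed to patch as `-B .pc/<path>`. The function names, the constructed patch and series texts, and the decision to also reject absolute paths are my own assumptions, not dpkg's behaviour.

```python
import os
import tempfile

# Constructed sample inputs for the demo; not taken from any real package.
TRAVERSAL_PATCH = """\
--- a/../../etc/cron.d/evil
+++ b/../../etc/cron.d/evil
@@ -0,0 +1 @@
+* * * * * root /bin/true
"""

CLEAN_PATCH = """\
--- a/src/main.c
+++ b/src/main.c
@@ -1 +1 @@
-int x = 1;
+int x = 2;
"""

SERIES = """\
# quilt series; options such as -p0 may follow the path
fix-build.patch -p1
../../../tmp/outside.patch
"""


def has_insecure_path(path):
    """True if path is absolute or any component is '..' (assumption: absolute
    paths are rejected too, stricter than the changelog's '/../' wording)."""
    return path.startswith("/") or ".." in path.split("/")


def patch_targets(patch_text):
    """Return the old and new file names named by a unified diff's headers.

    A header is a '--- ' line immediately followed by a '+++ ' line, so a
    removed hunk line that happens to start with '-- ' is not misread.
    The optional tab-separated timestamp is dropped; /dev/null is skipped.
    """
    lines = patch_text.splitlines()
    targets = []
    for i in range(len(lines) - 1):
        if lines[i].startswith("--- ") and lines[i + 1].startswith("+++ "):
            for header in (lines[i], lines[i + 1]):
                name = header[4:].split("\t", 1)[0].strip()
                if name != "/dev/null":
                    targets.append(name)
    return targets


def strip_components(name, strip=1):
    """Mimic patch -p<strip>: drop the leading path components."""
    parts = name.split("/")
    return "/".join(parts[strip:]) if len(parts) > strip else name


def crosses_symlink(target_dir, rel_path):
    """True if any existing component of rel_path under target_dir is a symlink.

    patch(1) follows symlinks when opening the file, so every directory on
    the way is checked, not only the final entry.
    """
    current = target_dir
    for part in rel_path.split("/"):
        if not part:
            continue
        current = os.path.join(current, part)
        if os.path.islink(current):
            return True
        if not os.path.exists(current):
            break  # nothing further exists yet, so nothing to follow
    return False


def check_patch(patch_text, target_dir, strip=1):
    """Return the reasons a patch must not be applied (empty list = ok)."""
    problems = []
    for name in patch_targets(patch_text):
        if has_insecure_path(name):
            problems.append("insecure path in patch: %s" % name)
            continue
        rel = strip_components(name, strip)
        if has_insecure_path(rel):
            problems.append("insecure path after -p%d: %s" % (strip, rel))
        elif crosses_symlink(target_dir, rel):
            problems.append("patch goes through a symlink: %s" % rel)
    return problems


def check_series(series_text):
    """Reject series entries whose path has '..': quilt passes the path to
    patch as -B .pc/<path>, so backups would be written outside the tree."""
    problems = []
    for line in series_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if has_insecure_path(line.split()[0]):
            problems.append("insecure path in series: %s" % line.split()[0])
    return problems


def demo():
    """Run the checks against a throwaway tree containing an escaping symlink."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        os.makedirs(os.path.join(src, "src"))
        os.symlink(tmp, os.path.join(src, "escape"))  # points outside src/
        link_patch = CLEAN_PATCH.replace("src/main.c", "escape/passwd")
        return {
            "traversal": check_patch(TRAVERSAL_PATCH, src),
            "clean": check_patch(CLEAN_PATCH, src),
            "symlink": check_patch(link_patch, src),
            "series": check_series(SERIES),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The symlink check is deliberately done on the path components rather than by resolving the final name with realpath, because a directory symlink in the middle of the path (`escape/` above) already lets patch write outside the tree before the final file is ever created.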
