Re: Ubuntu dpkg 1.15.5.6ubuntu2
Hey Colin!
On Thu, 2010-03-11 at 04:03:47 -0000, Ubuntu Merge-o-Matic wrote:
> This e-mail has been sent due to an upload to Ubuntu that contains Ubuntu
> changes. It contains the difference between the new version and the
> previous version of the same source package in Ubuntu.
> Changes:
> dpkg (1.15.5.6ubuntu2) lucid; urgency=high
> .
> * Backport from upstream:
> - Use FIEMAP when available (on Linux based systems) to sort the .list
> files loading order. With a cold cache it improves up to a 70%.
> Thanks to Morten Hustveit <morten@debian.org>. LP: #442114
> - Call fsync(2) after writing files on disk, to get the atomicity
> guarantees when doing rename(2). Based on a patch by Jean-Baptiste
> Lallement <jeanbaptiste.lallement@gmail.com>.
> Closes: #430958, LP: #512096
> * Security fixes by Raphaël Hertzog, also backported from upstream
> (CVE-2010-0396):
> - Modify dpkg-source to error out when it would apply patches containing
> insecure paths (with "/../") and also error out when it would apply a
> patch through a symlink. Those checks are required as patch will
> happily modify files outside of the target directory and unpacking a
> source package should not be able to have any side-effect outside of
> the target directory. LP: #532445
> - Also error out when the quilt series contains a path with "/../" as
> this can cause patch to create files outside of the source package due
> to the -B .pc/$path option that it gets.
You might also want to cherry-pick these, which fix some minor security
related bugs, although the Debian security team didn't consider them
worth a DSA (some are really corner cases):
4c9d2d0eeed8b077a19da5bac5f2e8183e27e850
ffccc65580189420a0a64736bba0fb661de56dcb
7738fe5398d6610723c3def2ddc50eea1a73c327
And the database dir sync patches (there are some missing patches from
the series, but they should not be needed for the final one, although
I've not actually checked the combination, only split them so that
they could be ignored):
a35f0e37a46b2e3721149a25c36f3352c1cdf881
15daa22fa94d19cc059d2755e5164db1a3a62791
ab9482eb45e27a0b0c058a2662b28b7d3642173d
20fdb395cc721a5060c5623eda956d73ea840a21
Or you could just wait for 1.15.6.1 (or 1.15.7) to get into unstable,
although Raphaël tells me you guys have already frozen dpkg? :/
regards,
guillem
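The quoted changelog names the three CVE-2010-0396 checks but not how they are carried out. What follows is an added example written for this page, not dpkg-source's own Perl code: it reimplements the checks in Python and runs them over constructed sample input. The function names, the sample patches and series files, and the `-p` stripping (modelled on how patch(1) drops leading path components) are all assumptions of this example. It also generalises slightly beyond the changelog's "/../" substring test by rejecting any ".." component and any absolute path, since either lets patch write outside the unpacked tree.

```python
#!/usr/bin/env python3
"""Added example (not dpkg-source's own code): the three CVE-2010-0396
checks from the quoted changelog, reimplemented for constructed input."""
import os
import tempfile

# Constructed sample inputs; none of these come from a real package.
SAFE_PATCH = """\
--- a/src/main.c
+++ b/src/main.c
@@ -1 +1 @@
-int x = 1;
+int x = 2;
"""

# Same hunk plus one whose target climbs out of the tree after -p1 stripping.
TRAVERSAL_PATCH = SAFE_PATCH + """\
--- a/debian/../../../etc/cron.d/backdoor
+++ b/debian/../../../etc/cron.d/backdoor
@@ -0,0 +1 @@
+* * * * * root /tmp/x
"""

SERIES_SAFE = "01-fix-build.patch\n# a comment\n02-feature.patch -p0\n"
SERIES_BAD = "01-fix-build.patch\n../../../../tmp/evil.patch\n"


def header_names(patch_text):
    """Yield file names from '---'/'+++' header pairs of a unified diff."""
    lines = patch_text.splitlines()
    for i in range(len(lines) - 1):
        if lines[i].startswith('--- ') and lines[i + 1].startswith('+++ '):
            for hdr in (lines[i], lines[i + 1]):
                fields = hdr[4:].split()        # drop an optional timestamp
                if fields and fields[0] != '/dev/null':
                    yield fields[0]


def strip_components(name, strip):
    """Mimic patch -pN: drop everything up to and including the N-th slash."""
    for _ in range(strip):
        idx = name.find('/')
        if idx < 0:
            break
        name = name[idx + 1:]
    return name


def is_insecure_path(path):
    """Reject absolute paths and any '..' component (a superset of the
    '/../' substring check the changelog describes)."""
    if path.startswith('/'):
        return True
    return any(part == '..' for part in path.split('/'))


def goes_through_symlink(root, rel_path):
    """True if rel_path, or any directory on the way to it, is a symlink
    under root; patch(1) would follow it and write outside the tree."""
    current = root
    for part in rel_path.split('/'):
        if not part:
            continue
        current = os.path.join(current, part)
        if os.path.islink(current):
            return True
    return False


def audit_patch(patch_text, strip=1, root=None):
    """Return [(target, reason)] for every header target the checks reject.
    The symlink check only runs when a tree root is supplied."""
    findings, seen = [], set()
    for name in header_names(patch_text):
        target = strip_components(name, strip)
        if target in seen:
            continue
        seen.add(target)
        if is_insecure_path(target):
            findings.append((target, 'path escapes the source tree'))
        elif root is not None and goes_through_symlink(root, target):
            findings.append((target, 'path passes through a symlink'))
    return findings


def audit_series(series_text):
    """Return quilt series entries whose path would escape the .pc/ dir."""
    bad = []
    for raw in series_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        patch_name = line.split()[0]            # options such as -p0 may follow
        if is_insecure_path(patch_name):
            bad.append(patch_name)
    return bad


def demo_symlink_check():
    """Build a throwaway tree whose 'debian' entry is a symlink pointing
    outside it, then audit a patch touching src/main.c and debian/rules."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = os.path.join(tmp, 'tree')
        outside = os.path.join(tmp, 'outside')
        os.makedirs(os.path.join(tree, 'src'))
        os.makedirs(outside)
        os.symlink(outside, os.path.join(tree, 'debian'))
        patch = SAFE_PATCH + (
            "--- a/debian/rules\n+++ b/debian/rules\n@@ -1 +1 @@\n-x\n+y\n")
        return audit_patch(patch, strip=1, root=tree)


if __name__ == '__main__':
    print('traversal:', audit_patch(TRAVERSAL_PATCH))
    print('series:   ', audit_series(SERIES_BAD))
    print('symlink:  ', demo_symlink_check())
```

Note that the symlink check has to walk every directory on the way to the target, not just test the final file: a link anywhere in the prefix is enough for patch to end up writing outside the tree. The series check applies the same path test to the patch file names because, as the changelog notes, patch is handed `-B .pc/$path` and will create its backup files wherever that path leads.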