Accepted dpkg 1.16.16 (source amd64 all) into proposed-updates->stable-new, proposed-updates
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 09 Apr 2015 08:45:47 +0200
Source: dpkg
Binary: libdpkg-dev dpkg dpkg-dev libdpkg-perl dselect
Architecture: source amd64 all
Version: 1.16.16
Distribution: wheezy-security
Urgency: high
Maintainer: Dpkg Developers <debian-dpkg@lists.debian.org>
Changed-By: Guillem Jover <guillem@debian.org>
Description:
dpkg - Debian package management system
dpkg-dev - Debian package development tools
dselect - Debian package management front-end
libdpkg-dev - Debian package management static library
libdpkg-perl - Dpkg perl modules
Closes: 731530 751021 760690 768485 769119
Changes:
dpkg (1.16.16) wheezy-security; urgency=high
.
[ Guillem Jover ]
* Do not leak long tar names on bogus or truncated archives.
* Do not leak the filepackages iterator when a directory is used by other
packages.
* Do not leak color string on «dselect --color».
* Fix memory leaks when parsing alternatives.
* Fix memory leaks in buffer_copy() on error conditions.
* Fix possible out of bounds buffer read access in the error output on
bogus ar member sizes.
* Fix file triggers/Unincorp descriptor leak on subprocesses. Regression
introduced with the initial triggers implementation in dpkg 1.14.17.
Closes: #751021
* Fix a descriptor leak on dselect subprocesses when --debug is used.
* Do not run qsort() over the scandir() list in libcompat if it is NULL.
* Fix off-by-one stack buffer overrun in start-stop-daemon on GNU/Linux and
GNU/kFreeBSD if the executable pathname is longer than _POSIX_PATH_MAX.
Although this should not have security implications as the buffer is
surrounded by two arrays (so those catch accesses even if the stack
grows up or down), and we are compiling with -fstack-protector anyway.
* Add a workaround to start-stop-daemon for bogus OpenVZ Linux kernels that
prepend, instead of appending, the " (deleted)" marker in /proc/PID/exe.
Closes: #731530
* Fix off-by-one error in libdpkg command argv size calculation.
Based on a patch by Bálint Réczey <balint@balintreczey.hu>. Closes: #760690
* Escape package and architecture names on control file parsing warning,
as those get injected into a variable that is used as a format string,
and they come from the package fields, which are under user control.
Regression introduced in dpkg 1.16.0. Fixes CVE-2014-8625. Closes: #768485
Reported by Joshua Rogers <megamansec@gmail.com>.
* Do not match partial field names in control files. Closes: #769119
Regression introduced in dpkg 1.10.
* Fix out-of-bounds buffer read accesses when parsing field and trigger
names or checking package ownership of conffiles and directories.
Reported by Joshua Rogers <megamansec@gmail.com>.
* Add powerpcel support to cputable. Thanks to Jae Junh <jaejunh@embian.com>.
* Fix OpenPGP Armor Header Line parsing in Dpkg::Control::Hash. We should
only accept [\r\t ] as trailing whitespace, although RFC4880 does not
clarify what whitespace really maps to, we should really match the GnuPG
implementation anyway, as that's what we use to verify the signatures.
Reported by Jann Horn <jann@thejh.net>. Fixes CVE-2015-0840.
.
[ Raphaël Hertzog ]
* Drop myself from Uploaders.
.
[ Updated scripts translations ]
* Fix typos in German (Helge Kreutzmann)
* Swedish (Peter Krefting).
.
[ Updated man page translations ]
* Fix typos in German (Helge Kreutzmann)
* Swedish (Peter Krefting).
Checksums-Sha1:
3de1850b4d0d9d961b0ef8ded13fa6cdf7b6e60f 1960 dpkg_1.16.16.dsc
719559dbcba31624967e244d85f1c16e83ae6462 3804836 dpkg_1.16.16.tar.xz
cd26dc64894ac425c77bf6fb4f837979bba19a85 701048 libdpkg-dev_1.16.16_amd64.deb
af5cb382dbe4579c3bd3f2d36771195aa06478fd 2661926 dpkg_1.16.16_amd64.deb
fd757acd9f23200ec73f67e5cfea0f0c1b50ecb6 1164376 dselect_1.16.16_amd64.deb
8bb26282909eae2fb6809611cb82d53339cc7a1b 1362150 dpkg-dev_1.16.16_all.deb
133abfb153a0d623eb54b2af060129744ef8b214 963272 libdpkg-perl_1.16.16_all.deb
Checksums-Sha256:
a5564eed3d0107a8020f9ddbd0c86fc45e66239aa25da12e784b171ea11d49bf 1960 dpkg_1.16.16.dsc
d25045e39aeb1a6e99156e1d4b8c7672bf69b54e5f853336982e62c7a04e8ef2 3804836 dpkg_1.16.16.tar.xz
d8f54e4191caa7f168148ea4bf2edd29fdda4c6d54456764ca09bfb0faba315c 701048 libdpkg-dev_1.16.16_amd64.deb
1fbdaa1e798051f7e86f4e71de4f70c88f566dd8e9d25cc8cea6fa84e813f49e 2661926 dpkg_1.16.16_amd64.deb
422155a70210449141bdb79c87944e4461c7965aa8a5a893236c030185c7c574 1164376 dselect_1.16.16_amd64.deb
5cc278ad04eedd50503a65dbaedd99237dd5b49a6736b39d478fbba41460902e 1362150 dpkg-dev_1.16.16_all.deb
d83d1a0dfce9dee200b1b92625b433b61adc1d75d92ec4a4ee19f597e4c7e7ad 963272 libdpkg-perl_1.16.16_all.deb
Files:
e626e497efabc3d1b73fd5a7e6c1f2ff 1960 admin required dpkg_1.16.16.dsc
88d0e4c98ecb8afe6dee896a2aa9665d 3804836 admin required dpkg_1.16.16.tar.xz
b4f2ba40806697f3ae59b07234ed9288 701048 libdevel optional libdpkg-dev_1.16.16_amd64.deb
c23c0927ef326b99136a2ca9493648e5 2661926 admin required dpkg_1.16.16_amd64.deb
3c350a2202d5d017d16a9f1c04606587 1164376 admin optional dselect_1.16.16_amd64.deb
33969be64b612674e2e18c3c62ca4364 1362150 utils optional dpkg-dev_1.16.16_all.deb
23bdcfb587bb2db5d2e9e27a5ad89aca 963272 perl optional libdpkg-perl_1.16.16_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJVJiLjAAoJELlyvz6krlejh1cQAKfshLTzi5aQbCUNpqdrs45Q
OqYBkDpCFdRgKdWu4t8SmJBpDrn0o88UwhIg23qnur/fYVgt6+IRZnQR1r4ZCzHJ
PA76ezXK7aBt0a0x/42VosMimBQ0uuojlrHekbJfls4kt1IyXjp1el0PTjYGIFdX
uBX0Gw05wTbHPB34Oskxzo2KsrBNX1+F4W5nFrMW1OEU0iMsolfmz4RvbPTuX/k4
nvkgSGfmatJgRnE1har0c26fFKaEGuz+KAIjGquDMeebmhj0pb1j93P5wkY77Jfu
HMSWjvL4mSpPClKQATCxg+igriwJnfUckgz8HrGJtYTU+jqo01puZ4Saazfg20Zc
ClQz0YWxTSd8tsqtdc7H7rS3R+Xo4VYa685rapK9RREdxKkL6yJWm03yShtZQ7Iu
b7DKMps0dvAg0c3CyYw1X9MM3gO2IZwtneywjc+E5IkBk1dfPE7oaNSE7smsGt4l
j32Zh/UBEYiUC6p1f3FnaMXToyicK1+16/LJWl0GDredkkmtssedExVcBazxs0qo
FjefjLpvk18yi87bDhvt23zvc/bogxjeaCLh5yvdUfBPAR8KxOZgzeYHSpReFO1u
kUlCds/yiU2KG+eYzrA/IR2SAPIItydwtZ9M1oevbw0trDYlmoB61Tq5jt29gjMT
1LyYsDSL82naOWw9n3Wg
=AtLH
-----END PGP SIGNATURE-----
Reply to: