
Re: Ubuntu dpkg

Hey Colin!

On Thu, 2010-03-11 at 04:03:47 -0000, Ubuntu Merge-o-Matic wrote:
> This e-mail has been sent due to an upload to Ubuntu that contains Ubuntu
> changes.  It contains the difference between the new version and the
> previous version of the same source package in Ubuntu.

> Changes: 
>  dpkg ( lucid; urgency=high
>  .
>    * Backport from upstream:
>      - Use FIEMAP when available (on Linux based systems) to sort the .list
>        files loading order. With a cold cache it improves up to a 70%.
>        Thanks to Morten Hustveit <morten@debian.org>. LP: #442114
>      - Call fsync(2) after writing files on disk, to get the atomicity
>        guarantees when doing rename(2). Based on a patch by Jean-Baptiste
>        Lallement <jeanbaptiste.lallement@gmail.com>.
>        Closes: #430958, LP: #512096
>    * Security fixes by Raphaël Hertzog, also backported from upstream
>      (CVE-2010-0396):
>      - Modify dpkg-source to error out when it would apply patches containing
>        insecure paths (with "/../") and also error out when it would apply a
>        patch through a symlink. Those checks are required as patch will
>        happily modify files outside of the target directory and unpacking a
>        source package should not be able to have any side-effect outside of
>        the target directory. LP: #532445
>      - Also error out when the quilt series contains a path with "/../" as
>        this can cause patch to create files outside of the source package due
>        to the -B .pc/$path option that it gets.

You might also want to cherry-pick these, which fix some minor security
related bugs, although the Debian security team didn't consider them
worth a DSA (some are really corner cases):


And the database dir sync patches (there are some missing patches from
the series, but they should not be needed for the final one, although
I've not actually checked the combination, only split them so that
they could be ignored):


Or you could just wait for (or 1.15.7) to get into unstable,
although Raphaël tells me you guys have already frozen dpkg? :/
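The three checks the quoted CVE-2010-0396 changelog entry describes (patch file headers with "/../", a quilt series entry with "/../" that reaches patch's -B .pc/$path option, and a patch applied through a symlink), written out as a small Python checker. This is an added illustration, not dpkg-source's own Perl code; the sample patch, series file and temporary tree are constructed here, and the path test is slightly broader than the changelog states in that it rejects any ".." component and absolute paths, not only the literal "/../".

```python
import os
import re
import tempfile

# Constructed sample input: a unified diff whose second file header escapes the tree.
SAMPLE_PATCH = """\
--- a/src/main.c
+++ b/src/main.c
@@ -1 +1 @@
-old
+new
--- a/debian/../../etc/passwd
+++ b/debian/../../etc/passwd
"""
# Constructed sample quilt series: one safe entry, one comment, two traversal entries.
SAMPLE_SERIES = "fix-build.patch -p1\n# comment\n../../evil.patch\nsub/../x.patch\n"

HEADER_RE = re.compile(r"^(?:---|\+\+\+) (\S+)")

def is_insecure_path(path: str) -> bool:
    """Reject absolute paths and any '..' component that could leave the source tree."""
    return path.startswith("/") or any(p == ".." for p in path.split("/"))

def patch_target_paths(patch_text: str) -> list:
    """File names from '---'/'+++' headers, i.e. what patch -p1 will operate on."""
    found = [m.group(1) for m in map(HEADER_RE.match, patch_text.splitlines()) if m]
    return [p for p in found if p != "/dev/null"]

def insecure_patch_paths(patch_text: str) -> list:
    return [p for p in patch_target_paths(patch_text) if is_insecure_path(p)]

def insecure_series_entries(series_text: str) -> list:
    """Series names that would let 'patch -B .pc/<name>' write backups outside .pc/."""
    names = [l.split("#", 1)[0].split() for l in series_text.splitlines()]
    return [n[0] for n in names if n and is_insecure_path(n[0])]

def path_goes_through_symlink(root: str, rel_path: str) -> bool:
    """True if any component of rel_path under root (leaf included) is a symlink."""
    cur = root
    for part in rel_path.split("/"):
        cur = os.path.join(cur, part)
        if os.path.islink(cur):
            return True
    return False

def demo_symlink_check() -> tuple:
    """Build a throwaway tree (src/real.c, src/link -> real.c) and check both paths."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "src"))
        open(os.path.join(root, "src", "real.c"), "w").close()
        os.symlink("real.c", os.path.join(root, "src", "link"))
        return (path_goes_through_symlink(root, "src/real.c"),
                path_goes_through_symlink(root, "src/link"))
```

A real dpkg-source run strips the leading "a/" or "b/" before the symlink walk; here the symlink helper is called with tree-relative paths directly.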

