Accepted dpkg 1.16.16 (source amd64 all) into proposed-updates->stable-new, proposed-updates

Format: 1.8
Date: Thu, 09 Apr 2015 08:45:47 +0200
Source: dpkg
Binary: libdpkg-dev dpkg dpkg-dev libdpkg-perl dselect
Architecture: source amd64 all
Version: 1.16.16
Distribution: wheezy-security
Urgency: high
Maintainer: Dpkg Developers <debian-dpkg@lists.debian.org>
Changed-By: Guillem Jover <guillem@debian.org>
Description:
 dpkg       - Debian package management system
 dpkg-dev   - Debian package development tools
 dselect    - Debian package management front-end
 libdpkg-dev - Debian package management static library
 libdpkg-perl - Dpkg perl modules
Closes: 731530 751021 760690 768485 769119
Changes:
 dpkg (1.16.16) wheezy-security; urgency=high
   [ Guillem Jover ]
   * Do not leak long tar names on bogus or truncated archives.
   * Do not leak the filepackages iterator when a directory is used by other
   * Do not leak color string on «dselect --color».
   * Fix memory leaks when parsing alternatives.
   * Fix memory leaks in buffer_copy() on error conditions.
   * Fix possible out of bounds buffer read access in the error output on
     bogus ar member sizes.
   * Fix file triggers/Unincorp descriptor leak on subprocesses. Regression
     introduced with the initial triggers implementation in dpkg 1.14.17.
     Closes: #751021
   * Fix a descriptor leak on dselect subprocesses when --debug is used.
   * Do not run qsort() over the scandir() list in libcompat if it is NULL.
   * Fix off-by-one stack buffer overrun in start-stop-daemon on GNU/Linux and
     GNU/kFreeBSD if the executable pathname is longer than _POSIX_PATH_MAX.
     Although this should not have security implications as the buffer is
     surrounded by two arrays (so those catch accesses even if the stack
     grows up or down), and we are compiling with -fstack-protector anyway.
   * Add a workaround to start-stop-daemon for bogus OpenVZ Linux kernels that
     prepend, instead of appending, the " (deleted)" marker in /proc/PID/exe.
     Closes: #731530
   * Fix off-by-one error in libdpkg command argv size calculation.
     Based on a patch by Bálint Réczey <balint@balintreczey.hu>. Closes: #760690
   * Escape package and architecture names on control file parsing warning,
     as those get injected into a variable that is used as a format string,
     and they come from the package fields, which are under user control.
     Regression introduced in dpkg 1.16.0. Fixes CVE-2014-8625. Closes: #768485
     Reported by Joshua Rogers <megamansec@gmail.com>.
   * Do not match partial field names in control files. Closes: #769119
     Regression introduced in dpkg 1.10.
   * Fix out-of-bounds buffer read accesses when parsing field and trigger
     names or checking package ownership of conffiles and directories.
     Reported by Joshua Rogers <megamansec@gmail.com>.
   * Add powerpcel support to cputable. Thanks to Jae Junh <jaejunh@embian.com>.
   * Fix OpenPGP Armor Header Line parsing in Dpkg::Control::Hash. We should
     only accept [\r\t ] as trailing whitespace, although RFC4880 does not
     clarify what whitespace really maps to, we should really match the GnuPG
     implementation anyway, as that's what we use to verify the signatures.
     Reported by Jann Horn <jann@thejh.net>. Fixes CVE-2015-0840.
   [ Raphaël Hertzog ]
   * Drop myself from Uploaders.
   [ Updated scripts translations ]
   * Fix typos in German (Helge Kreutzmann)
   * Swedish (Peter Krefting).
   [ Updated man page translations ]
   * Fix typos in German (Helge Kreutzmann)
   * Swedish (Peter Krefting).
Checksums-Sha1:
 3de1850b4d0d9d961b0ef8ded13fa6cdf7b6e60f 1960 dpkg_1.16.16.dsc
 719559dbcba31624967e244d85f1c16e83ae6462 3804836 dpkg_1.16.16.tar.xz
 cd26dc64894ac425c77bf6fb4f837979bba19a85 701048 libdpkg-dev_1.16.16_amd64.deb
 af5cb382dbe4579c3bd3f2d36771195aa06478fd 2661926 dpkg_1.16.16_amd64.deb
 fd757acd9f23200ec73f67e5cfea0f0c1b50ecb6 1164376 dselect_1.16.16_amd64.deb
 8bb26282909eae2fb6809611cb82d53339cc7a1b 1362150 dpkg-dev_1.16.16_all.deb
 133abfb153a0d623eb54b2af060129744ef8b214 963272 libdpkg-perl_1.16.16_all.deb
Checksums-Sha256:
 a5564eed3d0107a8020f9ddbd0c86fc45e66239aa25da12e784b171ea11d49bf 1960 dpkg_1.16.16.dsc
 d25045e39aeb1a6e99156e1d4b8c7672bf69b54e5f853336982e62c7a04e8ef2 3804836 dpkg_1.16.16.tar.xz
 d8f54e4191caa7f168148ea4bf2edd29fdda4c6d54456764ca09bfb0faba315c 701048 libdpkg-dev_1.16.16_amd64.deb
 1fbdaa1e798051f7e86f4e71de4f70c88f566dd8e9d25cc8cea6fa84e813f49e 2661926 dpkg_1.16.16_amd64.deb
 422155a70210449141bdb79c87944e4461c7965aa8a5a893236c030185c7c574 1164376 dselect_1.16.16_amd64.deb
 5cc278ad04eedd50503a65dbaedd99237dd5b49a6736b39d478fbba41460902e 1362150 dpkg-dev_1.16.16_all.deb
 d83d1a0dfce9dee200b1b92625b433b61adc1d75d92ec4a4ee19f597e4c7e7ad 963272 libdpkg-perl_1.16.16_all.deb
Files:
 e626e497efabc3d1b73fd5a7e6c1f2ff 1960 admin required dpkg_1.16.16.dsc
 88d0e4c98ecb8afe6dee896a2aa9665d 3804836 admin required dpkg_1.16.16.tar.xz
 b4f2ba40806697f3ae59b07234ed9288 701048 libdevel optional libdpkg-dev_1.16.16_amd64.deb
 c23c0927ef326b99136a2ca9493648e5 2661926 admin required dpkg_1.16.16_amd64.deb
 3c350a2202d5d017d16a9f1c04606587 1164376 admin optional dselect_1.16.16_amd64.deb
 33969be64b612674e2e18c3c62ca4364 1362150 utils optional dpkg-dev_1.16.16_all.deb
 23bdcfb587bb2db5d2e9e27a5ad89aca 963272 perl optional libdpkg-perl_1.16.16_all.deb
