
Bug#763780: apt-get: Insecure temporary changelog handling



Hi!

On Wed, 2014-10-08 at 10:42:07 +0200, Michael Vogt wrote:
> On Thu, Oct 02, 2014 at 06:29:45PM +0200, Guillem Jover wrote:
> > Package: apt
> > Version: 0.8.7
> > Severity: serious
> > Tags: security patch

> > Attached a patch fixing this. This affects all versions starting from
> > the one in squeeze.

> > I'm not sure if this deserves a CVE or perhaps a lower severity?
> [..]
> 
> I uploaded a fix for wheezy now, squeeze is not affected, this feature
> got added in 0.8.11 in Debian so we should be safe here.

Oh, indeed, sorry about the wrong version. I was confused by the git
history:

  $ git show a4c404301df135bea81f23b944dc6e1967f9ca85
  $ git describe --tags a4c404301df135bea81f23b944dc6e1967f9ca85
  0.8.6-22-ga4c4043

Thanks,
Guillem

