Changelog
dpkg (1.14.29) stable-security; urgency=high
* Modify dpkg-source to error out when it would apply patches containing
insecure paths (with "/../") and also error out when it would apply a
patch through a symlink. Those checks are required as patch will happily
modify files outside of the target directory and unpacking a source package
should not be able to have any side-effect outside of the target
directory. Fixes CVE-2010-0396.
* Also error out when the quilt series contains a path with "/../" as this
can cause patch to create files outside of the source package due
to the -B .pc/$path option that it gets.
-- Raphael Hertzog <email address hidden> Fri, 05 Mar 2010 22:25:05 +0100
