Changelog
dpkg (1.15.11) squeeze-security; urgency=high
[ Guillem Jover ]
* Test suite:
- Add test cases for Dpkg::Source::Patch CVE-2014-0471 and CVE-2014-3127.
- Add test case for patch disabling hunks; not security sensitive.
* Correctly parse patch headers in Dpkg::Source::Patch, to avoid directory
traversal attempts from hostile source packages when unpacking them.
Reported by Javier Serrano Polo <email address hidden> as an unspecified
directory traversal; meanwhile also independently found by me both
#749183 and what was supposed to be #746498, which was later on published
and ended up being just a subset of the other non-reported issue.
Fixes CVE-2014-3864 and CVE-2014-3865. Closes: #746498, #749183
-- Guillem Jover <email address hidden> Thu, 05 Jun 2014 22:52:45 +0200