diff -Nru dpkg-1.17.5ubuntu5/debian/changelog dpkg-1.17.5ubuntu5.6/debian/changelog
--- dpkg-1.17.5ubuntu5/debian/changelog 2014-03-07 10:48:35.000000000 +0000
+++ dpkg-1.17.5ubuntu5.6/debian/changelog 2016-04-25 18:52:44.000000000 +0000
@@ -1,3 +1,64 @@
+dpkg (1.17.5ubuntu5.6) trusty; urgency=medium
+
+ * dpkg-maintscript-helper: s/exit/return/ in subshells (LP: #1574285)
+
+ -- Adam Conrad Mon, 25 Apr 2016 12:44:01 -0600
+
+dpkg (1.17.5ubuntu5.5) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: multiple security issues
+ - dpkg-deb/extract.c: Fix off-by-one write access on versionbuf
+ variable.
+ - dpkg-deb/extract.c: Fix off-by-one write access on ctrllenbuf
+ variable. (CVE-2015-0860)
+ - lib/dpkg/ar.c: Fix an off-by-one read access in ar member name
+ variable.
+ - Thanks to Guillem Jover and Hanno Böck for the patches!
+
+ -- Marc Deslauriers Thu, 26 Nov 2015 07:57:34 -0500
+
+dpkg (1.17.5ubuntu5.4) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: OpenPGP Armor Header Line parsing issue
+ - scripts/Dpkg/Control/HashCore.pm: adjust whitespace parsing.
+ - scripts/Makefile.*, scripts/t/700_Dpkg_Control.t,
+ scripts/t/700_Dpkg_Control/bogus-armor-formfeed.dsc: added tests.
+ - Patch thanks to Guillem Jover
+ - CVE-2015-0840
+
+ -- Marc Deslauriers Thu, 09 Apr 2015 08:41:39 -0400
+
+dpkg (1.17.5ubuntu5.3) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: arbitrary file modification via dpkg-source
+ - scripts/Dpkg/Source/Patch.pm: Use a better regex for patch header
+ parsing
+ - 5348cbc981a65c3c9b05bb4d13553bda930c2d78
+ - CVE-2014-3864
+ - CVE-2014-3865
+
+ -- Marc Deslauriers Mon, 09 Jun 2014 12:34:57 -0400
+
+dpkg (1.17.5ubuntu5.2) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: directory traversal in dpkg-source
+ - scripts/Dpkg/Source/Patch.pm: outright reject C-style filenames in
+ patches
+ - a12eb58959d0a10584a428f4a3103a49204c410f
+ - CVE-2014-0471
+
+ -- Marc Deslauriers Thu, 01 May 2014 07:59:19 -0400
+
+dpkg (1.17.5ubuntu5.1) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: directory traversal in dpkg-source
+ - scripts/Dpkg/Source/Patch.pm: correctly parse C-style diff
+ filenames.
+ - Patch thanks to Guillem Jover
+ - CVE-2014-0471
+
+ -- Marc Deslauriers Wed, 23 Apr 2014 19:46:35 -0400
+
 dpkg (1.17.5ubuntu5) trusty; urgency=medium
 * Allow -fstack-protector on arm64 now that GCC and glibc support it.
diff -Nru dpkg-1.17.5ubuntu5/dpkg-deb/extract.c dpkg-1.17.5ubuntu5.6/dpkg-deb/extract.c
--- dpkg-1.17.5ubuntu5/dpkg-deb/extract.c 2013-12-10 06:15:02.000000000 +0000
+++ dpkg-1.17.5ubuntu5.6/dpkg-deb/extract.c 2015-11-26 12:57:29.000000000 +0000
@@ -130,7 +130,7 @@
 if (fstat(arfd, &stab)) ohshite(_("failed to fstat archive"));
- r = read_line(arfd, versionbuf, strlen(DPKG_AR_MAGIC), sizeof(versionbuf));
+ r = read_line(arfd, versionbuf, strlen(DPKG_AR_MAGIC), sizeof(versionbuf) - 1);
 if (r < 0) read_fail(r, debar, _("archive magic version number"));
@@ -236,7 +236,7 @@
 if (errstr) ohshit(_("archive has invalid format version: %s"), errstr);
- r = read_line(arfd, ctrllenbuf, 1, sizeof(ctrllenbuf));
+ r = read_line(arfd, ctrllenbuf, 1, sizeof(ctrllenbuf) - 1);
 if (r < 0) read_fail(r, debar, _("archive control member size"));
 if (sscanf(ctrllenbuf, "%jd%c%d", &ctrllennum, &nlc, &dummy) != 2 ||
diff -Nru dpkg-1.17.5ubuntu5/lib/dpkg/ar.c dpkg-1.17.5ubuntu5.6/lib/dpkg/ar.c
--- dpkg-1.17.5ubuntu5/lib/dpkg/ar.c 2013-12-10 06:14:22.000000000 +0000
+++ dpkg-1.17.5ubuntu5.6/lib/dpkg/ar.c 2015-11-26 12:57:29.000000000 +0000
@@ -45,7 +45,7 @@
 name[i] = '\0';
 /* Remove optional slash terminator (on GNU-style archives). */
- if (name[i] == '/')
+ if (i >= 0 && name[i] == '/')
 name[i] = '\0';
 }
diff -Nru dpkg-1.17.5ubuntu5/scripts/Dpkg/Control/HashCore.pm dpkg-1.17.5ubuntu5.6/scripts/Dpkg/Control/HashCore.pm
--- dpkg-1.17.5ubuntu5/scripts/Dpkg/Control/HashCore.pm 2013-12-10 06:15:02.000000000 +0000
+++ dpkg-1.17.5ubuntu5.6/scripts/Dpkg/Control/HashCore.pm 2015-04-09 12:47:46.000000000 +0000
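Review bot: The `- 1` in the new `read_line(arfd, versionbuf, strlen(DPKG_AR_MAGIC), sizeof(versionbuf) - 1)` call is correct only under a contract that is not visible in the hunk — that read_line() writes a terminating NUL at buf[len] — and nothing at the call site records it, so a later cleanup could reintroduce the overflow; the same applies to the ctrllenbuf call in the second hunk of this file. If that is read_line()'s contract, a one-line comment above each call would pin it down: `/* read_line() NUL-terminates at buf[len]; leave room for it. */`. Deriving the length from the buffer in one place (a small helper or macro used by both call sites) would also keep the two from drifting apart again. The enclosing function starts and ends outside both hunks.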
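Review bot: The new `i >= 0 &&` guard in `if (i >= 0 && name[i] == '/')` is the only hint that `i` can be negative here (presumably -1 when every byte of the member name was a space and the preceding trim loop ran off the front of the buffer), and the reason deserves stating so the guard is not later removed as redundant: `/* i is -1 when the whole name was spaces; never read before the buffer. */`. Whether the resulting empty member name is then accepted or rejected by the caller is not visible in this hunk and may deserve its own check. The enclosing function starts outside the hunk.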
@@ -188,8 +188,8 @@
 my $expect_pgp_sig = 0;
 while (<$fh>) {
- s/\s*\n$//;
- next if (m/^$/ and $paraborder);
+ chomp;
+ next if m/^\s*$/ and $paraborder;
 next if (m/^#/);
 $paraborder = 0;
 if (m/^(\S+?)\s*:\s*(.*)$/) {
@@ -197,13 +197,15 @@
 if ($1 =~ m/^-/) {
 $self->parse_error($desc, _g('field cannot start with a hyphen'));
 }
- if (exists $self->{$1}) {
+ my ($name, $value) = ($1, $2);
+ if (exists $self->{$name}) {
 unless ($$self->{allow_duplicate}) {
- $self->parse_error($desc, _g('duplicate field %s found'), $1);
+ $self->parse_error($desc, _g('duplicate field %s found'), $name);
 }
 }
- $self->{$1} = $2;
- $cf = $1;
+ $value =~ s/\s*$//;
+ $self->{$name} = $value;
+ $cf = $name;
 } elsif (m/^\s(\s*\S.*)$/) {
 my $line = $1;
 unless (defined($cf)) {
@@ -212,8 +214,9 @@
 if ($line =~ /^\.+$/) {
 $line = substr $line, 1;
 }
+ $line =~ s/\s*$//;
 $self->{$cf} .= "\n$line";
- } elsif (m/^-----BEGIN PGP SIGNED MESSAGE-----$/) {
+ } elsif (m/^-----BEGIN PGP SIGNED MESSAGE-----[\r\t ]*$/) {
 $expect_pgp_sig = 1;
 if ($$self->{allow_pgp} and not $parabody) {
 # Skip PGP headers
@@ -223,7 +226,8 @@
 } else {
 $self->parse_error($desc, _g('PGP signature not allowed here'));
 }
- } elsif (m/^$/ || ($expect_pgp_sig && m/^-----BEGIN PGP SIGNATURE-----$/)) {
+ } elsif (m/^\s*$/ ||
+ ($expect_pgp_sig && m/^-----BEGIN PGP SIGNATURE-----[\r\t ]*$/)) {
 if ($expect_pgp_sig) {
 # Skip empty lines
 $_ = <$fh> while defined($_) && $_ =~ /^\s*$/;
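Review bot: Replacing `s/\s*\n$//` with the new `chomp;` at the top of the read loop is the security-relevant part of this file's change — trailing control characters such as a form feed now survive on the line so that the armor-line checks further down can refuse them — but nothing on the new line says why only the newline is removed, which invites a future "simplification" back to the old regex. Suggest a comment above it: `# Strip only the newline: other trailing whitespace is handled explicitly below, so that armor lines are matched the way the OpenPGP tooling sees them.`. The trailing-whitespace stripping for ordinary field values moves to the new `$value =~ s/\s*$//;` and `$line =~ s/\s*$//;` lines in the second and third hunks, which keeps the previous behaviour for field content. The enclosing parse method starts before this hunk.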
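Review bot: The armor tail `[\r\t ]*$` that first appears in the new `m/^-----BEGIN PGP SIGNED MESSAGE-----[\r\t ]*$/` of the third hunk is repeated verbatim in the fourth hunk and twice more in the next hunk of this file, with no note on why it is `[\r\t ]` rather than `\s`; that distinction (space, tab and CR tolerated, form feed and vertical tab not) is the whole point of the fix. Consider one precompiled pattern near the top of the parser, `my $armor_ws = qr/[\r\t ]*$/;` with the comment `# trailing whitespace tolerated on an OpenPGP armor line, deliberately narrower than \s`, and `m/^-----BEGIN PGP SIGNED MESSAGE-----$armor_ws/` at the four sites. A future change to the accepted set then becomes a one-line edit instead of four.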
@@ -231,15 +235,15 @@
 $self->parse_error($desc, _g('expected PGP signature, ' . 'found EOF after blank line'));
 }
- s/\s*\n$//;
- unless (m/^-----BEGIN PGP SIGNATURE-----$/) {
+ chomp;
+ unless (m/^-----BEGIN PGP SIGNATURE-----[\r\t ]*$/) {
 $self->parse_error($desc, _g('expected PGP signature, ' . "found something else \`%s'"), $_);
 }
 # Skip PGP signature
 while (<$fh>) {
- s/\s*\n$//;
- last if m/^-----END PGP SIGNATURE-----$/;
+ chomp;
+ last if m/^-----END PGP SIGNATURE-----[\r\t ]*$/;
 }
 unless (defined($_)) {
 $self->parse_error($desc, _g('unfinished PGP signature'));
diff -Nru dpkg-1.17.5ubuntu5/scripts/Dpkg/Source/Patch.pm dpkg-1.17.5ubuntu5.6/scripts/Dpkg/Source/Patch.pm
--- dpkg-1.17.5ubuntu5/scripts/Dpkg/Source/Patch.pm 2013-12-10 06:15:02.000000000 +0000
+++ dpkg-1.17.5ubuntu5.6/scripts/Dpkg/Source/Patch.pm 2014-06-09 16:34:53.000000000 +0000
@@ -330,17 +330,6 @@
 return $line;
 }
-# Strip timestamp
-sub _strip_ts {
- my $header = shift;
-
- # Tab is the official separator, it's always used when
- # filename contain spaces. Try it first, otherwise strip on space
- # if there's no tab
- $header =~ s/\s.*// unless ($header =~ s/\t.*//);
- return $header;
-}
-
 sub _intuit_file_patched {
 my ($old, $new) = @_;
@@ -375,6 +364,26 @@
 return $old;
 }
+# Fetch the header filename ignoring the optional timestamp
+sub _fetch_filename {
+ my ($diff, $header) = @_;
+
+ # Strip any leading spaces.
+ $header =~ s/^\s+//;
+
+ # Is it a C-style string?
+ if ($header =~ m/^"/) {
+ error(_g('diff %s patches file with C-style encoded filename'), $diff);
+ } else {
+ # Tab is the official separator, it's always used when
+ # filename contain spaces. Try it first, otherwise strip on space
+ # if there's no tab
+ $header =~ s/\s.*// unless $header =~ s/\t.*//;
+ }
+
+ return $header;
+}
+
 # check diff for sanity, find directories to create as a side effect
 sub analyze {
 my ($self, $destdir, %opts) = @_;
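Review bot: In the new `_fetch_filename`, the `if ($header =~ m/^"/)` branch calls `error(...)` and then falls through to `return $header`, which only reads correctly if `error` never returns; that is presumably the case (dpkg's error() is fatal) but nothing in the sub says so, and the comment `# Is it a C-style string?` describes the test rather than the decision taken. Suggest replacing that comment with `# Reject C-style quoted names outright rather than decoding them: the escapes can hide path components the checks in analyze() never see, and error() does not return.`. The `s/\s.*//` fallback still truncates an unquoted name at its first space when no tab separator is present, behaviour inherited from _strip_ts that the header comment could state so callers are not surprised by a shortened path.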
@@ -394,7 +403,7 @@
 my (%path, %fn);
 # skip comments leading up to patch (if any)
 while (1) {
- if (/^--- /) {
+ if (/^(?:--- |\+\+\+ |@@ -)/) {
 last;
 } else {
 $patch_header .= "$_\n";
@@ -406,7 +415,7 @@
 unless(s/^--- //) {
 error(_g("expected ^--- in line %d of diff `%s'"), $., $diff);
 }
- $path{old} = $_ = _strip_ts($_);
+ $path{old} = $_ = _fetch_filename($diff, $_);
 $fn{old} = $_ if $_ ne '/dev/null' and s{^[^/]*/+}{$destdir/};
 if (/\.dpkg-orig$/) {
 error(_g("diff `%s' patches file with name ending .dpkg-orig"), $diff);
@@ -418,7 +427,7 @@
 unless (s/^\+\+\+ //) {
 error(_g("line after --- isn't as expected in diff `%s' (line %d)"), $diff, $.);
 }
- $path{new} = $_ = _strip_ts($_);
+ $path{new} = $_ = _fetch_filename($diff, $_);
 $fn{new} = $_ if $_ ne '/dev/null' and s{^[^/]*/+}{$destdir/};
 unless (defined $fn{old} or defined $fn{new}) {
diff -Nru dpkg-1.17.5ubuntu5/scripts/dpkg-maintscript-helper.sh dpkg-1.17.5ubuntu5.6/scripts/dpkg-maintscript-helper.sh
--- dpkg-1.17.5ubuntu5/scripts/dpkg-maintscript-helper.sh 2013-12-12 07:00:28.000000000 +0000
+++ dpkg-1.17.5ubuntu5.6/scripts/dpkg-maintscript-helper.sh 2016-04-25 18:47:45.000000000 +0000
@@ -396,9 +396,9 @@
 package="$1"
 file="$2"
 if ! dpkg-query -L "$package" | grep -q -x "$file"; then
- return 1
+ exit 1
 fi
- return 0
+ exit 0
 ' check-files-ownership "$PACKAGE" || \
 error "directory '$PATHNAME' contains files not owned by" \
 "package $PACKAGE, cannot switch to symlink"
diff -Nru dpkg-1.17.5ubuntu5/scripts/Makefile.am dpkg-1.17.5ubuntu5.6/scripts/Makefile.am
--- dpkg-1.17.5ubuntu5/scripts/Makefile.am 2013-12-09 14:11:20.000000000 +0000
+++ dpkg-1.17.5ubuntu5.6/scripts/Makefile.am 2015-04-09 12:43:19.000000000 +0000
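Review bot: The new header-skipping condition `/^(?:--- |\+\+\+ |@@ -)/` stops the comment loop at a `+++` or `@@` line, which then reaches `unless(s/^--- //)` in the next hunk and is rejected with the "expected ^---" error; that is the right outcome, but it reads as accidental because the `# skip comments leading up to patch (if any)` comment above the loop still only anticipates `---`. Suggest extending that comment: `# a +++ or @@ line seen before any --- means a malformed or truncated header; stop here so the check below rejects it instead of swallowing it as a comment`. analyze() continues past the end of this hunk.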
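Review bot: The new `exit 1` / `exit 0` make this `sh -c` body's status meaningful, but that status depends on `grep -q -x "$file"` on the line above, which interprets the filename as a basic regular expression: a path containing `.` or `[` can match a different owned path, and a name beginning with `-` is parsed as an option, so the ownership check can be wrong in both directions. `grep -q -x -F -e "$file"` keeps the comparison literal. Separately, the changelog entry describes this change as `s/exit/return/`, the reverse of what the hunk does, and a comment such as `# this runs as an sh -c script, not a function: exit, not return, sets the per-file status` would explain why `return` was wrong. The command that invokes this script body starts outside the hunk.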
@@ -236,6 +236,7 @@
 t/700_Dpkg_Control/control-1 \
 t/700_Dpkg_Control/bogus-unsigned.dsc \
 t/700_Dpkg_Control/bogus-armor-double.dsc \
+ t/700_Dpkg_Control/bogus-armor-formfeed.dsc \
 t/700_Dpkg_Control/bogus-armor-no-sig.dsc \
 t/700_Dpkg_Control/bogus-armor-trail.dsc \
 t/700_Dpkg_Control/bogus-armor-inline.dsc \
diff -Nru dpkg-1.17.5ubuntu5/scripts/Makefile.in dpkg-1.17.5ubuntu5.6/scripts/Makefile.in
--- dpkg-1.17.5ubuntu5/scripts/Makefile.in 2013-12-12 07:46:32.000000000 +0000
+++ dpkg-1.17.5ubuntu5.6/scripts/Makefile.in 2015-04-09 13:14:03.000000000 +0000
@@ -555,6 +555,7 @@
 t/700_Dpkg_Control/control-1 \
 t/700_Dpkg_Control/bogus-unsigned.dsc \
 t/700_Dpkg_Control/bogus-armor-double.dsc \
+ t/700_Dpkg_Control/bogus-armor-formfeed.dsc \
 t/700_Dpkg_Control/bogus-armor-no-sig.dsc \
 t/700_Dpkg_Control/bogus-armor-trail.dsc \
 t/700_Dpkg_Control/bogus-armor-inline.dsc \
diff -Nru dpkg-1.17.5ubuntu5/scripts/t/700_Dpkg_Control/bogus-armor-formfeed.dsc dpkg-1.17.5ubuntu5.6/scripts/t/700_Dpkg_Control/bogus-armor-formfeed.dsc
--- dpkg-1.17.5ubuntu5/scripts/t/700_Dpkg_Control/bogus-armor-formfeed.dsc 1970-01-01 00:00:00.000000000 +0000
+++ dpkg-1.17.5ubuntu5.6/scripts/t/700_Dpkg_Control/bogus-armor-formfeed.dsc 2015-04-09 12:42:24.000000000 +0000
@@ -0,0 +1,19 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+
+Source: fail
+
+-----BEGIN PGP SIGNATURE-----
+Version: vim v7.3.547 (GNU/Linux)
+
+Fake signature here.
+-----END PGP SIGNATURE-----
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+Source: pass
+
+-----BEGIN PGP SIGNATURE
+Version: GnuPG v1.4.12 (GNU/Linux)
+
+Valid signature here.
+-----END PGP SIGNATURE-----
diff -Nru dpkg-1.17.5ubuntu5/scripts/t/700_Dpkg_Control.t dpkg-1.17.5ubuntu5.6/scripts/t/700_Dpkg_Control.t
--- dpkg-1.17.5ubuntu5/scripts/t/700_Dpkg_Control.t 2013-12-10 06:14:22.000000000 +0000
+++ dpkg-1.17.5ubuntu5.6/scripts/t/700_Dpkg_Control.t 2015-04-09 12:43:28.000000000 +0000
@@ -16,7 +16,7 @@ use strict; use warnings; -use Test::More tests => 22; +use Test::More tests => 23; use IO::String; BEGIN { @@ -118,6 +118,9 @@ $dsc = parse_dsc("$datadir/bogus-armor-inline.dsc"); is($dsc, undef, 'Signed .dsc w/ bogus OpenPGP inline armor'); +$dsc = parse_dsc("$datadir/bogus-armor-formfeed.dsc"); +is($dsc, undef, 'Signed .dsc w/ bogus OpenPGP armor line'); + $dsc = parse_dsc("$datadir/bogus-armor-double.dsc"); ok(defined $dsc, 'Signed .dsc w/ two OpenPGP armor signatures'); is($dsc->{Source}, 'pass', 'Signed spaced .dsc package name');
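Review bot: The new `is($dsc, undef, 'Signed .dsc w/ bogus OpenPGP armor line');` only checks that parsing failed, not why; if parse_dsc() (defined outside the hunk) folds every error into undef, an unrelated failure such as a missing fixture would also pass, and the regression this fixture exists for — the armor line with trailing non-whitespace control characters — would not actually be pinned. Capturing the parse error and matching it with `like` against the "expected PGP signature" message would make the test specific to the fixed behaviour. The `tests => 23` bump in the first hunk is consistent with the one added assertion.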