Arbitrary diff application hole in upload processor

This one just prepends a couple of lines to /tmp/i-append-to-you.

Also note that one can upload PPA packages to cocoplum, so anybody can exploit it there too, not just on germanium.

I've raised this with Raphaël Hertzog (upstream dpkg-dev maintainer) on IRC; awaiting a response.

Soyuz will wait for a fix in dpkg.

Here's a preliminary patch that I consider using. Before uploading this I want to check it doesn't cause too many regressions in lenny and sid.

An updated patch also fixing a similar issue this time related to insecure paths in the series file for 3.0 (quilt) source packages. This patch should also apply on version 1.15 (except for changelog stuff).

Thanks! I'm running out of steam for today, but will look at this ASAP ...

Bleh, in my hurry I missed the obvious, the perl regex must be m{/\.\./} and not m{/../}. So the third and hopefully final variant of the patch is attached.

The DSA is forthcoming, it will be public either tomorrow or wednesday.

Thanks, I've looked this over and it looks sane to me. I've asked LaMont to apply it to our production instances.

CVE-2010-0396

This bug was fixed in the package dpkg - 1.15.5.6ubuntu2

---------------
dpkg (1.15.5.6ubuntu2) lucid; urgency=high

  * Backport from upstream:
    - Use FIEMAP when available (on Linux based systems) to sort the .list
      files loading order. With a cold cache it improves up to a 70%.
      Thanks to Morten Hustveit <email address hidden>. LP: #442114
    - Call fsync(2) after writing files on disk, to get the atomicity
      guarantees when doing rename(2). Based on a patch by Jean-Baptiste
      Lallement <email address hidden>.
      Closes: #430958, LP: #512096
  * Security fixes by Raphaël Hertzog, also backported from upstream
    (CVE-2010-0396):
    - Modify dpkg-source to error out when it would apply patches containing
      insecure paths (with "/../") and also error out when it would apply a
      patch through a symlink. Those checks are required as patch will
      happily modify files outside of the target directory and unpacking a
      source package should not be able to have any side-effect outside of
      the target directory. LP: #532445
    - Also error out when the quilt series contains a path with "/../" as
      this can cause patch to create files outside of the source package due
      to the -B .pc/$path option that it gets.
 -- Colin Watson <email address hidden> Thu, 11 Mar 2010 00:34:28 +0000

http://www.ubuntu.com/usn/USN-909-1