[OE-core] [PATCH 0/2] Dpkg: fixing CVE-2014-0471
wenzong.fan at windriver.com
wenzong.fan at windriver.com
Mon Jun 16 05:20:34 UTC 2014
From: Wenzong Fan <wenzong.fan at windriver.com>
Directory traversal vulnerability in the unpacking functionality in dpkg before 1.15.9, 1.16.x before 1.16.13, and 1.17.x before 1.17.8 allows remote attackers to write arbitrary files via a crafted source package, related to "C-style filename quoting."
The following changes since commit 8e0c54cd0e82ffe120f84f495101cd29e6fd06bf:
bitbake: bb/utils: fix contains_any() (2014-06-12 17:47:59 +0100)
are available in the git repository at:
git://git.pokylinux.org/poky-contrib wenzong/dpkg
http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=wenzong/dpkg
Guillem Jover (2):
Dpkg::Source::Patch: Correctly parse C-style diff filenames
Dpkg::Source::Patch: Outright reject C-style filenames in patches
.../dpkg-1.17.4-CVE-2014-0471-CVE-2014-3127.patch | 49 ++++++++++++
.../dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471.patch | 83 ++++++++++++++++++++
meta/recipes-devtools/dpkg/dpkg_1.17.4.bb | 2 +
3 files changed, 134 insertions(+)
create mode 100644 meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471-CVE-2014-3127.patch
create mode 100644 meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471.patch
--
1.7.9.5
More information about the Openembedded-core
mailing list