Date: Sun, 25 May 2014 11:31:51 +0200 From: Raphael Geissert <geissert@...ian.org> To: Open Source Security <oss-security@...ts.openwall.com> Cc: guillem@...ian.org Subject: CVE request: another path traversal in dpkg-source during unpack Hi, Another path traversal was discovered in dpkg-source, related to the unpacking of source packages with specially-crafted patches. While waiting for the original reporter's PoC/more information, Guillem Jover (dpkg maintainer) independently re-discovered the issue, and a second one. This second issue has now been publicly reported as  to ease the assignment of CVE id(s) given the combination of private and not-very- specific public information. Both issues are independent of the version of the patch tool. While figuring out whether one or two ids should be requested (at least from our POV), it appears that we can say that  is a superset of  - this is based on the minimal fixes needed to fix either vulnerability: the fix for  does not fix , but the fix for  does fix . Could a CVE id be assigned please? CC'ing Guillem for any complimentary information. Thanks in advance.  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746498  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749183 Cheers, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ