Bugzilla – Bug 926749
VUL-1: CVE-2015-0840: dpkg: source package integrity verification bypass
Last modified: 2020-09-15 19:01:13 UTC
https://www.debian.org/security/2015/dsa-3217

Jann Horn discovered that the source package integrity verification in dpkg-source can be bypassed via a specially crafted Debian source control file (.dsc). Note that this flaw only affects extraction of local Debian source packages via dpkg-source but not the installation of packages from the Debian archive.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0840
http://www.debian.org/security/2015/dsa-3217
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-0840.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0840
Created attachment 630684: upstream patch on 1.17.x extracted from git commit b4ccfe4982161b8beb44f1d0c98f791c4f238edd

Author: Guillem Jover <guillem@debian.org>
Date: Thu Mar 19 22:51:46 2015 +0100

Dpkg::Control::HashCore: Fix OpenPGP Armor Header Line parsing

We should only accept [\r\t ] as trailing whitespace. Although RFC4880 does not clarify what whitespace really maps to, we should really match the GnuPG implementation anyway, as that is what we use to verify the signatures.

Fixes: CVE-2015-0840
Reported-by: Jann Horn <jann@thejh.net>
Created attachment 630685: upstream patch on 1.16.x extracted from git commit c49d104601b673c11c981dc9b6d8247e6da64edd

Author: Guillem Jover <guillem@debian.org>
Date: Thu Mar 19 22:51:46 2015 +0100

Dpkg::Control::HashCore: Fix OpenPGP Armor Header Line parsing

We should only accept [\r\t ] as trailing whitespace. Although RFC4880 does not clarify what whitespace really maps to, we should really match the GnuPG implementation anyway, as that is what we use to verify the signatures.

Fixes: CVE-2015-0840
Reported-by: Jann Horn <jann@thejh.net>
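The commit messages above describe the fix as narrowing the trailing whitespace accepted on an OpenPGP armor header line to [\r\t ], so that dpkg's view of where the signed region begins and ends agrees with GnuPG's. The following added example (written for this page, not dpkg's own Perl code from Dpkg::Control::HashCore) shows the difference in Python: a regex ending in \s* also accepts form feed, vertical tab and Unicode spaces after the armor label, whereas the strict class does not. It includes a clearsigned-document splitter that uses the strict rule and a checker that reports lines on which a lax and a strict parser would disagree, which is the condition a defender wants to flag. The sample document and its signature lines are constructed placeholders, not a real signature.

```python
import re
from typing import List, Optional, Tuple

# Trailing-whitespace classes for an armor header/tail line.
# Strict: only [\r\t ] may follow the label (the rule described in the fix above).
# Lax: \s also matches \f, \v and, for str patterns in Python, Unicode whitespace.
ARMOR_TAIL_STRICT = r"[\r\t ]*$"
ARMOR_TAIL_LAX = r"\s*$"

BEGIN_SIGNED = "BEGIN PGP SIGNED MESSAGE"
BEGIN_SIG = "BEGIN PGP SIGNATURE"
END_SIG = "END PGP SIGNATURE"


def armor_re(label: str, strict: bool = True):
    """Regex for one armor line such as '-----BEGIN PGP SIGNED MESSAGE-----'."""
    tail = ARMOR_TAIL_STRICT if strict else ARMOR_TAIL_LAX
    return re.compile(r"^-----" + re.escape(label) + r"-----" + tail)


def is_armor_line(line: str, label: str, strict: bool = True) -> bool:
    """True if `line` is the armor line for `label` under the chosen whitespace rule."""
    return armor_re(label, strict).match(line) is not None


def split_clearsigned(text: str) -> Optional[Tuple[List[str], List[str]]]:
    """Split a clearsigned document into (cleartext lines, signature block lines)
    using the strict rule. Returns None when the armor framing is not well formed,
    so a caller can treat the input as unsigned rather than guess."""
    lines = text.split("\n")
    n = len(lines)
    i = 0
    while i < n and not is_armor_line(lines[i], BEGIN_SIGNED):
        i += 1
    if i == n:
        return None
    i += 1
    # Armor headers (e.g. 'Hash: SHA256') run up to the first empty line.
    while i < n and lines[i].rstrip("\r") != "":
        i += 1
    if i == n:
        return None
    i += 1
    cleartext: List[str] = []
    while i < n and not is_armor_line(lines[i], BEGIN_SIG):
        cleartext.append(lines[i])
        i += 1
    if i == n:
        return None
    signature = [lines[i]]
    i += 1
    while i < n and not is_armor_line(lines[i], END_SIG):
        signature.append(lines[i])
        i += 1
    if i == n:
        return None
    signature.append(lines[i])
    return cleartext, signature


def lax_only_armor_lines(text: str) -> List[int]:
    """1-based numbers of lines a lax (\\s*) parser treats as armor framing but the
    strict rule rejects. A non-empty result means two parsers would disagree about
    the extent of the signed region, which is worth rejecting or alerting on."""
    hits: List[int] = []
    for no, line in enumerate(text.split("\n"), start=1):
        for label in (BEGIN_SIGNED, BEGIN_SIG, END_SIG):
            if is_armor_line(line, label, strict=False) and not is_armor_line(line, label):
                hits.append(no)
                break
    return hits


# Constructed sample: a .dsc-like clearsigned document with placeholder signature data.
SAMPLE = "\n".join([
    "-----BEGIN PGP SIGNED MESSAGE-----",
    "Hash: SHA256",
    "",
    "Format: 3.0 (quilt)",
    "Source: example",
    "Files:",
    " 0123456789abcdef0123456789abcdef 1234 example_1.0.orig.tar.gz",
    "-----BEGIN PGP SIGNATURE-----",
    "",
    "PLACEHOLDERSIGNATUREDATA",
    "=abcd",
    "-----END PGP SIGNATURE-----",
    "",
])

if __name__ == "__main__":
    parts = split_clearsigned(SAMPLE)
    print("cleartext lines:", parts[0] if parts else None)
    print("lax-only armor lines in sample:", lax_only_armor_lines(SAMPLE))
    odd = "-----BEGIN PGP SIGNED MESSAGE-----\x0c"
    print("form feed accepted by lax:", is_armor_line(odd, BEGIN_SIGNED, strict=False),
          "by strict:", is_armor_line(odd, BEGIN_SIGNED))
```

The design point is that the parser which decides what the signed payload is must accept exactly the framing the verifier (GnuPG) accepts; any looser acceptance creates two different readings of the same file, and `lax_only_armor_lines` is a cheap way to detect inputs on which those readings would diverge.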
bugbot adjusting priority
openSUSE: Fixed all versions now. SLE: only SLE12 is affected; in older releases we provide just update-alternatives, so there is no dpkg around.
This is an autogenerated message for OBS integration: This bug (926749) was mentioned in
https://build.opensuse.org/request/show/310287 Factory / dpkg
https://build.opensuse.org/request/show/310292 13.2+13.1 / update-alternatives+dpkg
This is an autogenerated message for OBS integration: This bug (926749) was mentioned in https://build.opensuse.org/request/show/310428 Factory / dpkg
This is an autogenerated message for OBS integration: This bug (926749) was mentioned in https://build.opensuse.org/request/show/310535 Factory / dpkg
openSUSE-SU-2015:1058-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 926749
CVE References: CVE-2015-0840
Sources used:
openSUSE 13.2 (src): dpkg-1.16.16-8.3.1, update-alternatives-1.16.16-8.3.1
openSUSE 13.1 (src): dpkg-1.16.16-3.3.1, update-alternatives-1.16.16-3.3.1
fixed