Bug 926749 - (CVE-2015-0840) VUL-1: CVE-2015-0840: dpkg: source package integrity verification bypass
(CVE-2015-0840)
VUL-1: CVE-2015-0840: dpkg: source package integrity verification bypass
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Minor
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/115653/
CVSSv2:RedHat:CVE-2015-0840:4.3:(AV:N...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-04-10 12:01 UTC by Andreas Stieger
Modified: 2020-09-15 19:01 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
upstream patch on 1.17.x extracted from git (5.69 KB, patch)
2015-04-10 12:18 UTC, Andreas Stieger
Details | Diff
upstream patch on 1.16.x extracted from git (6.17 KB, patch)
2015-04-10 12:19 UTC, Andreas Stieger
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2015-04-10 12:01:40 UTC
https://www.debian.org/security/2015/dsa-3217

Jann Horn discovered that the source package integrity verification in dpkg-source can be bypassed via a specially crafted Debian source control file (.dsc). Note that this flaw only affects extraction of local Debian source packages via dpkg-source but not the installation of packages from the Debian archive.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0840
http://www.debian.org/security/2015/dsa-3217
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-0840.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0840
Comment 1 Andreas Stieger 2015-04-10 12:18:37 UTC
Created attachment 630684 [details]
upstream patch on 1.17.x extracted from git

commit b4ccfe4982161b8beb44f1d0c98f791c4f238edd
Author: Guillem Jover <guillem@debian.org>
Date:   Thu Mar 19 22:51:46 2015 +0100

    Dpkg::Control::HashCore: Fix OpenPGP Armor Header Line parsing
    
    We should only accept [\r\t ] as trailing whitespace, although RFC4880
    does not clarify what whitespace really maps to, we should really match
    the GnuPG implementation anyway, as that is what we use to verify the
    signatures.
    
    Fixes: CVE-2015-0840
    Reported-by: Jann Horn <jann@thejh.net>
Comment 2 Andreas Stieger 2015-04-10 12:19:44 UTC
Created attachment 630685 [details]
upstream patch on 1.16.x extracted from git

commit c49d104601b673c11c981dc9b6d8247e6da64edd
Author: Guillem Jover <guillem@debian.org>
Date:   Thu Mar 19 22:51:46 2015 +0100

    Dpkg::Control::HashCore: Fix OpenPGP Armor Header Line parsing
    
    We should only accept [\r\t ] as trailing whitespace, although RFC4880
    does not clarify what whitespace really maps to, we should really match
    the GnuPG implementation anyway, as that is what we use to verify the
    signatures.
    
    Fixes: CVE-2015-0840
    Reported-by: Jann Horn <jann@thejh.net>
Comment 3 Swamp Workflow Management 2015-04-10 22:00:23 UTC
bugbot adjusting priority
Comment 4 Tomáš Chvátal 2015-06-04 11:33:15 UTC
openSUSE: Fixed all versions now.

SLE: only SLE12 affected, in older we provide just update-alternatives, so no dpkg around.
Comment 7 Bernhard Wiedemann 2015-06-04 12:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (926749) was mentioned in
https://build.opensuse.org/request/show/310287 Factory / dpkg
https://build.opensuse.org/request/show/310292 13.2+13.1 / update-alternatives+dpkg
Comment 8 Bernhard Wiedemann 2015-06-05 08:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (926749) was mentioned in
https://build.opensuse.org/request/show/310428 Factory / dpkg
Comment 9 Bernhard Wiedemann 2015-06-05 14:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (926749) was mentioned in
https://build.opensuse.org/request/show/310535 Factory / dpkg
Comment 10 Swamp Workflow Management 2015-06-12 19:05:49 UTC
openSUSE-SU-2015:1058-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 926749
CVE References: CVE-2015-0840
Sources used:
openSUSE 13.2 (src):    dpkg-1.16.16-8.3.1, update-alternatives-1.16.16-8.3.1
openSUSE 13.1 (src):    dpkg-1.16.16-3.3.1, update-alternatives-1.16.16-3.3.1
Comment 17 Johannes Segitz 2017-08-04 12:14:46 UTC
fixed