Received: from mail.netbsd.org (mail.NetBSD.org [199.233.217.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK)) by mollari.NetBSD.org (Postfix) with ESMTPS id 7A3D87ACD9 for ; Wed, 30 Dec 2015 15:13:56 +0000 (UTC) Received: by mail.netbsd.org (Postfix, from userid 605) id DB15D85F5E; Wed, 30 Dec 2015 15:13:42 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 5A8BD85F15 for ; Wed, 30 Dec 2015 15:13:41 +0000 (UTC) X-Virus-Scanned: amavisd-new at netbsd.org Received: from mail.netbsd.org ([IPv6:::1]) by localhost (mail.netbsd.org [IPv6:::1]) (amavisd-new, port 10025) with ESMTP id ol9kJhIZMFCa for ; Wed, 30 Dec 2015 15:13:40 +0000 (UTC) Received: from cvs.NetBSD.org (cvs.NetBSD.org [199.233.217.197]) by mail.netbsd.org (Postfix) with ESMTP id 57F8585EB4 for ; Wed, 30 Dec 2015 15:13:40 +0000 (UTC) Received: by cvs.NetBSD.org (Postfix, from userid 500) id AB9C8FC71; Wed, 30 Dec 2015 12:47:57 +0000 (UTC) Content-Disposition: inline Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="UTF-8" MIME-Version: 1.0 Date: Wed, 30 Dec 2015 12:47:57 +0000 From: "Benny Siegert" Subject: CVS commit: pkgsrc/misc/dpkg To: pkgsrc-changes@NetBSD.org Reply-To: bsiegert@netbsd.org X-Mailer: log_accum Message-Id: <20151230124757.AB9C8FC71@cvs.NetBSD.org> Sender: pkgsrc-changes-owner@NetBSD.org List-Id: pkgsrc-changes.NetBSD.org Precedence: bulk Module Name: pkgsrc Committed By: bsiegert Date: Wed Dec 30 12:47:57 UTC 2015 Modified Files: pkgsrc/misc/dpkg: Makefile PLIST distinfo Log Message: Update dpkg to 1.16.17. This fixes several security issues. dpkg (1.16.17) wheezy-security; urgency=high [ Guillem Jover ] * Fix an off-by-one write access in dpkg-deb when parsing the .deb magic. Reported by Jacek Wielemborek . Closes: #798324 * Fix an off-by-one write access in dpkg-deb when parsing the old format .deb control member size. Thanks to Hanno Böck . Fixes CVE-2015-0860. * Fix an off-by-one read access in dpkg-deb when parsing ar member names. Thanks to Hanno Böck . [ Updated programs translations ] * Catalan (Jordi Mallach). [ Updated man page translations ] * Fix incorrect translation in German (Helge Kreutzmann) -- Guillem Jover Wed, 25 Nov 2015 22:34:58 +0100 dpkg (1.16.16) wheezy-security; urgency=high [ Guillem Jover ] * Do not leak long tar names on bogus or truncated archives. * Do not leak the filepackages iterator when a directory is used by other packages. * Do not leak color string on «dselect --color». * Fix memory leaks when parsing alternatives. * Fix memory leaks in buffer_copy() on error conditions. * Fix possible out of bounds buffer read access in the error output on bogus ar member sizes. * Fix file triggers/Unincorp descriptor leak on subprocesses. Regression introduced with the initial triggers implementation in dpkg 1.14.17. Closes: #751021 * Fix a descriptor leak on dselect subprocesses when --debug is used. * Do not run qsort() over the scandir() list in libcompat if it is NULL. * Fix off-by-one stack buffer overrun in start-stop-daemon on GNU/Linux and GNU/kFreeBSD if the executable pathname is longer than _POSIX_PATH_MAX. Although this should not have security implications as the buffer is surrounded by two arrays (so those catch accesses even if the stack grows up or down), and we are compiling with -fstack-protector anyway. * Add a workaround to start-stop-daemon for bogus OpenVZ Linux kernels that prepend, instead of appending, the " (deleted)" marker in /proc/PID/exe. Closes: #731530 * Fix off-by-one error in libdpkg command argv size calculation. Based on a patch by Bálint Réczey . Closes: #760690 * Escape package and architecture names on control file parsing warning, as those get injected into a variable that is used as a format string, and they come from the package fields, which are under user control. Regression introduced in dpkg 1.16.0. Fixes CVE-2014-8625. Closes: #768485 Reported by Joshua Rogers . * Do not match partial field names in control files. Closes: #769119 Regression introduced in dpkg 1.10. * Fix out-of-bounds buffer read accesses when parsing field and trigger names or checking package ownership of conffiles and directories. Reported by Joshua Rogers . * Add powerpcel support to cputable. Thanks to Jae Junh . * Fix OpenPGP Armor Header Line parsing in Dpkg::Control::Hash. We should only accept [\r\t ] as trailing whitespace, although RFC4880 does not clarify what whitespace really maps to, we should really match the GnuPG implementation anyway, as that's what we use to verify the signatures. Reported by Jann Horn . Fixes CVE-2015-0840. [ Raphaël Hertzog ] * Drop myself from Uploaders. [ Updated scripts translations ] * Fix typos in German (Helge Kreutzmann) * Swedish (Peter Krefting). [ Updated man page translations ] * Fix typos in German (Helge Kreutzmann) * Swedish (Peter Krefting). -- Guillem Jover Thu, 09 Apr 2015 08:45:47 +0200 dpkg (1.16.15) wheezy-security; urgency=high [ Guillem Jover ] * Test suite: - Add test cases for Dpkg::Source::Patch CVE-2014-0471 and CVE-2014-3127. - Add test case for patch disabling hunks; not security sensitive. * Correctly parse patch headers in Dpkg::Source::Patch, to avoid directory traversal attempts from hostile source packages when unpacking them. Reported by Javier Serrano Polo as an unspecified directory traversal; meanwhile also independently found by me both #749183 and what was supposed to be #746498, which was later on published and ended up being just a subset of the other non-reported issue. Fixes CVE-2014-3864 and CVE-2014-3865. Closes: #746498, #749183 [ Updated programs translations ] * Merge translated strings from master. [ Updated scripts translations ] * German (Helge Kreutzmann). [ Updated man page translations ] * Merge translated strings from master. * Unfuzzy or update trivial translations (Guillem Jover). -- Guillem Jover Thu, 05 Jun 2014 22:24:36 +0200 dpkg (1.16.14) wheezy-security; urgency=high [ Guillem Jover ] * Do not allow patch files with C-style encoded filenames. Closes: #746306 Fixes CVE-2014-3127 and unconditionally fixes CVE-2014-0471. Reported by Javier Serrano Polo . [ Updated scripts translations ] * German (Helge Kreutzmann). [ Updated man page translations ] * German (Helge Kreutzmann). -- Guillem Jover Wed, 30 Apr 2014 08:14:16 +0200 dpkg (1.16.13) wheezy-security; urgency=high [ Guillem Jover ] * Do not NULL-terminate the list in the compat scandir(), as this might cause a segfault in case the function returns 0 entries. * Do not generate perl warnings on undef versions in Dpkg::Deps::deps_compare(). See: #737731 * Do not overwrite triplet mappings with latter matches in Dpkg::Arch. Required for the new mipsn32(el) and mips64(el) architecture entries. * Add support for mipsn32(el) and mips64(el) to arch tables. Thanks to YunQiang Su . Closes: #685096, #707323 * Add ppc64el support to cputable. Closes: #718945 Thanks to Jeff Bailey . * Add OpenRISC or1k support to cputable. Thanks to Christian Svensson . Closes: #736717 * Clarify that dpkg --set-selections needs an up-to-date available db, by documenting it on the dpkg(1) man page, and warning whenever dpkg finds unknown packages while setting the selections. Closes: #703092 * Improve documentation on how to update the available database before setting package selections. Suggested by Klaus Ita . * Recognize «start-stop-daemon -C» as documented. Closes: #719746 Reported by Brian S. Julin . * Correctly parse C-style diff filenames in Dpkg::Source::Patch, to avoid directory traversal attempts from hostile source packages when unpacking them. Reported by Jakub Wilk . Fixes CVE-2014-0471. [ Updated scripts translations ] * Fix a typo in the German scripts translation. [ Updated man page translations ] * Fix and unify translation in German man pages. -- Guillem Jover Fri, 25 Apr 2014 04:38:33 +0200 dpkg (1.16.12) stable; urgency=low * Fix value caching in Dpkg::Arch by not shadowing the variables. Closes: #724949 -- Guillem Jover Mon, 30 Sep 2013 16:52:37 +0200 dpkg (1.16.11) stable; urgency=low [ Raphaël Hertzog ] * Fix usage of non-existent _() function in multiple places of the Perl code. Thanks to Lincoln Myers for the patch. Closes: #708607 [ Guillem Jover ] * Fix chmod() arguments order in Dpkg::Source::Quilt. Closes: #710265 Thanks to Pablo Oliveira . * Only ignore older packages if the existing version is informative. This allows any program using libdpkg to parse the available file to see again packages with versions lesser than 0-0 (like 0~0-0). Closes: #676664 * Fix use after free in dpkg_arch_load_list() on libdpkg. Reported by Pedro Ribeiro . [ Updated programs translations ] * Vietnamese (Trần Ngọc Quân). Closes: #715334 [ Added man page translations ] * Italian (Beatrice Torracca). Closes: #711647 [ Updated man page translations ] * Japanese (TAKAHASHI Motonobu). Closes: #704240 -- Guillem Jover Mon, 23 Sep 2013 16:51:18 +0200 To generate a diff of this commit: cvs rdiff -u -r1.33 -r1.34 pkgsrc/misc/dpkg/Makefile cvs rdiff -u -r1.8 -r1.9 pkgsrc/misc/dpkg/PLIST pkgsrc/misc/dpkg/distinfo Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.