News for package dpkg

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 3.0 (native)
Source: dpkg
Binary: libdpkg-dev, dpkg, dpkg-dev, libdpkg-perl, dselect
Architecture: any all
Version: 1.16.16
Origin: debian
Maintainer: Dpkg Developers <[email protected]>
Uploaders: Guillem Jover <[email protected]>
Homepage: http://wiki.debian.org/Teams/Dpkg
Standards-Version: 3.9.3
Vcs-Browser: http://git.debian.org/?p=dpkg/dpkg.git
Vcs-Git: git://git.debian.org/git/dpkg/dpkg.git
Build-Depends: debhelper (>= 7), pkg-config, flex, gettext (>= 0.18), po4a (>= 0.41), zlib1g-dev (>= 1:1.1.3-19.1), libbz2-dev, liblzma-dev, libselinux1-dev (>= 1.28-4) [linux-any], libncursesw5-dev, libtimedate-perl, libio-string-perl
Package-List: 
 dpkg deb admin required
 dpkg-dev deb utils optional
 dselect deb admin optional
 libdpkg-dev deb libdevel optional
 libdpkg-perl deb perl optional
Checksums-Sha1: 
 719559dbcba31624967e244d85f1c16e83ae6462 3804836 dpkg_1.16.16.tar.xz
Checksums-Sha256: 
 d25045e39aeb1a6e99156e1d4b8c7672bf69b54e5f853336982e62c7a04e8ef2 3804836 dpkg_1.16.16.tar.xz
Files: 
 88d0e4c98ecb8afe6dee896a2aa9665d 3804836 dpkg_1.16.16.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJVJiLdAAoJELlyvz6krlejtUoP/Rvkjzn0ztzVVZX99pujvf01
+oPw1XkWe/n4g19j74cI1DtTVlRCVvnwaE6sM28ARNGSmnAcFHSSDoKMyy+CzP8e
/+sMCga/WqCsocVDTlmS8/qxx/8SzOwPQcMeRt03wAH3xQaYRrKMAd73goBDInOM
Jmd13daGInam5FoPE10sdeUCAS2pqJopjmCrW/g3aYBP48dflgeOEyu3G/9YgEub
f4QSy/TXHgPv19UcXKzGRMcFNivE/IKZAVscBbL1ffU/aP2G8AO9Dc1CYkV/89fH
aAr5oAGRN9IiJBqOmOiEHzxZ72d/uleZE+YsXgYSe45lP7d5LJ28Nkn8NMzvdAJ8
71UTltG3bmKTT2RXCDSwrzueQLzOlIq8SoUC3sEYS6DipLS6nRf6t1EtLmtSp2uh
qWYoduSYv+z3SIPlOXCwjbQsspMJOGYf0KVWloDVzqvvgth+sKzul1PlkT4Cu4Cz
lTUw9by2On+lK6x4jMqPn8+IWmXaOPNuz1+zEwkU38MjZ3nPo/Q8KaMis19ckKG1
HUiIhQbyCgz4figQtkVFueCFQ9dihhXmuSaMMEBTudHPfqXo8nEFx2heT/IEsO31
ifTcRdQYPJ/8ek/cV39tjlDaDhv6SYsOgd8WfeU8VMULgm61YvTR3+pyN697mZvs
JVnBX4DHd6kTrkSdHztl
=FjCL
-----END PGP SIGNATURE-----

Changes:
dpkg (1.16.16) wheezy-security; urgency=high

  [ Guillem Jover ]
  * Do not leak long tar names on bogus or truncated archives.
  * Do not leak the filepackages iterator when a directory is used by other
    packages.
  * Do not leak color string on «dselect --color».
  * Fix memory leaks when parsing alternatives.
  * Fix memory leaks in buffer_copy() on error conditions.
  * Fix possible out of bounds buffer read access in the error output on
    bogus ar member sizes.
  * Fix file triggers/Unincorp descriptor leak on subprocesses. Regression
    introduced with the initial triggers implementation in dpkg 1.14.17.
    Closes: #751021
  * Fix a descriptor leak on dselect subprocesses when --debug is used.
  * Do not run qsort() over the scandir() list in libcompat if it is NULL.
  * Fix off-by-one stack buffer overrun in start-stop-daemon on GNU/Linux and
    GNU/kFreeBSD if the executable pathname is longer than _POSIX_PATH_MAX.
    This should not have security implications, as the buffer is surrounded
    by two arrays (so those catch accesses even if the stack grows up or
    down), and we are compiling with -fstack-protector anyway.
  * Add a workaround to start-stop-daemon for bogus OpenVZ Linux kernels that
    prepend, instead of appending, the " (deleted)" marker in /proc/PID/exe.
    Closes: #731530
  * Fix off-by-one error in libdpkg command argv size calculation.
    Based on a patch by Bálint Réczey <[email protected]>. Closes: #760690
  * Escape package and architecture names on control file parsing warning,
    as those get injected into a variable that is used as a format string,
    and they come from the package fields, which are under user control.
    Regression introduced in dpkg 1.16.0. Fixes CVE-2014-8625. Closes: #768485
    Reported by Joshua Rogers <[email protected]>.
  * Do not match partial field names in control files. Closes: #769119
    Regression introduced in dpkg 1.10.
  * Fix out-of-bounds buffer read accesses when parsing field and trigger
    names or checking package ownership of conffiles and directories.
    Reported by Joshua Rogers <[email protected]>.
  * Add powerpcel support to cputable. Thanks to Jae Junh <[email protected]>.
  * Fix OpenPGP Armor Header Line parsing in Dpkg::Control::Hash. We should
    only accept [\r\t ] as trailing whitespace; although RFC4880 does not
    clarify what whitespace really maps to, we should really match the GnuPG
    implementation anyway, as that's what we use to verify the signatures.
    Reported by Jann Horn <[email protected]>. Fixes CVE-2015-0840.

  [ Raphaël Hertzog ]
  * Drop myself from Uploaders.

  [ Updated scripts translations ]
  * Fix typos in German (Helge Kreutzmann)
  * Swedish (Peter Krefting).

  [ Updated man page translations ]
  * Fix typos in German (Helge Kreutzmann)
  * Swedish (Peter Krefting).

 -- Guillem Jover <[email protected]>  Thu, 09 Apr 2015 08:45:47 +0200
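Two of the entries above describe parsing defects that are easy to get wrong again: names from package fields being spliced into a format string (CVE-2014-8625) and an OpenPGP armor header matcher that tolerates more trailing whitespace than GnuPG does (CVE-2015-0840). The following C program is an added illustration of both fixes; it is not dpkg's code, and every function, constant and message text in it (`escape_fmt`, `warn_bogus_field`, `armor_header_matches`, `ARMOR_BEGIN`, the "bogus field" wording) is a constructed stand-in, not an identifier from libdpkg or Dpkg::Control::Hash.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a warning routine whose format string is
 * assembled at runtime: vsnprintf interprets whatever % directives the
 * assembled format happens to contain. */
static int format_message(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Doubles every '%' in an untrusted name so that the result is inert when
 * it is later interpreted as part of a printf-style format. The caller
 * frees the returned buffer; NULL means allocation failed. */
char *escape_fmt(const char *src)
{
    size_t len = 0;
    const char *p;
    char *out, *q;

    for (p = src; *p; p++)
        len += (*p == '%') ? 2 : 1;
    out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    for (p = src, q = out; *p; p++) {
        *q++ = *p;
        if (*p == '%')
            *q++ = '%';
    }
    *q = '\0';
    return out;
}

/* Assembles a warning the way the buggy code path did (the name becomes part
 * of the format itself), but escapes the name first so it is reproduced
 * literally. Returns 0 on success, -1 on allocation failure. */
int warn_bogus_field(char *out, size_t size, const char *pkgname)
{
    char fmt[512];
    char *safe = escape_fmt(pkgname);

    if (safe == NULL)
        return -1;
    snprintf(fmt, sizeof fmt, "warning: package '%s' has a bogus field", safe);
    free(safe);
    /* `fmt` is now the format string; without escape_fmt() a name such as
     * "%s%s" would make vsnprintf consume arguments that were never passed */
    format_message(out, size, fmt);
    return 0;
}

#define ARMOR_BEGIN "-----BEGIN PGP SIGNED MESSAGE-----"

/* Matches an armor header line the strict way: `line` (newline already
 * stripped) must be exactly `header`, followed only by space, tab or CR.
 * Form feed, vertical tab and anything else make the match fail, even though
 * a generic "whitespace" class such as Perl's \s or C's isspace() would
 * accept them. Returns 1 on match, 0 otherwise. */
int armor_header_matches(const char *line, const char *header)
{
    size_t hlen = strlen(header);
    const char *p;

    if (strncmp(line, header, hlen) != 0)
        return 0;
    for (p = line + hlen; *p; p++) {
        if (*p != ' ' && *p != '\t' && *p != '\r')
            return 0;
    }
    return 1;
}

int main(void)
{
    char buf[512];

    /* constructed inputs: a hostile package name and two header variants */
    warn_bogus_field(buf, sizeof buf, "evil%s%n");
    printf("%s\n", buf);
    printf("%d\n", armor_header_matches(ARMOR_BEGIN " \t\r", ARMOR_BEGIN));
    printf("%d\n", armor_header_matches(ARMOR_BEGIN "\f", ARMOR_BEGIN));
    return 0;
}
```

The point of the second function is that the boundary of the signed region has to be located by the same rule the signature verifier uses: if dpkg's parser and GnuPG disagree about which line is the header, they can disagree about which bytes were signed.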