-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 3.0 (native)
Source: dpkg
Binary: libdpkg-dev, dpkg, dpkg-dev, libdpkg-perl, dselect
Architecture: any all
Version: 1.16.16
Origin: debian
Maintainer: Dpkg Developers <[email protected]>
Uploaders: Guillem Jover <[email protected]>
Homepage: http://wiki.debian.org/Teams/Dpkg
Standards-Version: 3.9.3
Vcs-Browser: http://git.debian.org/?p=dpkg/dpkg.git
Vcs-Git: git://git.debian.org/git/dpkg/dpkg.git
Build-Depends: debhelper (>= 7), pkg-config, flex, gettext (>= 0.18), po4a (>= 0.41), zlib1g-dev (>= 1:1.1.3-19.1), libbz2-dev, liblzma-dev, libselinux1-dev (>= 1.28-4) [linux-any], libncursesw5-dev, libtimedate-perl, libio-string-perl
Package-List: 
 dpkg deb admin required
 dpkg-dev deb utils optional
 dselect deb admin optional
 libdpkg-dev deb libdevel optional
 libdpkg-perl deb perl optional
Checksums-Sha1: 
 719559dbcba31624967e244d85f1c16e83ae6462 3804836 dpkg_1.16.16.tar.xz
Checksums-Sha256: 
 d25045e39aeb1a6e99156e1d4b8c7672bf69b54e5f853336982e62c7a04e8ef2 3804836 dpkg_1.16.16.tar.xz
Files: 
 88d0e4c98ecb8afe6dee896a2aa9665d 3804836 dpkg_1.16.16.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJVJiLdAAoJELlyvz6krlejtUoP/Rvkjzn0ztzVVZX99pujvf01
+oPw1XkWe/n4g19j74cI1DtTVlRCVvnwaE6sM28ARNGSmnAcFHSSDoKMyy+CzP8e
/+sMCga/WqCsocVDTlmS8/qxx/8SzOwPQcMeRt03wAH3xQaYRrKMAd73goBDInOM
Jmd13daGInam5FoPE10sdeUCAS2pqJopjmCrW/g3aYBP48dflgeOEyu3G/9YgEub
f4QSy/TXHgPv19UcXKzGRMcFNivE/IKZAVscBbL1ffU/aP2G8AO9Dc1CYkV/89fH
aAr5oAGRN9IiJBqOmOiEHzxZ72d/uleZE+YsXgYSe45lP7d5LJ28Nkn8NMzvdAJ8
71UTltG3bmKTT2RXCDSwrzueQLzOlIq8SoUC3sEYS6DipLS6nRf6t1EtLmtSp2uh
qWYoduSYv+z3SIPlOXCwjbQsspMJOGYf0KVWloDVzqvvgth+sKzul1PlkT4Cu4Cz
lTUw9by2On+lK6x4jMqPn8+IWmXaOPNuz1+zEwkU38MjZ3nPo/Q8KaMis19ckKG1
HUiIhQbyCgz4figQtkVFueCFQ9dihhXmuSaMMEBTudHPfqXo8nEFx2heT/IEsO31
ifTcRdQYPJ/8ek/cV39tjlDaDhv6SYsOgd8WfeU8VMULgm61YvTR3+pyN697mZvs
JVnBX4DHd6kTrkSdHztl
=FjCL
-----END PGP SIGNATURE-----

Changes: 
 dpkg (1.16.16) wheezy-security; urgency=high
 .
   [ Guillem Jover ]
   * Do not leak long tar names on bogus or truncated archives.
   * Do not leak the filepackages iterator when a directory is used by other
     packages.
   * Do not leak color string on «dselect --color».
   * Fix memory leaks when parsing alternatives.
   * Fix memory leaks in buffer_copy() on error conditions.
   * Fix possible out of bounds buffer read access in the error output on
     bogus ar member sizes.
   * Fix file triggers/Unincorp descriptor leak on subprocesses. Regression
     introduced with the initial triggers implementation in dpkg 1.14.17.
     Closes: #751021
   * Fix a descriptor leak on dselect subprocesses when --debug is used.
   * Do not run qsort() over the scandir() list in libcompat if it is NULL.
   * Fix off-by-one stack buffer overrun in start-stop-daemon on GNU/Linux and
     GNU/kFreeBSD if the executable pathname is longer than _POSIX_PATH_MAX.
     Although this should not have security implications as the buffer is
     surrounded by two arrays (so those catch accesses even if the stack
     grows up or down), and we are compiling with -fstack-protector anyway.
   * Add a workaround to start-stop-daemon for bogus OpenVZ Linux kernels that
     prepend, instead of appending, the " (deleted)" marker in /proc/PID/exe.
     Closes: #731530
   * Fix off-by-one error in libdpkg command argv size calculation.
     Based on a patch by Bálint Réczey <[email protected]>. Closes: #760690
   * Escape package and architecture names on control file parsing warning,
     as those get injected into a variable that is used as a format string,
     and they come from the package fields, which are under user control.
     Regression introduced in dpkg 1.16.0. Fixes CVE-2014-8625.
     Closes: #768485
     Reported by Joshua Rogers <[email protected]>.
   * Do not match partial field names in control files. Closes: #769119
     Regression introduced in dpkg 1.10.
   * Fix out-of-bounds buffer read accesses when parsing field and trigger
     names or checking package ownership of conffiles and directories.
     Reported by Joshua Rogers <[email protected]>.
   * Add powerpcel support to cputable.
     Thanks to Jae Junh <[email protected]>.
   * Fix OpenPGP Armor Header Line parsing in Dpkg::Control::Hash. We should
     only accept [\r\t ] as trailing whitespace, although RFC4880 does not
     clarify what whitespace really maps to, we should really match the GnuPG
     implementation anyway, as that's what we use to verify the signatures.
     Reported by Jann Horn <[email protected]>. Fixes CVE-2015-0840.
 .
   [ Raphaël Hertzog ]
   * Drop myself from Uploaders.
 .
   [ Updated scripts translations ]
   * Fix typos in German (Helge Kreutzmann).
   * Swedish (Peter Krefting).
 .
   [ Updated man page translations ]
   * Fix typos in German (Helge Kreutzmann).
   * Swedish (Peter Krefting).
 .
  -- Guillem Jover <[email protected]>  Thu, 09 Apr 2015 08:45:47 +0200