fbe0c92... by Raphael Geissert on 2010-01-26
Finalize changes for 1.23.28+etch1
* Non-maintainer upload by the Security Team
* checks/{control-files,files,menus}:
+ [RG] Fix CVE-2009-4014: format string vulnerabilities
* checks/{debhelper,files,infofiles,init.d,menu-format,po-debconf,scripts}:
+ [RG] Fix CVE-2009-4015: arbitrary command execution
* checks/fields:
+ [RG] Fix CVE-2009-4013: missing control files sanitation
* collection/source-control-file:
+ [RG] Fix CVE-2009-4013: missing control files sanitation
* frontend/lintian:
+ [RG] Fix CVE-2009-4013: missing control files sanitation
+ [RG] Fix CVE-2009-4014: format string vulnerabilities
* lib/Util.pm:
+ [RG] Fix CVE-2009-4015: arbitrary command execution
* unpack/unpack-{bin,src}pkg-l1:
+ [RG] Fix CVE-2009-4013: missing control files sanitation
50c6950... by Raphael Geissert on 2010-01-26
Fix CVE-2009-4015, arbitrary command execution
File names were not properly escaped when passing them as arguments to
certain commands, allowing the execution of other commands as pipes or
as a set of shell commands.
b79a8d1... by Raphael Geissert on 2010-01-26
Fix CVE-2009-4014, format string vulnerabilities
Multiple check scripts and the lintian frontend were using
user-provided input as part of the sprintf/printf format string.
0e60e80... by Raphael Geissert on 2010-01-26
Fix CVE-2009-4013, missing control files sanitation
Control field names and values were not sanitised before using them
in certain operations that could lead to directory traversals.
An attacker could exploit these vulnerabilities to overwrite arbitrary
files.
43f01b2... by Russ Allbery on 2007-03-10
* collection/objdump-info:
+ [RA] Remove unsafe temporary file creation in left-over debugging
code added accidentally when fixing #399456. Thanks, Josh
Triplett. (Closes: #414237)
c62b8bf... by Russ Allbery on 2007-03-10
Create a new etch branch for a security fix.
465ae6f... by Russ Allbery on 2006-12-03
Tag 1.23.27 release.
8411f74... by Russ Allbery on 2006-12-03
Finalize changes for 1.23.27.
585b806... by Russ Allbery on 2006-12-03
* lib/Lab.pm:
+ [RA] Preserve the old package lists when setting up a static lab so
that the unpack programs can build a list of changed packages and
incremental mode works. Thanks, Bill Allombert. (Closes: #400342)
8317287... by Russ Allbery on 2006-12-03
* unpack/list-udebpkg:
+ [RA] Handle compressed udeb Packages files. Thanks, Bill
Allombert. (Closes: #400338)