Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:dpkg
User: [email protected]
Usertags: pu
Hi!
[ Reason ]
This oldstable update includes several changes that were part of
previous stable updates (1.22.22), pre-approval unblocks during the
freeze (1.22.21), or fixes from earlier development releases that have
been in use for a long time now (1.22.0, 1.22.1, 1.22.4).
The update includes:
- Two CVE fixes for DoS issues.
- Fixes for a crash and a buffer overrun.
- Fix for a memory leak.
- Fix for uninitialized variable use.
- Fix for Rules-Requires-Root values handling, to conform to spec.
- Translation updates.
For the CVEs, the Security Team didn't deem them important enough, and
considered that it would be better to handle them via a stable update.
[ Impact ]
The security issues are minor (that's why they are not being handled
via the security team), but they are covered by dpkg-deb security
guarantees, and can be used for DoS scenarios.
The crash impacts a valid use of dpkg-trigger.
The tar long GNU names and links fix makes the code robust against the
way apparently all non-GNU implementations represent the format, and
against bogus/malicious artifacts. GNU tar handles correctly both NUL
and non-NUL terminated archives.
The threads_max uninitialized variable use can lead to unexpected
results, given that the variable can contain unknown garbage.
The Rules-Requires-Root changes fix some uninitialized variable Perl
warnings (which the user cannot do anything about and are confusing),
make the code conform to the spec, and avoid potential build failures
(given that sbuild now ends up using this logic to decide whether to
install fakeroot).
[ Tests ]
The code has been in unstable/forky(/trixie) for some/a long time now, and
the changes either include unit or functional tests or I re-tested them
against bookworm:
- The zstd CVE fix no longer makes dpkg-deb busy-loop with the two
test .deb archives from the bug report.
Also, all usual unit and functional tests done as part of the automated
release process (driven by a local gen-release script, which is part
of git for later releases), passed.
[ Risks ]
The changes in general are not big or intrusive, and/or they have seen
extensive test coverage in unstable/forky(/trixie).
[ Checklist ]
[√] *all* changes are documented in the d/changelog
[√] I reviewed all changes and I approve them
[√] attach debdiff against the package in (old)stable
[√] the issue is verified as fixed in unstable
[ Changes ]
The detailed explanation of all the changes is included in the ChangeLog
in the debdiff.
[ Other info ]
As usual, I've included the full debdiff, and the following can be
used to filter all autogenerated stuff from it:
,---
xzcat dpkg-1.21.22-1.21.23.debdiff.xz \
| filterdiff -x '*.po' -x '*.pot' -x '*.in' -x '*/man/*/*.pod' \
-x '*/configure' -x '*/build-aux/*' \
-x '*/at/testsuite' -x '*/at/package.m4' \
| less
`---
Thanks,
Guillem
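As an added illustration of the long-name robustness point under [ Impact ] (my own example, not dpkg's code): a helper that extracts the payload of a GNU tar long name ('L') or long link ('K') entry without assuming it is NUL-terminated, so both kinds of archive are handled and a name that does not fit is rejected instead of overrunning. The function name and the sample payloads are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper, not dpkg's code: extract the name carried by a GNU
 * tar long name ('L') or long link ('K') entry. The entry's size field
 * gives the payload length (datalen). GNU tar writes a trailing NUL and
 * counts it in that size, but other writers (and malformed archives) may
 * omit it, so the payload must never be treated as a C string via strlen().
 *
 * Returns the name length on success, or -1 if the name does not fit in
 * out; out is NUL-terminated whenever the return value is >= 0.
 */
int tar_copy_long_name(const char *data, size_t datalen,
                       char *out, size_t outlen)
{
    /* Stop at the first NUL if the writer included one, else at datalen;
     * memchr is bounded by datalen, unlike strlen. */
    const char *nul = memchr(data, '\0', datalen);
    size_t len = nul != NULL ? (size_t)(nul - data) : datalen;

    if (outlen == 0 || len >= outlen)
        return -1;            /* no room for the terminator we add */

    memcpy(out, data, len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    /* Constructed payloads: one NUL-terminated as GNU tar writes it, one
     * without the NUL as other implementations may emit it. */
    static const char gnu_payload[] = "very/long/path/name\0";
    static const char other_payload[] = { 'v','e','r','y','/','l','o','n','g' };
    char name[64];

    if (tar_copy_long_name(gnu_payload, sizeof(gnu_payload) - 1,
                           name, sizeof(name)) >= 0)
        printf("GNU style: \"%s\"\n", name);
    if (tar_copy_long_name(other_payload, sizeof(other_payload),
                           name, sizeof(name)) >= 0)
        printf("non-NUL:   \"%s\"\n", name);
    if (tar_copy_long_name(other_payload, sizeof(other_payload), name, 4) < 0)
        printf("oversized name rejected\n");
    return 0;
}
```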