Debian Security Advisory

DLA-220-1 dpkg -- LTS security update

Date Reported:
15 May 2015
Affected Packages:
dpkg
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 617923, Bug 695919.
In Mitre's CVE dictionary: CVE-2015-0840.
More information:

Jann Horn discovered that the source package integrity verification in dpkg-source can be bypassed via a specially crafted Debian source control file (.dsc). Note that this flaw affects only the extraction of local Debian source packages with dpkg-source; it does not affect the installation of packages from the Debian archive.

For the oldoldstable distribution (squeeze), this problem has been fixed in version 1.15.12. This also fixes a similar bug discovered by Ansgar Burchardt and a bug in the same area discovered by Roger Leigh.

For the oldstable distribution (wheezy), this problem was fixed in version 1.16.16.

The stable distribution (jessie) was not affected by this problem as it was fixed before release.
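The following is an added example, not part of the advisory or of dpkg itself: it checks a recorded dpkg version against the fixed versions listed above for each suite, so a host or a collected package list can be triaged without running dpkg --compare-versions on the affected machine. The version-comparison routine is a reimplementation of the Debian version ordering rules (epoch, upstream version, revision, with "~" sorting before everything else); the suite-to-version table is taken from this advisory, and the dpkg-query output is a constructed sample.

```python
"""Triage hosts against DLA-220-1 (CVE-2015-0840) from recorded dpkg versions.

Added example; not Debian's or dpkg's own code. The comparison below
reimplements the Debian version ordering used by `dpkg --compare-versions`
so the check runs offline, e.g. over a package list copied from another host.
"""
import string

# Fixed versions as stated in DLA-220-1. jessie shipped with the fix.
FIXED_VERSIONS = {
    "squeeze": "1.15.12",
    "wheezy": "1.16.16",
}
NOT_AFFECTED = {"jessie"}


def _order(c):
    """Sort weight of one character in a non-digit segment of a version."""
    if c == "" or c in string.digits:
        return 0
    if c in string.ascii_letters:
        return ord(c)
    if c == "~":
        return -1            # '~' sorts before anything, even end of string
    return ord(c) + 256      # other punctuation sorts after letters


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings, Debian style."""
    while a or b:
        first_diff = 0
        # Non-digit segment: compare character weights until a digit appears.
        while (a and a[0] not in string.digits) or (b and b[0] not in string.digits):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit segment: drop leading zeros, then the longer number wins,
        # otherwise the first differing digit decides.
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and a[0] in string.digits and b and b[0] in string.digits:
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0] in string.digits:
            return 1
        if b and b[0] in string.digits:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""   # missing revision compares equal to "0"
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is <, == or > b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


def is_vulnerable(suite, installed):
    """True if the installed dpkg on `suite` predates the fix in this advisory.

    False for jessie (fixed before release); None for a suite the advisory
    does not cover, so callers do not mistake "unknown" for "fixed".
    """
    if suite in NOT_AFFECTED:
        return False
    fixed = FIXED_VERSIONS.get(suite)
    if fixed is None:
        return None
    return compare_versions(installed, fixed) < 0


def parse_dpkg_query(output):
    """Parse `dpkg-query -W` output (one '<package> <version>' line each)."""
    versions = {}
    for line in output.splitlines():
        if line.strip():
            name, version = line.split(None, 1)
            versions[name] = version.strip()
    return versions


# Constructed sample output, as dpkg-query would print it on two hosts.
SAMPLE_SQUEEZE = "dpkg 1.15.11\n"
SAMPLE_WHEEZY = "dpkg 1.16.16\n"

if __name__ == "__main__":
    for suite, sample in (("squeeze", SAMPLE_SQUEEZE), ("wheezy", SAMPLE_WHEEZY)):
        ver = parse_dpkg_query(sample)["dpkg"]
        print(suite, ver, "vulnerable" if is_vulnerable(suite, ver) else "fixed")
```

On a live host the same check is `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' dpkg)" lt 1.16.16` (substitute the fixed version for the suite); the Python version exists so that versions gathered from many hosts can be triaged in one place, and it distinguishes an uncovered suite (None) from a fixed one (False).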