Debian Long Term Support / LTS Security Information / 2014 / Security Information -- DLA-58-2 apt

Debian Security Advisory

DLA-58-2 apt -- LTS security update

Date Reported:

23 Sep 2014

Affected Packages:

apt

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2014-6273.

More information:

This update fixes a regression introduced in 0.8.10.3+squeeze5 where apt would send invalid HTTP requests when sending If-Range queries.

For reference, the original advisory text follows.

The Google Security Team discovered a buffer overflow vulnerability in the HTTP transport code in apt-get. An attacker able to man-in-the-middle a HTTP request to an apt repository can trigger the buffer overflow, leading to a crash of the http apt method binary, or potentially to arbitrary code execution.

The following regression fixes were included in this update:

• Fix regression from the previous update in DLA-53-1 when the custom apt configuration option for Dir::state::lists is set to a relative path (#762160).
• Fix regression in the reverificaiton handling of cdrom: sources that may lead to incorrect hashsum warnings. Affected users need to run "apt-cdrom add" again after the update was applied.
• Fix regression from the previous update in DLA-53-1 when file:/// sources are used and those are on a different partition than the apt state directory.

For Debian 6 Squeeze, these issues have been fixed in apt version 0.8.10.3+squeeze6