Debian Security Advisory

DLA-58-2 apt -- LTS security update

Date Reported:
23 Sep 2014
Affected Packages:
apt
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2014-6273.
More information:

This update fixes a regression introduced in 0.8.10.3+squeeze5 where apt would send invalid HTTP requests when sending If-Range queries.

For reference, the original advisory text follows.

The Google Security Team discovered a buffer overflow vulnerability in the HTTP transport code in apt-get. An attacker able to man-in-the-middle a HTTP request to an apt repository can trigger the buffer overflow, leading to a crash of the http apt method binary, or potentially to arbitrary code execution.

The following regression fixes were included in this update:

  • Fix regression from the previous update in DLA-53-1 when the custom apt configuration option for Dir::state::lists is set to a relative path (#762160).
  • Fix regression in the reverificaiton handling of cdrom: sources that may lead to incorrect hashsum warnings. Affected users need to run "apt-cdrom add" again after the update was applied.
  • Fix regression from the previous update in DLA-53-1 when file:/// sources are used and those are on a different partition than the apt state directory.

For Debian 6 Squeeze, these issues have been fixed in apt version 0.8.10.3+squeeze6