[Bug 2122053] [NEW] dpkg-deb: Fix cleanup for control member with restricted directories

Joy M Latten 2122053 at bugs.launchpad.net
Thu Sep 4 14:44:56 UTC 2025


Public bug reported:

SRU Justification:

[ Impact ]

Fixes CVE-2025-6297

When extracting a control member into a temporary directory, which is
documented as being a safe operation even on untrusted data, the code
in charge of the temporary directory cleanup does not sanitize the
directory permissions, which is then unable to perform the «rm -rf»
when running as a non-root user, leaving temporary files behind.

Given automated and repeated execution of dpkg-deb commands on
adversarial .deb packages or with well compressible files, placed
inside a directory with permissions not allowing removal by a non-root
user, this can end up with a DoS scenario due to causing disk quota
exhaustion or disk full conditions.

This is considered a minor issue, given the required conditions to
trigger a problem with it, but an issue nonetheless given the
documented security guarantees of the command. This has been an
issue since the initial commit introducing dpkg-deb in C.

We use an existing string for the error message to avoid new strings
needing translation for stable branches, which makes the error message
less descriptive than what would be ideal. This will be improved in
git HEAD.

Reported-by: zhutyra on HackerOne
Fixes: CVE-2025-6297
Stable-Candidate: 1.20.x 1.21.x 1.22.x

[ Test Plan ]

The fix includes a testcase.
To manually test using the testcase, create a test directory, e.g. testdir, and cd into it.
- Generate control file for a deb
mkdir -p pkg-ctrl-dir-perms/DEBIAN
touch pkg-ctrl-dir-perms/DEBIAN/control
cat > pkg-ctrl-dir-perms/DEBIAN/control << EOF
Package: pkg-ctrl-dir-perms
Version: 1.0
Section: test
Priority: extra
Architecture: all
Maintainer: Anybody <anybody at anybody>
Description: Package to test CVE-2025-6297
EOF

- Create and build the deb
dpkg-deb --root-owner-group -Znone -b pkg-ctrl-dir-perms
- Extract contents of the deb
dpkg-deb -R pkg-ctrl-dir-perms.deb pkg-ctrl-dir-perms-bad
- Create a deb with bad permissions
mkdir -p pkg-ctrl-dir-perms-bad/DEBIAN/rx-subdir/inner
touch pkg-ctrl-dir-perms-bad/DEBIAN/rx-subdir/inner/file
chmod 0555 pkg-ctrl-dir-perms-bad/DEBIAN
chmod 0555 pkg-ctrl-dir-perms-bad/DEBIAN/rx-subdir
chmod 0555 pkg-ctrl-dir-perms-bad/DEBIAN/rx-subdir/inner
tar cf control.tar --format=gnu --mtime @0 --clamp-mtime --owner root:0 --group root:0 -C pkg-ctrl-dir-perms-bad/DEBIAN .
ar rc pkg-ctrl-dir-perms.deb control.tar

- Extract the control file and verify the permissions
dpkg-deb --ctrl-tarfile pkg-ctrl-dir-perms.deb | tar tvf -

- Check the cleanup of the temporarily extracted control member
(This will fail on a system without the fix with an error message and leave files in the temporary directory created)
dpkg-deb -I pkg-ctrl-dir-perms.deb


[ Where problems could occur ]

When extracting, this patch will walk a given directory and change the permissions on any child directories to 755, so that the cleanup can remove the files on disk for non-root users. 
Permissions on the parent directory (/tmp) of the temporary directory could possibly still prevent non-root users from cleaning up.

[ Other Info ]

Because noble and jammy do not implement some of the newer test macros
in dpkg, direct calls to the ar command were substituted in the testcase
for creating the archive.

** Affects: dpkg (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dpkg in Ubuntu.
https://bugs.launchpad.net/bugs/2122053
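
Added example (not part of the bug report and not the dpkg patch, which is in C): a shell reproduction of the cleanup failure described under [ Impact ] and of the chmod-then-remove behaviour described under [ Where problems could occur ]. The function names and the temporary tree are constructed for illustration.

```shell
#!/bin/sh
# Constructed input: the rx-subdir/inner/file layout from the test plan, with
# every directory set to 0555 as it would be after unpacking control.tar.
make_restricted_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/rx-subdir/inner" || return 1
    : > "$root/rx-subdir/inner/file" || return 1
    chmod 0555 "$root/rx-subdir/inner" "$root/rx-subdir" "$root" || return 1
    printf '%s\n' "$root"
}

# Pre-fix behaviour: plain recursive removal. As a non-root user nothing can be
# unlinked below a directory that lacks owner write permission, so the tree stays.
naive_cleanup() {
    rm -rf -- "$1" 2>/dev/null
    [ ! -e "$1" ]
}

# Behaviour described for the patch: set every child directory to 0755, then
# remove. find does not follow symlinks by default (-P), so a link placed in
# the tree is unlinked by rm and its target is never chmod'ed.
sanitized_cleanup() {
    find "$1" -type d -exec chmod 0755 {} \; || return 1
    rm -rf -- "$1"
    [ ! -e "$1" ]   # the result that matters: the tree is gone
}

demo() {
    t=$(make_restricted_tree) || return 1
    # root bypasses directory permissions, so only compare as a normal user
    if [ "$(id -u)" -ne 0 ] && naive_cleanup "$t"; then
        echo "unexpected: naive cleanup succeeded as non-root"
        return 1
    fi
    sanitized_cleanup "$t" && echo "cleaned: $t"
}

demo
```

As the report notes, this only repairs permissions inside the tree; a parent directory that forbids removal still blocks the final step.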

