[Bug 2122053] Re: dpkg-deb: Fix cleanup for control member with restricted directories
Joy M Latten
2122053 at bugs.launchpad.net
Thu Sep 4 17:23:19 UTC 2025
The dpkg.debdiff for noble
** Patch added: "noble-dpkg.debdiff"
https://bugs.launchpad.net/ubuntu/+source/dpkg/+bug/2122053/+attachment/5905304/+files/noble-dpkg.debdiff
https://bugs.launchpad.net/bugs/2122053
Title:
dpkg-deb: Fix cleanup for control member with restricted directories
Status in dpkg package in Ubuntu:
New
Bug description:
SRU Justification:
[ Impact ]
Fixes CVE-2025-6297
When extracting a control member into a temporary directory, which is
documented as being a safe operation even on untrusted data, the code
in charge of the temporary directory cleanup does not sanitize the
directory permissions, which is then unable to perform the «rm -rf»
when running as a non-root user, leaving temporary files behind.
Given automated and repeated execution of dpkg-deb commands on
adversarial .deb packages or with well compressible files, placed
inside a directory with permissions not allowing removal by a non-root
user, this can end up with a DoS scenario due to causing disk quota
exhaustion or disk full conditions.
This is considered a minor issue, given the required conditions to
trigger a problem with it, but an issue nonetheless given the
documented security guarantees of the command. This has been an
issue since the initial commit introducing dpkg-deb in C.
We use an existing string for the error message to avoid new strings
needing translation for stable branches, which makes the error message
less descriptive than what would be ideal. This will be improved in
git HEAD.
Reported-by: zhutyra on HackerOne
Fixes: CVE-2025-6297
Stable-Candidate: 1.20.x 1.21.x 1.22.x
[ Test Plan ]
The fix includes a testcase.
To manually test using the testcase, create a test directory, i.e. testdir, and cd into it.
- Generate control file for a deb
mkdir -p pkg-ctrl-dir-perms/DEBIAN
touch pkg-ctrl-dir-perms/DEBIAN/control
cat << EOF > pkg-ctrl-dir-perms/DEBIAN/control
Package: pkg-ctrl-dir-perms
Version: 1.0
Section: test
Priority: extra
Architecture: all
Maintainer: Anybody <anybody at anybody>
Description: Package to test CVE-2025-6297
EOF
- Create and build the deb
dpkg-deb --root-owner-group -Znone -b pkg-ctrl-dir-perms
- Extract contents of the deb
dpkg-deb -R pkg-ctrl-dir-perms.deb pkg-ctrl-dir-perms-bad
- Create a deb with bad permissions
mkdir -p pkg-ctrl-dir-perms-bad/DEBIAN/rx-subdir/inner
touch pkg-ctrl-dir-perms-bad/DEBIAN/rx-subdir/inner/file
chmod 0555 pkg-ctrl-dir-perms-bad/DEBIAN
chmod 0555 pkg-ctrl-dir-perms-bad/DEBIAN/rx-subdir
chmod 0555 pkg-ctrl-dir-perms-bad/DEBIAN/rx-subdir/inner
tar cf control.tar --format=gnu --mtime @0 --clamp-mtime --owner root:0 --group root:0 -C pkg-ctrl-dir-perms-bad/DEBIAN .
ar rc pkg-ctrl-dir-perms.deb control.tar
- Extract the control file and verify the permissions
dpkg-deb --ctrl-tarfile pkg-ctrl-dir-perms.deb | tar tvf -
- Check the cleanup of the temporarily extracted control member
(This will fail on a system without the fix with an error message and leave files in the temporary directory created)
dpkg-deb -I pkg-ctrl-dir-perms.deb
[ Where problems could occur ]
When extracting, this patch will walk a given directory and change the permissions on any child directories to 755, so that the cleanup can remove the files on disk for non-root users.
Permissions on the parent directory (/tmp) of the temporary directory could possibly still prevent non-root users from cleaning up.
[ Other Info ]
Because noble and jammy do not implement some of the newer test macros
in dpkg, direct calls to the ar command were substituted in the
testcase for creating the archive.
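The cleanup approach described under "Where problems could occur" (reset directory modes to 755, then remove), shown as an added shell example that is not dpkg's code and not part of the original report. The function names, the sample tree and the symlink check are constructed for illustration; the tree mirrors the 0555 directories from the test plan.

```shell
#!/bin/sh
# Added illustration: function names and the sample tree are constructed.

# Build a tree shaped like the test plan's control member: nested 0555
# directories, plus a symlink to a 0555 directory outside the tree.
make_restricted_tree() {
    root=$1 outside=$2
    mkdir -p "$root/rx-subdir/inner" "$outside"
    touch "$root/rx-subdir/inner/file"
    ln -s "$outside" "$root/rx-subdir/inner/link"
    chmod 0555 "$outside" "$root/rx-subdir/inner" "$root/rx-subdir" "$root"
}

# Cleanup without a permission reset: as a non-root user rm cannot unlink
# entries inside directories that lack the write bit.
naive_cleanup() {
    rm -rf "$1" 2>/dev/null
    [ ! -e "$1" ]
}

# Cleanup with the reset: set every real directory to 0755, then remove.
# find does not follow symlinks by default and -type d does not match them,
# so the chmod never reaches the directory the symlink points to.
cleanup_tree() {
    find "$1" -type d -exec chmod 0755 {} \; && rm -rf "$1"
    [ ! -e "$1" ]
}

# Run both cleanups on fresh sample trees and report what happened.
demo() {
    work=$(mktemp -d) || return 1
    make_restricted_tree "$work/a" "$work/outside-a"
    make_restricted_tree "$work/b" "$work/outside-b"
    naive_cleanup "$work/a" && naive=removed || naive=left-behind
    cleanup_tree "$work/b" && fixed=removed || fixed=left-behind
    [ -n "$(find "$work/outside-b" -prune -perm 0555)" ] \
        && outside=unchanged || outside=changed
    echo "naive=$naive fixed=$fixed outside=$outside"
    chmod -R u+rwx "$work" 2>/dev/null
    rm -rf "$work"
}

demo
```

Run as a non-root user, the naive cleanup leaves its tree behind while the reset variant removes it; as root both succeed, which is why the issue only shows up for non-root callers.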