[Bug 2122053] Re: dpkg-deb: Fix cleanup for control member with restricted directories

Marc Deslauriers 2122053 at bugs.launchpad.net
Fri Sep 19 16:37:57 UTC 2025


If everyone is ok with this going through security, I'll grab the
packages and will rebuild them in the security team PPA, and once
they're tested, I'll release them as security updates with a USN.

https://bugs.launchpad.net/bugs/2122053

Title:
  dpkg-deb: Fix cleanup for control member with restricted directories

Status in dpkg package in Ubuntu:
  Fix Released
Status in dpkg source package in Jammy:
  Fix Committed
Status in dpkg source package in Noble:
  Fix Committed
Status in dpkg source package in Plucky:
  New

Bug description:
  SRU Justification:

  [ Impact ]

  Fixes CVE-2025-6297

  When extracting a control member into a temporary directory, which is
  documented as being a safe operation even on untrusted data, the code
  in charge of the temporary directory cleanup does not sanitize the
  directory permissions, and is therefore unable to perform the «rm -rf»
  when running as a non-root user, leaving temporary files behind.

  Given automated and repeated execution of dpkg-deb commands on
  adversarial .deb packages or with well compressible files, placed
  inside a directory with permissions not allowing removal by a non-root
  user, this can end up with a DoS scenario due to causing disk quota
  exhaustion or disk full conditions.

  This is considered a minor issue, given the required conditions to
  trigger a problem with it, but an issue nonetheless given the
  documented security guarantees of the command. This has been an
  issue since the initial commit introducing dpkg-deb in C.

  We use an existing string for the error message to avoid new strings
  needing translation for stable branches, which makes the error message
  less descriptive than would be ideal. This will be improved in
  git HEAD.

  Reported-by: zhutyra on HackerOne
  Fixes: CVE-2025-6297
  Stable-Candidate: 1.20.x 1.21.x 1.22.x

  [ Test Plan ]

  The fix includes a testcase.
  To manually test using the testcase, create a test directory, e.g. testdir, and cd into it.
  - Generate control file for a deb
  mkdir -p pkg-ctrl-dir-perms/DEBIAN
  touch pkg-ctrl-dir-perms/DEBIAN/control
  cat > pkg-ctrl-dir-perms/DEBIAN/control << EOF
  Package: pkg-ctrl-dir-perms
  Version: 1.0
  Section: test
  Priority: extra
  Architecture: all
  Maintainer: Anybody <anybody@anybody>
  Description: Package to test CVE-2025-6297
  EOF

  - Create and build the deb
  dpkg-deb --root-owner-group -Znone -b pkg-ctrl-dir-perms
  - Extract contents of the deb
  dpkg-deb -R pkg-ctrl-dir-perms.deb pkg-ctrl-dir-perms-bad
  - Replace the control member with one containing read-execute-only directories
  mkdir -p pkg-ctrl-dir-perms-bad/DEBIAN/rx-subdir/inner
  touch pkg-ctrl-dir-perms-bad/DEBIAN/rx-subdir/inner/file
  chmod 0555 pkg-ctrl-dir-perms-bad/DEBIAN
  chmod 0555 pkg-ctrl-dir-perms-bad/DEBIAN/rx-subdir
  chmod 0555 pkg-ctrl-dir-perms-bad/DEBIAN/rx-subdir/inner
  tar cf control.tar --format=gnu --mtime @0 --clamp-mtime --owner root:0 --group root:0 -C pkg-ctrl-dir-perms-bad/DEBIAN .
  ar rc pkg-ctrl-dir-perms.deb control.tar

  - Extract the control tarball and verify the permissions
  dpkg-deb --ctrl-tarfile pkg-ctrl-dir-perms.deb | tar tvf -

  - Check that the temporarily extracted control member is cleaned up
  (Without the fix this fails with an error message and leaves files behind in the temporary directory it created)
  dpkg-deb -I pkg-ctrl-dir-perms.deb

  [ Where problems could occur ]

  When extracting, this patch will walk a given directory and change the permissions on any child directories to 755, so that the cleanup can remove the files on disk for non-root users.
  Permissions on the parent directory (/tmp) of the temporary directory could possibly still prevent non-root users from cleaning up.
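
  The cleanup failure and the permission walk described above, as an added example that is not dpkg's code and not part of the bug report: a POSIX shell script that builds a tree shaped like the test plan's control member (0555 directories), shows that a plain rm -rf as a non-root user leaves files behind, and then applies the same idea as the fix by restoring owner rwx on every directory before removing. Function names are my own; as root the naive removal succeeds anyway, since root ignores directory write bits.

```shell
#!/bin/sh
# Constructed example, not dpkg's code: reproduce the stuck cleanup on a
# read-execute-only control tree and show the permission walk that fixes it.

# Build a tree shaped like the test plan's control member: every directory
# is 0555, so a non-root rm -rf cannot unlink the entries inside them.
make_restricted_tree() {
    mkdir -p "$1/DEBIAN/rx-subdir/inner" &&
    touch "$1/DEBIAN/rx-subdir/inner/file" &&
    chmod 0555 "$1/DEBIAN/rx-subdir/inner" "$1/DEBIAN/rx-subdir" "$1/DEBIAN"
}

# Unsanitized cleanup: plain rm -rf. Returns 0 only if the tree is gone.
# As a non-root user this leaves the 0555 directories and the file behind
# (the DoS precondition from the bug); root succeeds regardless.
naive_rm_tree() {
    rm -rf "$1" 2>/dev/null
    [ ! -e "$1" ]
}

# Sanitized cleanup, the same idea as the dpkg-deb fix: walk the tree first
# and restore owner rwx on every directory (the fix sets 0755; adding only
# the owner bits is enough for removal), then rm -rf. Returns 0 only if
# the tree is gone. find visits a directory before its children, so each
# directory is writable again before its entries are touched.
safe_rm_tree() {
    [ -e "$1" ] || return 0
    find "$1" -type d -exec chmod u+rwx '{}' + || return 1
    rm -rf "$1"
    [ ! -e "$1" ]
}

# Short demonstration when the script is run directly.
work=$(mktemp -d)
make_restricted_tree "$work/naive"
naive_rm_tree "$work/naive" && echo "naive: clean" || echo "naive: leftovers under $work/naive"
make_restricted_tree "$work/safe"
safe_rm_tree "$work/safe" && echo "safe: clean" || echo "safe: leftovers"
safe_rm_tree "$work"   # also clears whatever the naive pass left behind
```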

  [ Other Info ]

  Because noble and jammy do not implement some of the newer test macros
  in dpkg, direct calls to the ar command were substituted in the
  testcase for creating the archive.
