Directory Traversal Vulnerability in Dpkg Affected by Noncompliant Patch Programs
CVE-2014-3227

Currently unrated

Key Information:

Vendor: Debian
Status: Vendor
CVE Published: 30 May 2014

Summary

The Dpkg package management system is susceptible to a directory traversal vulnerability because it relies on patch programs complying with the 'C-style encoded filenames' convention. Versions 1.15.9, 1.16.x prior to 1.16.14, and 1.17.x prior to 1.17.9 are affected. Using a crafted source package, an attacker can traverse the directory structure and potentially modify files outside the designated directories. The root cause is an unrealistic assumption about how external programs behave, which leads to significant security risks.
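
A defensive check for the issue summarized above, as an added example that is not dpkg's own code or its fix: it scans the `---`/`+++` headers of a unified diff and flags names that are absolute or contain a `..` component, reading each name both decoded and undecoded so the result does not depend on which patch program is installed. The function names, the strict reject policy and the sample patch are assumptions constructed for this illustration.

```python
import re

_SIMPLE = {"a": 7, "b": 8, "f": 12, "n": 10, "r": 13, "t": 9, "v": 11}  # C escapes
_ESCAPE = re.compile(r"\\([0-7]{1,3}|.)", re.S)
_HEADER = re.compile(r"^(?:---|\+\+\+) (.+)$")
_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')


def _unescape(m):
    tok = m.group(1)
    if tok[0] in "01234567":
        return chr(int(tok, 8) & 0xFF)  # an octal escape names one byte
    return chr(_SIMPLE[tok]) if tok in _SIMPLE else tok


def decode_c_style(name):
    """Decode a double-quoted C-style filename; return other names unchanged."""
    return _ESCAPE.sub(_unescape, name[1:-1]) if _QUOTED.fullmatch(name) else name


def unsafe(path):
    """Strict policy: reject absolute paths and any '..' component."""
    return path != "/dev/null" and (path.startswith("/") or ".." in path.split("/"))


def scan_patch(text):
    """Return (line_no, raw_name) for header names that may leave the tree."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = _HEADER.match(line)  # hunk lines starting '--- ' also match: fails closed
        if m:
            q = _QUOTED.match(m.group(1))
            raw = q.group(0) if q else m.group(1).split("\t")[0].rstrip()
            # Check the name decoded, as a compliant patch program reads it, and
            # undecoded, as one without that feature might: the two can disagree.
            if unsafe(decode_c_style(raw)) or unsafe(raw):
                findings.append((no, raw))
    return findings


# Constructed sample patch: the second file's name is C-style encoded.
SAMPLE = (
    "--- a/src/main.c\t2014-01-01\n+++ b/src/main.c\t2014-01-01\n@@ -1 +1 @@\n-x\n+y\n"
    '--- /dev/null\n+++ "b/\\056\\056/\\056\\056/outside.txt"\n@@ -0,0 +1 @@\n+z\n'
)

if __name__ == "__main__":
    print(scan_patch(SAMPLE))
```

A check that looks for `..` only in the undecoded header text passes the second file in the sample, which is why the name is decoded before it is validated.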

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved
