CPANSA-Dpkg-2014-3127: Dpkg vulnerability
| Publisher | giterlizzi | Document category | csaf_security_advisory |
|---|---|---|---|
| Initial release date | 2014-05-14T00:00:00 | Engine | CSAF Perl Toolkit 0.25 |
| Current release date | 2014-05-14T00:00:00 | Build Date | |
| Current version | 1 | Status | final |
| CVSS v3.1 Base Score | Severity | ||
| Original language | Language | en | |
| Also referred to | |||
Vulnerability Description
dpkg 1.15.9 on Debian squeeze introduces support for the "C-style encoded filenames" feature without recognizing that the squeeze patch program lacks this feature, which triggers an interaction error that allows remote attackers to conduct directory traversal attacks and modify files outside of the intended directories via a crafted source package. NOTE: this can be considered a release engineering problem in the effort to fix CVE-2014-0471.
Vulnerabilities
CVE-2014-3127
Vulnerability Descriptiondpkg 1.15.9 on Debian squeeze introduces support for the "C-style encoded filenames" feature without recognizing that the squeeze patch program lacks this feature, which triggers an interaction error that allows remote attackers to conduct directory traversal attacks and modify files outside of the intended directories via a crafted source package. NOTE: this can be considered a release engineering problem in the effort to fix CVE-2014-0471.
| Weakness | CWE-22 : Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|---|
Product status
Known affected
| Product | Score | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Dpkg less than 1.17.9 |
|
Fixed
- Dpkg greater than or equal 1.17.9
giterlizzi
Namespace: https://github.com/giterlizzi/
gdt@cpan.org
References
- CPANSA-Dpkg-2014-3127 JSON self
https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2014/cpansa-dpkg-2014-3127.json - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746306 external
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746306 - http://www.securityfocus.com/bid/67181 external
http://www.securityfocus.com/bid/67181 - http://seclists.org/oss-sec/2014/q2/227 external
http://seclists.org/oss-sec/2014/q2/227 - http://seclists.org/oss-sec/2014/q2/191 external
http://seclists.org/oss-sec/2014/q2/191 - http://metadata.ftp-master.debian.org/changelogs//main/d/dpkg/dpkg_1.15.10_changelog external
http://metadata.ftp-master.debian.org/changelogs//main/d/dpkg/dpkg_1.15.10_changelog - CVE-2014-3127 (NVD) external
https://nvd.nist.gov/vuln/detail/CVE-2014-3127
Revision history
| Version | Date of the revision | Summary of the revision |
|---|---|---|
| 1 | Wed May 14 00:00:00 2014 | First release |
Sharing rules
TLP:WHITE
For the TLP version see: https://www.first.org/tlp/