CVE-2014-3127

Published: 14/05/2014 Updated: 05/06/2014
CVSS v2 Base Score: 7.1 | Impact Score: 9.2 | Exploitability Score: 4.9
VMScore: 632
Vector: AV:N/AC:H/Au:N/C:N/I:C/A:C

Vulnerability Summary

dpkg 1.15.9 on Debian squeeze introduces support for the "C-style encoded filenames" feature without recognizing that the squeeze patch program lacks this feature, which triggers an interaction error that allows remote malicious users to conduct directory traversal attacks and modify files outside of the intended directories via a crafted source package. NOTE: this can be considered a release engineering problem in the effort to fix CVE-2014-0471.

Vulnerable Product

debian dpkg 1.16.0.2

debian dpkg 1.16.0.3

debian dpkg 1.16.2

debian dpkg 1.16.3

debian dpkg 1.16.8

debian dpkg 1.16.9

debian dpkg 1.16.0

debian dpkg 1.16.0.1

debian dpkg 1.16.11

debian dpkg 1.16.12

debian dpkg 1.16.5

debian dpkg 1.16.6

debian dpkg 1.16.7

debian dpkg 1.16.1

debian dpkg 1.16.1.1

debian dpkg 1.16.4

debian dpkg 1.16.4.1

debian dpkg 1.16.1.2

debian dpkg 1.16.10

debian dpkg 1.16.4.2

debian dpkg 1.16.4.3

debian dpkg 1.17.5

debian dpkg 1.17.6

debian dpkg 1.17.3

debian dpkg 1.17.4

debian dpkg 1.17.0

debian dpkg 1.17.7

debian dpkg 1.17.8

debian dpkg 1.17.1

debian dpkg 1.17.2

debian dpkg 1.15.8.11

debian dpkg 1.15.8.10

debian dpkg 1.15.5

debian dpkg 1.15.5.1

debian dpkg 1.15.8.13

debian dpkg 1.15.8.12

debian dpkg 1.15.4

debian dpkg 1.15.4.1

debian dpkg 1.15.5.6

debian dpkg 1.15.6

debian dpkg 1.15.8.2

debian dpkg 1.15.8.3

debian dpkg 1.15.0

debian dpkg 1.15.1

debian dpkg 1.15.5.2

debian dpkg 1.15.5.3

debian dpkg 1.15.7.1

debian dpkg 1.15.7.2

debian dpkg 1.15.8.6

debian dpkg 1.15.8.7

debian dpkg 1.15.6.1

debian dpkg 1.15.7

debian dpkg 1.15.8.4

debian dpkg 1.15.8.5

debian dpkg 1.15.9

debian dpkg 1.15.2

debian dpkg 1.15.3

debian dpkg 1.15.3.1

debian dpkg 1.15.5.4

debian dpkg 1.15.5.5

debian dpkg 1.15.8

debian dpkg 1.15.8.1

debian dpkg 1.15.8.8

debian dpkg 1.15.8.9

Vendor Advisories

Debian Bug report logs - #746498: dpkg-source: Directory traversal on unpack through missing --- header line. Package: dpkg-dev; Maintainer for dpkg-dev is Dpkg Developers <debian-dpkg@lists.debian.org>; Source for dpkg-dev is src:dpkg. Reported by: javier--7C8FrOsBhwV6hRgYM4mLHJBYcgPTm9@jaspnet Date: W ...

Debian Bug report logs - #749183: dpkg-source: Directory traversal on unpack through Index: pseudo-header. Package: dpkg-dev; Maintainer for dpkg-dev is Dpkg Developers <debian-dpkg@lists.debian.org>; Source for dpkg-dev is src:dpkg. Reported by: Guillem Jover <guillem@debian.org> Date: Sat, 24 May ...