Published: 13/04/2015 Updated: 03/01/2017

CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6

VMScore: 383

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

The dpkg-source command in Debian dpkg prior to 1.16.16 and 1.17.x prior to 1.17.25 allows remote malicious users to bypass signature verification via a crafted Debian source control file (.dsc).

Vulnerable Product	Search on Vulmon	Subscribe to Product
debian dpkg 1.17.1
debian dpkg 1.17.2
debian dpkg 1.17.5
debian dpkg 1.17.6
debian dpkg 1.17.7
debian dpkg 1.17.14
debian dpkg 1.17.15
debian dpkg 1.17.22
debian dpkg 1.17.23
debian dpkg
debian dpkg 1.17.0
debian dpkg 1.17.8
debian dpkg 1.17.9
debian dpkg 1.17.16
debian dpkg 1.17.17
debian dpkg 1.17.24
debian dpkg 1.17.10
debian dpkg 1.17.11
debian dpkg 1.17.18
debian dpkg 1.17.19
debian dpkg 1.17.3
debian dpkg 1.17.4
debian dpkg 1.17.12
debian dpkg 1.17.13
debian dpkg 1.17.20
debian dpkg 1.17.21
canonical ubuntu linux 14.10
canonical ubuntu linux 14.04
canonical ubuntu linux 12.04
canonical ubuntu linux 10.04

dpkg could be tricked into bypassing source package signature checks ...

Jann Horn discovered that the source package integrity verification in dpkg-source can be bypassed via a specially crafted Debian source control file (dsc) Note that this flaw only affects extraction of local Debian source packages via dpkg-source but not the installation of packages from the Debian archive For the stable distribution (wheezy), ...

CWE-284 http://www.ubuntu.com/usn/USN-2566-1 http://www.debian.org/security/2015/dsa-3217 http://lists.opensuse.org/opensuse-updates/2015-06/msg00029.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157387.html https://usn.ubuntu.com/2566-1/https://nvd.nist.gov

CVE-2015-0840

Vulnerability Summary

Vendor Advisories

References

Vulmon Search

About

Products

Connect