CVE-2014-3127

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2014-3127

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2014-3127.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2014-3127

Related

Published

2014-05-14T00:55:10Z

Modified

2024-11-21T02:07:30Z

Summary

[none]

Details

dpkg 1.15.9 on Debian squeeze introduces support for the "C-style encoded filenames" feature without recognizing that the squeeze patch program lacks this feature, which triggers an interaction error that allows remote attackers to conduct directory traversal attacks and modify files outside of the intended directories via a crafted source package. NOTE: this can be considered a release engineering problem in the effort to fix CVE-2014-0471.

References

Affected packages

Debian:11 / dpkg

Package

Name: dpkg
Purl: pkg:deb/debian/dpkg?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.17.9

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / dpkg

Package

Name: dpkg
Purl: pkg:deb/debian/dpkg?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.17.9

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / dpkg

Package

Name: dpkg
Purl: pkg:deb/debian/dpkg?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.17.9

Ecosystem specific

{
    "urgency": "not yet assigned"
}