Headline
CVE-2022-1664: [SECURITY] [DSA 5147-1] dpkg security update
Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.
[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]
- To: [email protected]
- Subject: [SECURITY] [DSA 5147-1] dpkg security update
- From: Salvatore Bonaccorso <[email protected]>
- Date: Wed, 25 May 2022 15:31:54 +0000
- Message-id: <[🔎] [email protected]>
- Reply-to: [email protected]
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
Debian Security Advisory DSA-5147-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso May 25, 2022 https://www.debian.org/security/faq
Package : dpkg CVE ID : CVE-2022-1664
Max Justicz reported a directory traversal vulnerability in Dpkg::Source::Archive in dpkg, the Debian package management system. This affects extracting untrusted source packages in the v2 and v3 source package formats that include a debian.tar.
For the oldstable distribution (buster), this problem has been fixed in version 1.19.8.
For the stable distribution (bullseye), this problem has been fixed in version 1.20.10.
We recommend that you upgrade your dpkg packages.
For the detailed security status of dpkg please refer to its security tracker page at: https://security-tracker.debian.org/tracker/dpkg
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: [email protected] -----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmKOS75fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0SQiw//emxzoeBb84SW7etFMi/UQJZSPSg9sEcbD3IKAUU4DbZsz1rnPiydijHw X7eYWx3SoCx4wItsLT5n9eMFCGoyMp0zPebv8T7ipr/0dhe+R5MNKkKqmvBZOO10 MP9o3rm2VA0wUSHeNNhFlQHf/4cFWYXSeQGdq5/iemZcYY+/nEt56EX9iEoQX5dq AQ3eQ90nczZrOY3JSVtiJmv7btq19EcVDF54iqzKVdKis34305J77i+ZMVyYhMId cuWsv6ZgvdjfqLb8hYVE4IlXJZHATx5NKzAx1g5ZkeC/rbZCTLoEoBi+VV7caRxB 7ailjM5E5Qcd8f/nIQDq9ZkPKF8kKc5FlFW+K7FKO2YbVhcwqAodFosphRMc9G7j p98aTDjp7WC9if5QwgdiSdt3h2/hFRfRZd6otlk8ub8i/OT5pbvCBrCWPS8Q8Hr5 pLQ0SgUnyANBPhJiByg4Km+Rl/nzI0VbZqxb19zQeMJK+SJoEgYrhhzoR32ZCLs0 cqf5xnlaiXWwi2I7mTJP7RwWTnESXFBMW0IjhDW2UDqK26jSgjWjFPBb+4JKRk+M vkhVbxCoZo5wh5LoOQAD5u34ggsZliid6cs7nNWXg3Wvw1kxh+WTnReVnlD4tcV7 jWlMgVOgCucWXGYXauB1b2nUTAXq5f/gjaCOF/yTi0jVuqgW9tI= =zSO4 -----END PGP SIGNATURE-----
Reply to:
Salvatore Bonaccorso (on-list)
Salvatore Bonaccorso (off-list)
Prev by Date: [SECURITY] [DSA 5146-1] puma security update
Next by Date: [SECURITY] [DSA 5148-1] chromium security update
Previous by thread: [SECURITY] [DSA 5146-1] puma security update
Next by thread: [SECURITY] [DSA 5148-1] chromium security update
Index(es):
- Date
- Thread
Related news
Gentoo Linux Security Advisory 202408-30 - A vulnerability has been discovered in dpkg, which allows for directory traversal. Versions greater than or equal to 1.20.9-r1 are affected.
Dell VxRail versions earlier than 7.0.450, contain(s) an OS command injection vulnerability in VxRail Manager. A local authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.
Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]
Ubuntu Security Notice 5446-2 - USN-5446-1 fixed a vulnerability in dpkg. This update provides the corresponding update for Ubuntu 16.04 ESM. Max Justicz discovered that dpkg incorrectly handled unpacking certain source packages. If a user or an automated system were tricked into unpacking a specially crafted source package, a remote attacker could modify files outside the target unpack directory, leading to a denial of service or potentially gaining access to the system.
Ubuntu Security Notice 5446-1 - Max Justicz discovered that dpkg incorrectly handled unpacking certain source packages. If a user or an automated system were tricked into unpacking a specially crafted source package, a remote attacker could modify files outside the target unpack directory, leading to a denial of service or potentially gaining access to the system.