Lucene search
K

14 matches found

CVE
CVE
added 2022/05/26 8:20 a.m.479 views

CVE-2022-1664

CVE-2022-1664 affects dpkg: Dpkg::Source::Archive allows directory traversal during in-place extraction of untrusted v2/v3 source packages that include debian.tar. Affected versions are dpkg before 1.21.8, 1.20.10, 1.19.8, and 1.18.26. Mitigation: upgrade to a fixed dpkg version (e.g., 1.21.8 or ...

9.8CVSS9.3AI score0.02871EPSS
CVE
CVE
added 2015/12/03 8:0 p.m.117 views

CVE-2015-0860

CVE-2015-0860 affects the dpkg-deb component of dpkg. An off-by-one error in extracthalf/extract.c can cause a stack-based buffer overflow via the archive magic version number in an old-style Debian binary package, enabling remote code execution. The issue affects dpkg 1.16.x before 1.16.17 and 1...

7.5CVSS9.5AI score0.05035EPSS
CVE
CVE
added 2011/01/11 1:0 a.m.83 views

CVE-2010-1679

CVE-2010-1679 describes a directory-traversal flaw in dpkg-source (dpkg prior to 1.14.31 and 1.15.x) where a patch for a source-format 3.0 package can be exploited to modify arbitrary files. The root cause is insufficient validation of patch-driven file paths during source-package processing, ena...

6.8CVSS6.5AI score0.03119EPSS
CVE
CVE
added 2026/03/07 8:10 a.m.80 views

CVE-2026-2219

CVE-2026-2219 affects dpkg-deb in dpkg, where improper validation of the end of the data stream during uncompression of zstd-compressed .deb archives can lead to a denial-of-service (infinite CPU loop). Public records from OSV and OSV-derived advisories confirm patches exist in multiple distribut...

7.5CVSS5.8AI score0.00418EPSS
CVE
CVE
added 2010/03/12 8:0 p.m.79 views

CVE-2010-0396

CVE-2010-0396 affects the dpkg package, specifically the dpkg-source component, where a directory traversal flaw in crafted Debian source archives could let an attacker modify arbitrary files. The vulnerability exists in versions prior to 1.14.29; Debian’s security advisory references DSA-2011 an...

5.8CVSS6.4AI score0.02007EPSS
CVE
CVE
added 2015/04/13 2:0 p.m.78 views

CVE-2015-0840

CVE-2015-0840 affects dpkg before 1.16.16 and 1.17.x before 1.17.25. The issue: the dpkg-source command can bypass the signature check for Debian source control files (.dsc) by crafting the file, enabling bypass of source package integrity verification in local installs. Impact stated in sources:...

4.3CVSS6.4AI score0.0184EPSS
CVE
CVE
added 2014/04/30 2:0 p.m.76 views

CVE-2014-0471

CVE-2014-0471 describes a directory-traversal in dpkg’s unpacking code (C-style filename quoting) that lets remote attackers write arbitrary files via a crafted source package. Affected are dpkg versions before 1.15.9, 1.16.x before 1.16.13, and 1.17.x before 1.17.8. The root cause is mis-handlin...

5CVSS6.5AI score0.02859EPSS
CVE
CVE
added 2015/01/20 3:0 p.m.76 views

CVE-2014-8625

CVE-2014-8625 affects dpkg prior to 1.17.22, where the parse_error_msg function in parsehelp.c is vulnerable to format-string processing via the package or architecture name, enabling a denial of service and potentially arbitrary code execution. Public references in the connected docs consistentl...

6.8CVSS7.8AI score0.03296EPSS
CVE
CVE
added 2025/07/01 4:16 p.m.73 views

CVE-2025-6297

The CVE-2025-6297 issue affects the dpkg-deb component, where improper sanitization of directory permissions when extracting a control member into a temporary directory can leave temporary files and lead to DoS via disk quota exhaustion or full disks. Affected: dpkg- and debian-based tooling acro...

8.2CVSS6.8AI score0.00341EPSS
CVE
CVE
added 2014/05/30 6:0 p.m.71 views

CVE-2014-3227

The CVE-2014-3227 entry concerns dpkg components: dpkg 1.15.9, 1.16.x before 1.16.14, and 1.17.x before 1.17.9 may rely on a patch program’s handling of the C-style encoded filenames feature. If the patch program is noncompliant, this leads to an interaction error that enables a directory travers...

6.4CVSS6.6AI score0.01821EPSS
CVE
CVE
added 2017/04/26 5:28 a.m.70 views

CVE-2017-8283

CVE-2017-8283 concerns dpkg-source in dpkg 1.3.0 through 1.18.23, which can invoke a non-GNU patch program and lacks protection for blank-indented diff hunks. This enables remote attackers to perform directory traversal via a crafted Debian source package, demonstrated by using dpkg-source on Net...

9.8CVSS9.2AI score0.04611EPSS
CVE
CVE
added 2011/01/11 1:0 a.m.66 views

CVE-2011-0402

CVE-2011-0402 affects dpkg-source in dpkg before 1.14.31 and 1.15.x, enabling a user-assisted remote attacker to modify arbitrary files via a symlink attack on unspecified files in the .pc directory. The connected OpenVAS entries and Fedora/Debian advisories reference this CVE alongside updates (...

6.8CVSS6.5AI score0.02873EPSS
CVE
CVE
added 2014/05/14 12:0 a.m.65 views

CVE-2014-3127

CVE-2014-3127 concerns dpkg 1.15.9 on Debian squeeze where enabling the C-style encoded filenames feature, without the corresponding patch in the squeeze patch program, can trigger an interaction error allowing directory traversal via a crafted source package. The note ties this to release engine...

7.1CVSS6.3AI score0.02073EPSS
CVE
CVE
added 2010/06/08 6:0 p.m.60 views

CVE-2004-2768

The CVE-2004-2768 entry concerns dpkg 1.9.21 where metadata for a file is not properly reset during package upgrades. This could let local attackers gain privileges by creating a hard link to a vulnerable (1) setuid, (2) setgid, or (3) device file; the issue is related to CVE-2010-2059. The initi...

7.2CVSS7.5AI score0.00411EPSS