dpkg 1.15.9, 1.16.x before 1.16.14, and 1.17.x before 1.17.9 expects the
patch program to support the “C-style encoded filenames” feature, but it
is also used in environments whose patch program does not support that
feature. The resulting mismatch between how dpkg and patch interpret a
filename is an interaction error that allows remote attackers to conduct
directory traversal attacks and modify files outside of the intended
directories via a crafted source package. NOTE: this vulnerability exists
because of reliance on unrealistic constraints on the behavior of an
external program.
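As an added defensive check (not dpkg's own code), the following Python reads the file headers of a unified diff, decodes GNU-style C-quoted filenames, and flags any target that escapes the working tree under either the literal or the decoded interpretation, which is exactly the two-interpretation mismatch this record describes. The sample patch, the escape subset handled, and the -p1 strip depth are assumptions.

```python
import os
import re

# "--- name" / "+++ name" headers, optionally followed by a tab and a timestamp.
HEADER_RE = re.compile(r'^(\+\+\+|---) (\S.*?)(?:\t.*)?$')
# Assumed subset of the C-style escapes GNU diff/patch use in quoted filenames.
ESCAPES = {'a': '\a', 'b': '\b', 'f': '\f', 'n': '\n', 'r': '\r',
           't': '\t', 'v': '\v', '\\': '\\', '"': '"'}

def c_unquote(name):
    """Return (decoded, was_quoted) for a "..."-quoted C-style filename."""
    if not (len(name) >= 2 and name[0] == '"' and name[-1] == '"'):
        return name, False          # unquoted: a literal name, taken as-is
    body, out, i = name[1:-1], [], 0
    while i < len(body):
        ch = body[i]
        if ch == '\\' and i + 1 < len(body):
            nxt = body[i + 1]
            if nxt in '01234567':   # \NNN octal escape (up to three digits)
                j = i + 1
                while j < len(body) and j < i + 4 and body[j] in '01234567':
                    j += 1
                out.append(chr(int(body[i + 1:j], 8)))
                i = j
                continue
            out.append(ESCAPES.get(nxt, nxt))
            i += 2
        else:
            out.append(ch)
            i += 1
    return ''.join(out), True

def escapes_tree(path, strip=1):
    """True if path, after dropping `strip` leading components (like patch -pN),
    is absolute or climbs above the directory the patch is applied in."""
    if path.startswith('/'):
        return True
    parts = path.split('/')[strip:]
    norm = os.path.normpath('/'.join(parts)) if parts else '.'
    return norm == '..' or norm.startswith('../')

def unsafe_targets(patch_text, strip=1):
    """[(literal, decoded)] for headers unsafe under EITHER interpretation:
    literal (patch without C-quoting support) or decoded (patch with it)."""
    flagged = []
    for line in patch_text.splitlines():
        m = HEADER_RE.match(line)
        if not m or m.group(2) == '/dev/null':   # /dev/null marks create/delete
            continue
        literal = m.group(2)
        decoded, _ = c_unquote(literal)
        if escapes_tree(literal, strip) or escapes_tree(decoded, strip):
            flagged.append((literal, decoded))
    return flagged

SAMPLE_PATCH = (  # constructed sample: one benign hunk, one C-quoted traversal
    "--- a/src/main.c\n+++ b/src/main.c\n@@ -1 +1 @@\n-x\n+y\n"
    '--- /dev/null\n+++ "b/\\056\\056/\\056\\056/etc/example.conf"\n'
    "@@ -0,0 +1 @@\n+z\n"
)
```

A checker that looks only at the literal header text passes the second hunk, while a patch that decodes `\056` writes two levels above the source tree.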
openwall.com/lists/oss-security/2014/04/29/4
openwall.com/lists/oss-security/2014/05/29/16
bugs.debian.org/cgi-bin/bugreport.cgi?bug=746306
launchpad.net/bugs/cve/CVE-2014-3227
nvd.nist.gov/vuln/detail/CVE-2014-3227
security-tracker.debian.org/tracker/CVE-2014-3227
ubuntu.com/security/notices/USN-2183-2
www.cve.org/CVERecord?id=CVE-2014-3227