Vulnerabilities > Debian > Dpkg

DATE CVE VULNERABILITY TITLE RISK
2022-05-26 CVE-2022-1664 Path Traversal vulnerability in multiple products
Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability.
network
low complexity
debian netapp CWE-22
critical
9.8
2017-04-26 CVE-2017-8283 Path Traversal vulnerability in Debian Dpkg
dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU patch program and does not offer a protection mechanism for blank-indented diff hunks, which allows remote attackers to conduct directory traversal attacks via a crafted Debian source package, as demonstrated by use of dpkg-source on NetBSD.
network
low complexity
debian CWE-22
7.5
2015-12-03 CVE-2015-0860 Numeric Errors vulnerability in multiple products
Off-by-one error in the extracthalf function in dpkg-deb/extract.c in the dpkg-deb component in Debian dpkg 1.16.x before 1.16.17 and 1.17.x before 1.17.26 allows remote attackers to execute arbitrary code via the archive magic version number in an "old-style" Debian binary package, which triggers a stack-based buffer overflow.
network
low complexity
canonical debian CWE-189
7.5
2015-04-13 CVE-2015-0840 Improper Access Control vulnerability in multiple products
The dpkg-source command in Debian dpkg before 1.16.16 and 1.17.x before 1.17.25 allows remote attackers to bypass signature verification via a crafted Debian source control file (.dsc).
4.3
2015-01-20 CVE-2014-8625 Use of Externally-Controlled Format String vulnerability in Debian Dpkg
Multiple format string vulnerabilities in the parse_error_msg function in parsehelp.c in dpkg before 1.17.22 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in the (1) package or (2) architecture name.
network
debian CWE-134
6.8
2014-05-30 CVE-2014-3227 Path Traversal vulnerability in Debian Dpkg
dpkg 1.15.9, 1.16.x before 1.16.14, and 1.17.x before 1.17.9 expect the patch program to be compliant with a need for the "C-style encoded filenames" feature, but is supported in environments with noncompliant patch programs, which triggers an interaction error that allows remote attackers to conduct directory traversal attacks and modify files outside of the intended directories via a crafted source package.
network
low complexity
debian CWE-22
6.4
2014-05-14 CVE-2014-3127 Path Traversal vulnerability in Debian Dpkg
dpkg 1.15.9 on Debian squeeze introduces support for the "C-style encoded filenames" feature without recognizing that the squeeze patch program lacks this feature, which triggers an interaction error that allows remote attackers to conduct directory traversal attacks and modify files outside of the intended directories via a crafted source package.
network
high complexity
debian CWE-22
7.1
2014-04-30 CVE-2014-0471 Path Traversal vulnerability in multiple products
Directory traversal vulnerability in the unpacking functionality in dpkg before 1.15.9, 1.16.x before 1.16.13, and 1.17.x before 1.17.8 allows remote attackers to write arbitrary files via a crafted source package, related to "C-style filename quoting."
network
low complexity
debian canonical CWE-22
5.0
2011-01-11 CVE-2011-0402 Link Following vulnerability in Debian Dpkg
dpkg-source in dpkg before 1.14.31 and 1.15.x allows user-assisted remote attackers to modify arbitrary files via a symlink attack on unspecified files in the .pc directory.
network
debian CWE-59
6.8
2011-01-11 CVE-2010-1679 Path Traversal vulnerability in Debian Dpkg
Directory traversal vulnerability in dpkg-source in dpkg before 1.14.31 and 1.15.x allows user-assisted remote attackers to modify arbitrary files via directory traversal sequences in a patch for a source-format 3.0 package.
network
debian CWE-22
6.8