CVE-2014-3127

Name of the Vulnerable Software and Affected Versions dpkg version 1.15.9

Description The issue arises from the introduction of support for C-style encoded filenames in dpkg 1.15.9 on Debian squeeze, without considering that the squeeze patch program does not have this feature. This leads to an interaction error, allowing remote attackers to perform directory traversal attacks and modify files outside the intended directories by using a crafted source package.

Recommendations For dpkg version 1.15.9, consider disabling the C-style encoded filenames feature as a temporary workaround until a patch is available. Restrict access to the package installation process to minimize the risk of exploitation. Avoid using crafted source packages until the issue is resolved.