Javier Serrano Polo

**Name of the Vulnerable Software and Affected Versions** dpkg-dev version 1.3.0 **Description** A directory traversal issue in dpkg-source allows remote attackers to modify files outside of the intended directories. This is achieved by crafting a source package that lacks a --- header line. **Recommendations** For dpkg-dev version 1.3.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** dpkg version 1.15.9 **Description** The issue arises from the introduction of support for C-style encoded filenames in dpkg 1.15.9 on Debian squeeze, without considering that the squeeze patch program does not have this feature. This leads to an interaction error, allowing remote attackers to perform directory traversal attacks and modify files outside the intended directories by using a crafted source package. **Recommendations** For dpkg version 1.15.9, consider disabling the C-style encoded filenames feature as a temporary workaround until a patch is available. Restrict access to the package installation process to minimize the risk of exploitation. Avoid using crafted source packages until the issue is resolved.