PT-2014-5151 · Debian+1 · Dpkg+1

Raphael Geissert · Published 2014-05-13 · Updated 2014-06-24 · CVE-2014-3227

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P
Name of the Vulnerable Software and Affected Versions: dpkg versions 1.15.9, 1.16.x through 1.16.13, and 1.17.x through 1.17.8

Description: The issue arises from dpkg's expectation that the patch program supports "C-style encoded filenames", which can lead to an interaction error in environments where the patch program does not comply with this requirement. This error can be exploited by remote attackers to conduct directory traversal attacks, allowing them to modify files outside the intended directories by using a crafted source package.

Recommendations: For dpkg version 1.15.9, update to a version that does not rely on the "C-style encoded filenames" feature for security. For dpkg versions 1.16.x through 1.16.13, update to version 1.16.14 or later. For dpkg versions 1.17.x through 1.17.8, update to version 1.17.9 or later.

Fix

Path traversal


Weakness Enumeration

Related identifiers

ALT-PU-2014-1627
CVE-2014-3227
DSA-2915-2

Affected products

Alt Linux
Dpkg