PT-2017-18259 · Debian+1 · Dpkg+1

Published

2015-04-23

Updated

2018-02-20

CVE-2017-8283

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions dpkg versions 1.3.0 through 1.18.23

Description The issue allows remote attackers to conduct directory traversal attacks via a crafted Debian source package. This is possible because dpkg-source in dpkg does not offer a protection mechanism for blank-indented diff hunks when using a non-GNU patch program.

Recommendations For versions 1.3.0 through 1.18.23, consider updating to a version that includes a fix for this issue, as using a non-GNU patch program without proper protection mechanisms poses a significant risk. As a temporary workaround, restrict the use of dpkg-source with non-GNU patch programs to minimize the risk of exploitation.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

ALT-PU-2015-1399

ALT-PU-2018-1271

CVE-2017-8283

Affected Products

Alt Linux

Dpkg

PT-2017-18259 · Debian+1 · Dpkg+1

CVE-2017-8283

Weakness Enumeration

Related Identifiers

Affected Products

References · 9