Vulnerability Monitor


CVE-2014-3227


dpkg 1.15.9, 1.16.x before 1.16.14, and 1.17.x before 1.17.9 expect the patch program to be compliant with a need for the "C-style encoded filenames" feature, but are supported in environments with noncompliant patch programs, which triggers an interaction error that allows remote attackers to conduct directory traversal attacks and modify files outside of the intended directories via a crafted source package. NOTE: this vulnerability exists because of reliance on unrealistic constraints on the behavior of an external program.


Published

2014-05-30T18:55:05.960

Last Modified

2025-04-12T10:46:40.837

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 6.4 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:N/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

4.9

Weaknesses

  • Type: Primary
    CWE-22

Affected Vendors & Products

| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | debian | dpkg | 1.15.9 | Yes |
| Application | debian | dpkg | 1.16.0 | Yes |
| Application | debian | dpkg | 1.16.0.1 | Yes |
| Application | debian | dpkg | 1.16.0.2 | Yes |
| Application | debian | dpkg | 1.16.0.3 | Yes |
| Application | debian | dpkg | 1.16.1 | Yes |
| Application | debian | dpkg | 1.16.1.1 | Yes |
| Application | debian | dpkg | 1.16.1.2 | Yes |
| Application | debian | dpkg | 1.16.2 | Yes |
| Application | debian | dpkg | 1.16.3 | Yes |
| Application | debian | dpkg | 1.16.4 | Yes |
| Application | debian | dpkg | 1.16.4.1 | Yes |
| Application | debian | dpkg | 1.16.4.2 | Yes |
| Application | debian | dpkg | 1.16.4.3 | Yes |
| Application | debian | dpkg | 1.16.5 | Yes |
| Application | debian | dpkg | 1.16.6 | Yes |
| Application | debian | dpkg | 1.16.7 | Yes |
| Application | debian | dpkg | 1.16.8 | Yes |
| Application | debian | dpkg | 1.16.9 | Yes |
| Application | debian | dpkg | 1.16.10 | Yes |
| Application | debian | dpkg | 1.16.11 | Yes |
| Application | debian | dpkg | 1.16.12 | Yes |
| Application | debian | dpkg | 1.17.0 | Yes |
| Application | debian | dpkg | 1.17.1 | Yes |
| Application | debian | dpkg | 1.17.2 | Yes |
| Application | debian | dpkg | 1.17.3 | Yes |
| Application | debian | dpkg | 1.17.4 | Yes |
| Application | debian | dpkg | 1.17.5 | Yes |
| Application | debian | dpkg | 1.17.6 | Yes |
| Application | debian | dpkg | 1.17.7 | Yes |
| Application | debian | dpkg | 1.17.8 | Yes |

References