SB2014051408 - Multiple vulnerabilities in packages.debian dpkg
Published: May 14, 2014 Updated: August 10, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Path traversal (CVE-ID: CVE-2014-3227)
The vulnerability allows a remote non-authenticated attacker to manipulate or delete data.
dpkg 1.15.9, 1.16.x before 1.16.14, and 1.17.x before 1.17.9 expect the patch program to be compliant with a need for the "C-style encoded filenames" feature, but is supported in environments with noncompliant patch programs, which triggers an interaction error that allows remote attackers to conduct directory traversal attacks and modify files outside of the intended directories via a crafted source package. NOTE: this vulnerability exists because of reliance on unrealistic constraints on the behavior of an external program.
2) Path traversal (CVE-ID: CVE-2014-3127)
The vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.
dpkg 1.15.9 on Debian squeeze introduces support for the "C-style encoded filenames" feature without recognizing that the squeeze patch program lacks this feature, which triggers an interaction error that allows remote attackers to conduct directory traversal attacks and modify files outside of the intended directories via a crafted source package. NOTE: this can be considered a release engineering problem in the effort to fix CVE-2014-0471.
Remediation
Install update from vendor's website.
References
- http://openwall.com/lists/oss-security/2014/04/29/4
- http://openwall.com/lists/oss-security/2014/05/29/16
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746306
- http://metadata.ftp-master.debian.org/changelogs//main/d/dpkg/dpkg_1.15.10_changelog
- http://seclists.org/oss-sec/2014/q2/191
- http://seclists.org/oss-sec/2014/q2/227
- http://www.securityfocus.com/bid/67181