Multiple vulnerabilities in packages.debian dpkg
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2014-3227 CVE-2014-3127 |
| CWE-ID | CWE-22 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
dpkg Other software / Other software solutions |
| Vendor | Debian Package Manager |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Path traversal
EUVDB-ID: #VU41598
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2014-3227
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate or delete data.
dpkg 1.15.9, 1.16.x before 1.16.14, and 1.17.x before 1.17.9 expect the patch program to be compliant with a need for the "C-style encoded filenames" feature, but is supported in environments with noncompliant patch programs, which triggers an interaction error that allows remote attackers to conduct directory traversal attacks and modify files outside of the intended directories via a crafted source package. NOTE: this vulnerability exists because of reliance on unrealistic constraints on the behavior of an external program.
MitigationInstall update from vendor's website.
Vulnerable software versionsdpkg: 1.15.9 - 1.17.8
External linkshttp://openwall.com/lists/oss-security/2014/04/29/4
http://openwall.com/lists/oss-security/2014/05/29/16
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746306
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Path traversal
EUVDB-ID: #VU41685
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2014-3127
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.
dpkg 1.15.9 on Debian squeeze introduces support for the "C-style encoded filenames" feature without recognizing that the squeeze patch program lacks this feature, which triggers an interaction error that allows remote attackers to conduct directory traversal attacks and modify files outside of the intended directories via a crafted source package. NOTE: this can be considered a release engineering problem in the effort to fix CVE-2014-0471.
MitigationInstall update from vendor's website.
Vulnerable software versionsdpkg: 1.15.0 - 1.17.8
External linkshttp://metadata.ftp-master.debian.org/changelogs//main/d/dpkg/dpkg_1.15.10_changelog
http://seclists.org/oss-sec/2014/q2/191
http://seclists.org/oss-sec/2014/q2/227
http://www.securityfocus.com/bid/67181
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746306
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
