CVE-2014-3127

EUVD-2014-3147

14.05.2014, 00:55

dpkg 1.15.9 on Debian squeeze introduces support for the "C-style encoded filenames" feature without recognizing that the squeeze patch program lacks this feature, which triggers an interaction error that allows remote attackers to conduct directory traversal attacks and modify files outside of the intended directories via a crafted source package.  NOTE: this can be considered a release engineering problem in the effort to fix CVE-2014-0471.

Path Traversal

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.1 UNKNOWN	NETWORK	HIGH		AV:N/AC:H/Au:N/C:N/I:C/A:C

Base Score

CVSS 3.x

EPSS Score

Percentile: 75%

Affected Products (NVD)

Vendor	Product	Version
debian	dpkg	1.16.0
debian	dpkg	1.16.0.1
debian	dpkg	1.16.0.2
debian	dpkg	1.16.0.3
debian	dpkg	1.16.1
debian	dpkg	1.16.1.1
debian	dpkg	1.16.1.2
debian	dpkg	1.16.2
debian	dpkg	1.16.3
debian	dpkg	1.16.4
debian	dpkg	1.16.4.1
debian	dpkg	1.16.4.2
debian	dpkg	1.16.4.3
debian	dpkg	1.16.5
debian	dpkg	1.16.6
debian	dpkg	1.16.7
debian	dpkg	1.16.8
debian	dpkg	1.16.9
debian	dpkg	1.16.10
debian	dpkg	1.16.11
debian	dpkg	1.16.12
debian	dpkg	1.17.0
debian	dpkg	1.17.1
debian	dpkg	1.17.2
debian	dpkg	1.17.3
debian	dpkg	1.17.4
debian	dpkg	1.17.5
debian	dpkg	1.17.6
debian	dpkg	1.17.7
debian	dpkg	1.17.8
debian	dpkg	1.15.0
debian	dpkg	1.15.1
debian	dpkg	1.15.2
debian	dpkg	1.15.3
debian	dpkg	1.15.3.1
debian	dpkg	1.15.4
debian	dpkg	1.15.4.1
debian	dpkg	1.15.5
debian	dpkg	1.15.5.1
debian	dpkg	1.15.5.2
debian	dpkg	1.15.5.3
debian	dpkg	1.15.5.4
debian	dpkg	1.15.5.5
debian	dpkg	1.15.5.6
debian	dpkg	1.15.6
debian	dpkg	1.15.6.1
debian	dpkg	1.15.7
debian	dpkg	1.15.7.1
debian	dpkg	1.15.7.2
debian	dpkg	1.15.8
debian	dpkg	1.15.8.1
debian	dpkg	1.15.8.2
debian	dpkg	1.15.8.3
debian	dpkg	1.15.8.4
debian	dpkg	1.15.8.5
debian	dpkg	1.15.8.6
debian	dpkg	1.15.8.7
debian	dpkg	1.15.8.8
debian	dpkg	1.15.8.9
debian	dpkg	1.15.8.10
debian	dpkg	1.15.8.11
debian	dpkg	1.15.8.12
debian	dpkg	1.15.8.13
debian	dpkg	1.15.9

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

dpkg

bookworm	1.21.22 fixed
bullseye	1.20.13 fixed
bullseye (security)	1.20.10 fixed
sid	1.22.11 fixed
trixie	1.22.11 fixed

Ubuntu Releases

Ubuntu Product

Codename

dpkg

lucid	Fixed 1.15.5.6ubuntu4.8 released
precise	Fixed 1.16.1.2ubuntu7.4 released
quantal	Fixed 1.16.7ubuntu6.2 released
saucy	Fixed 1.16.12ubuntu1.2 released
trusty	Fixed 1.17.5ubuntu5.2 released

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References

http://metadata.ftp-master.debian.org/changelogs//main/d/dpkg/dpkg_1.15.10_changelog

http://seclists.org/oss-sec/2014/q2/191

http://seclists.org/oss-sec/2014/q2/227

http://www.securityfocus.com/bid/67181

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746306

http://metadata.ftp-master.debian.org/changelogs//main/d/dpkg/dpkg_1.15.10_changelog

http://seclists.org/oss-sec/2014/q2/191

http://seclists.org/oss-sec/2014/q2/227

http://www.securityfocus.com/bid/67181

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746306