CVE-2017-8283

CRITICAL

dpkg-source in dpkg 1.3.0 through 1.18.23 - Directory Traversal via Blank-Indented Diff Hunks in a Crafted Debian Source Package

Title source: llm

Description

dpkg-source in dpkg 1.3.0 through 1.18.23 may run a non-GNU patch program and has no protection mechanism for blank-indented diff hunks (diff file headers and hunks preceded by whitespace), which allows remote attackers to conduct directory traversal attacks via a crafted Debian source package, as demonstrated with dpkg-source on NetBSD. dpkg-source checks the target paths of the patches in a source package before applying them, but it did not treat blank-indented lines as part of a patch, whereas a patch(1) implementation that accepts such indented hunks (NetBSD's, per the advisory) applies them, so a crafted patch could write outside the unpacked source tree (CWE-22). The exposure is extracting an untrusted source package (for example with dpkg-source -x or apt-get source) on a system whose patch program is not GNU patch; the description attributes the exploitable behaviour to non-GNU patch only. Fixed in dpkg 1.18.24.
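Worked illustration, added here; it is not dpkg's code and is not taken from the advisory. The description amounts to a parser differential: the pre-apply sanity check and the patch program disagree about which lines are diff file headers. The Python below models both sides with deliberately simplified parsers: a checker that skips inter-patch lines unless they begin with '--- ' at column 0 (the vulnerable shape), a lenient patch program that, like the non-GNU implementations the CVE names, ignores leading whitespace when looking for headers, and the hardened variant that refuses blank-indented headers and hunk markers before anything is applied. The sample patches, the function names and the exact matching rules are assumptions chosen for the illustration; the real dpkg-source and NetBSD patch code differ in detail.

```python
import posixpath
import re

# '--- old' / '+++ new' file headers and '@@' hunk markers, tolerating leading blanks.
HEADER_RE = re.compile(r"^(?P<indent>[ \t]*)(?P<kind>---|\+\+\+) (?P<path>\S+)")
HUNK_RE = re.compile(r"^(?P<indent>[ \t]*)@@ -\d+(?:,(?P<old>\d+))? \+\d+(?:,(?P<new>\d+))? @@")

# Constructed samples (assumed, not from the advisory): the crafted one appends a
# blank-indented second patch whose '+++' target climbs out of the source tree.
BENIGN_PATCH = """\
--- a/README
+++ b/README
@@ -1,1 +1,2 @@
 hello
+world
"""
CRAFTED_PATCH = BENIGN_PATCH + """\
 --- a/keys
 +++ b/../../../home/victim/.ssh/authorized_keys
 @@ -0,0 +1,1 @@
 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA attacker
"""

def strip_prefix(path):
    """Drop the 'a/' or 'b/' prefix git-style diffs put on paths."""
    return path[2:] if path.startswith(("a/", "b/")) else path

def escapes_tree(path):
    """True if path is absolute or climbs above the unpacked source tree."""
    return path.startswith("/") or posixpath.normpath(path).split("/")[0] == ".."

def is_blank_indented_diff_line(line):
    """A diff header or hunk marker once leading blanks are removed: what a
    whitespace-skipping patch(1) may honour even though the checker does not."""
    return line[:1] in (" ", "\t") and bool(HEADER_RE.match(line) or HUNK_RE.match(line))

def checker_targets(patch, reject_indented=False):
    """Pre-apply sanity check: validated target paths, or ValueError. Inter-patch lines are
    skipped as comments (vulnerable); reject_indented=True refuses blank-indented ones (hardened)."""
    lines, targets, i = patch.splitlines(), [], 0
    while i < len(lines):
        if not lines[i].startswith("--- "):
            if reject_indented and is_blank_indented_diff_line(lines[i]):
                raise ValueError(f"line {i + 1}: blank-indented diff hunk refused")
            i += 1
            continue
        i += 1  # past '--- old'; the '+++ new' header names the file that gets written
        new_hdr = HEADER_RE.match(lines[i]) if i < len(lines) else None
        if not new_hdr or new_hdr.group("kind") != "+++" or new_hdr.group("indent"):
            raise ValueError(f"line {i + 1}: expected '+++ new' header")
        path = strip_prefix(new_hdr.group("path"))
        if escapes_tree(path):
            raise ValueError(f"line {i + 1}: path {path!r} escapes the source tree")
        targets.append(path)
        i += 1
        while i < len(lines) and lines[i].startswith("@@ "):  # this file's hunks
            if not (m := HUNK_RE.match(lines[i])):
                raise ValueError(f"line {i + 1}: malformed hunk header")
            old, new = int(m.group("old") or 1), int(m.group("new") or 1)
            i += 1
            while old > 0 or new > 0:  # consume exactly the counted body lines
                tag = lines[i][:1] if i < len(lines) else ""
                if tag == " ":
                    old, new = old - 1, new - 1
                elif tag == "-":
                    old -= 1
                elif tag == "+":
                    new -= 1
                elif tag != "\\":  # '\ No newline at end of file' is not counted
                    raise ValueError(f"line {i + 1}: malformed or truncated hunk")
                i += 1
    return targets

def lenient_patch_targets(patch):
    """Model of a patch(1) that skips leading whitespace before matching file headers
    (the non-GNU behaviour the CVE relies on): the files it would write, in order."""
    lines, targets, i = patch.splitlines(), [], 0
    while i < len(lines):
        old = HEADER_RE.match(lines[i])
        new = HEADER_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
        if (old and new and old.group("kind") == "---" and new.group("kind") == "+++"
                and old.group("indent") == new.group("indent")):
            targets.append(strip_prefix(new.group("path")))
            i += 2
        else:
            i += 1
    return targets

def smuggled_targets(patch):
    """Files the lenient patch program would write that the vulnerable check never validated."""
    checked = checker_targets(patch)
    return [p for p in lenient_patch_targets(patch) if p not in checked]

def check_outcome(patch, hardened=False):
    """Validated targets, or the checker's rejection message, for side-by-side comparison."""
    try:
        return checker_targets(patch, reject_indented=hardened)
    except ValueError as exc:
        return str(exc)

if __name__ == "__main__":
    for name, p in ("benign", BENIGN_PATCH), ("crafted", CRAFTED_PATCH):
        print(f"{name}: vulnerable={check_outcome(p)} hardened={check_outcome(p, True)} "
              f"patch writes={lenient_patch_targets(p)} smuggled={smuggled_targets(p)}")
```

On the crafted sample the vulnerable checker validates only README, the lenient patch model would also write ../../../home/victim/.ssh/authorized_keys, and the hardened checker stops at the first blank-indented header. The hardened rule knowingly refuses an indented '--- ' line in genuine comment text; for a validator that runs before an external patch program that is the right trade, because the validator cannot know how strictly that program will parse.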

References (2)

Third Party Advisory, VDB Entry (x_refsource_bid)
http://www.securityfocus.com/bid/98064

Mailing List, Patch, Third Party Advisory (x_refsource_confirm)
http://www.openwall.com/lists/oss-security/2017/04/20/2

Scores

CVSS v3 9.8
EPSS 0.0457
EPSS Percentile 90.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Note: the vector scores a remotely delivered trigger with no user interaction. In practice the victim must extract an attacker-supplied source package, and only on a system whose patch program is not GNU patch, so the 9.8 overstates the reachable risk on typical Debian and Ubuntu hosts.

Details

CWE
CWE-22
Status published
Products (50)
debian/dpkg 1.3.0
debian/dpkg 1.3.1
debian/dpkg 1.3.2
debian/dpkg 1.3.3
debian/dpkg 1.3.4
debian/dpkg 1.3.5
debian/dpkg 1.3.6
debian/dpkg 1.3.7
debian/dpkg 1.3.8
debian/dpkg 1.3.9
... and 40 more
Published Apr 26, 2017
Tracked Since Feb 18, 2026