CVE-2017-8283
Severity: CRITICAL
dpkg 1.3.0 through 1.18.23 - Directory Traversal via Crafted Debian Source Package
dpkg-source in dpkg 1.3.0 through 1.18.23 can invoke a non-GNU patch program and has no protection against blank-indented diff hunks (hunks whose file headers and hunk markers are preceded by leading blanks, which a lenient patch(1) still accepts). A crafted Debian source package can therefore make the patch step write outside the unpacked source tree, allowing remote attackers to conduct directory traversal attacks, as demonstrated by running dpkg-source on NetBSD. Because dpkg-source applies a 3.0 (quilt) package's patches while extracting it, unpacking an untrusted source package is enough to trigger the write.
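To make the parser differential concrete, here is an added Python check (not dpkg's own code, which is Perl, and not the NetBSD patch(1) implementation) that parses a unified diff two ways: strictly, recognising file headers and hunk markers only at column 0, and leniently, tolerating leading blanks as the advisory says a non-GNU patch(1) may. The hardened check then evaluates targets the lenient way and refuses any blank-indented marker outright. The sample patch, its escaped path and the assumption that a lenient patch(1) simply strips the leading blank are all constructed for illustration.

```python
"""Check a unified diff for blank-indented diff markers and traversal targets.

Added illustration of the parser differential behind CVE-2017-8283; this is
not dpkg's code.  A validator that only recognises headers at column 0 and a
patch(1) that tolerates leading blanks can disagree about which files a patch
touches, and the attacker wins whenever the applier is laxer than the checker.
"""
import posixpath
import re

# Constructed sample patch.  The first file section is ordinary.  The second is
# indented by one blank, so a column-0 scanner sees only trailing garbage after
# a completed hunk, while a blank-tolerant parser (assumed behaviour of the
# non-GNU patch the advisory refers to) sees a header pointing outside the tree.
SAMPLE_PATCH = """\
--- a/debian/control
+++ b/debian/control
@@ -1 +1 @@
-Source: foo
+Source: foo-patched
 --- a/dummy
 +++ ../../../tmp/escaped.txt
 @@ -0,0 +1 @@
 +escaped content
"""

INDENTED = re.compile(r"^[ \t]+(?:---|\+\+\+|@@)")
NEW_FILE = re.compile(r"^\+\+\+[ \t]+(\S+)")
HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")


def strip_components(path, n=1):
    """Mimic patch -pN: drop the first N slash-separated components."""
    parts = path.split("/")
    return "/".join(parts[n:]) if len(parts) > n else parts[-1]


def escapes_tree(path, strip=1):
    """True if the -p<strip>-adjusted path lands outside the unpack directory."""
    rel = strip_components(path, strip)
    if rel.startswith("/"):
        return True
    norm = posixpath.normpath(rel)
    return norm == ".." or norm.startswith("../")


def parse_targets(patch, tolerate_indent):
    """Walk the diff honouring hunk line counts, so that a context line inside
    a hunk is never mistaken for a header.  Returns (targets, indented): the
    file targets a parser of the given leniency would write to, and the line
    numbers of diff markers that appear with leading blanks."""
    targets, indented = [], []
    old_left = new_left = 0
    for lineno, line in enumerate(patch.splitlines(), 1):
        if old_left > 0 or new_left > 0:           # inside a hunk body
            tag = line[:1] or " "                  # empty line: blank context
            if tag in (" ", "-"):
                old_left -= 1
            if tag in (" ", "+"):
                new_left -= 1
            if tag in (" ", "-", "+", "\\"):
                continue
            old_left = new_left = 0                # hunk ended early, re-read
        if INDENTED.match(line):
            indented.append(lineno)
            if not tolerate_indent:
                continue                           # strict parser: garbage
            line = line.lstrip(" \t")              # lenient parser: a marker
        m = NEW_FILE.match(line)
        if m:
            targets.append(m.group(1))
            continue
        m = HUNK.match(line)
        if m:
            old_left = int(m.group(1) or 1)
            new_left = int(m.group(2) or 1)
    return targets, indented


def check_patch(patch, strip=1):
    """Hardened validator: reject blank-indented markers outright and judge
    every target the way the most lenient applier would."""
    targets, indented = parse_targets(patch, tolerate_indent=True)
    problems = [("indented-marker", n) for n in indented]
    problems += [("traversal", p) for p in targets if escapes_tree(p, strip)]
    return problems


if __name__ == "__main__":
    print("strict sees: ", parse_targets(SAMPLE_PATCH, False)[0])
    print("lenient sees:", parse_targets(SAMPLE_PATCH, True)[0])
    print("findings:    ", check_patch(SAMPLE_PATCH))
```

The strict parse reports only debian/control, the lenient parse also reports the escaped path, and check_patch flags both the three indented markers and the traversal. Only unified-diff headers and -p1 stripping are handled; a real implementation would also need diff --git, rename and copy lines, and -p0.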
References (2)
http://www.securityfocus.com/bid/98064 (SecurityFocus BID 98064; Third Party Advisory, VDB Entry)
http://www.openwall.com/lists/oss-security/2017/04/20/2 (oss-security announcement; Mailing List, Patch, Third Party Advisory)
Scores
CVSS v3 base score: 9.8 (CRITICAL)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Attack Vector: NETWORK; low complexity, no privileges, no user interaction; high confidentiality, integrity and availability impact). Note that exploitation still depends on the victim running dpkg-source on the attacker-supplied package.
EPSS: 0.0457 (percentile 90.5%)
Details
CWE: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")
Status: published
Products (50)
debian/dpkg 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9 ... and 40 more (the affected range runs from 1.3.0 through 1.18.23)
Published: Apr 26, 2017
Tracked since: Feb 18, 2026