UBUNTU-CVE-2014-3127

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2014-3127

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2014/UBUNTU-CVE-2014-3127.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2014-3127

Related

Published

2014-05-14T00:55:00Z

Modified

2025-01-13T10:21:06Z

Summary

[none]

Details

dpkg 1.15.9 on Debian squeeze introduces support for the "C-style encoded filenames" feature without recognizing that the squeeze patch program lacks this feature, which triggers an interaction error that allows remote attackers to conduct directory traversal attacks and modify files outside of the intended directories via a crafted source package. NOTE: this can be considered a release engineering problem in the effort to fix CVE-2014-0471.

References

Affected packages

Ubuntu:14.04:LTS / dpkg

Package

Name: dpkg
Purl: pkg:deb/ubuntu/dpkg@1.17.5ubuntu5.2?arch=source&distro=trusty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.17.5ubuntu5.2

Affected versions

1.*

1.16.12ubuntu1

1.17.1ubuntu1

1.17.5ubuntu1

1.17.5ubuntu2

1.17.5ubuntu3

1.17.5ubuntu4

1.17.5ubuntu5

1.17.5ubuntu5.1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1.17.5ubuntu5.2",
            "binary_name": "dpkg"
        },
        {
            "binary_version": "1.17.5ubuntu5.2",
            "binary_name": "dpkg-dev"
        },
        {
            "binary_version": "1.17.5ubuntu5.2",
            "binary_name": "dselect"
        },
        {
            "binary_version": "1.17.5ubuntu5.2",
            "binary_name": "libdpkg-dev"
        },
        {
            "binary_version": "1.17.5ubuntu5.2",
            "binary_name": "libdpkg-perl"
        }
    ]
}