CVE-2017-8283
Published: 26 April 2017
dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU patch program and does not offer a protection mechanism for blank-indented diff hunks, which allows remote attackers to conduct directory traversal attacks via a crafted Debian source package, as demonstrated by use of dpkg-source on NetBSD.
Priority
CVSS 3 base score: 9.8
Status
Package | Release | Status |
---|---|---|
dpkg (Launchpad, Ubuntu, Debian) | Upstream | Released (1.18.24) |
dpkg | Ubuntu 21.04 (Hirsute Hippo) | Not vulnerable |
dpkg | Ubuntu 20.10 (Groovy Gorilla) | Not vulnerable |
dpkg | Ubuntu 20.04 LTS (Focal Fossa) | Not vulnerable |
dpkg | Ubuntu 18.04 LTS (Bionic Beaver) | Not vulnerable (1.18.24ubuntu1) |
dpkg | Ubuntu 16.04 LTS (Xenial Xerus) | Needed |
dpkg | Ubuntu 14.04 ESM (Trusty Tahr) | Needed |
Notes
Author | Note |
---|---|
mdeslaur | This only affects operating systems that don't use GNU patch by default, which isn't the case on Debian/Ubuntu. Setting priority to negligible. |