CVE-2017-8283
Published: 26 April 2017
dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU patch program and does not offer a protection mechanism for blank-indented diff hunks, which allows remote attackers to conduct directory traversal attacks via a crafted Debian source package, as demonstrated by use of dpkg-source on NetBSD.
Priority
Negligible
CVSS 3 base score: 9.8
Status
| Package | Release | Status |
|---|---|---|
|
dpkg Launchpad, Ubuntu, Debian |
Upstream |
Released
(1.18.24)
|
| Ubuntu 21.04 (Hirsute Hippo) |
Not vulnerable
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Not vulnerable
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Not vulnerable
(1.18.24ubuntu1)
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Needed
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Needed
|
Notes
| Author | Note |
|---|---|
| mdeslaur | This only affects operating systems that don't use GNU patch by default, which isn't the case on Debian/Ubuntu. Setting priority to negligible. |