CVE-2014-3864
Published 2014-05-30
Priority: P4 (33), medium. CVSS 2.0 base score 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P).
EPSS: 2.83% (84.8th percentile)
Directory traversal vulnerability in dpkg-source in dpkg-dev 1.3.0 allows remote attackers to modify files outside of the intended directories via a crafted source package that lacks a --- header line.
Affected
6 ranges (the four identical rows for the remaining Debian suites are collapsed into one)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | dpkg | < 1.17.10 (bookworm) | 1.17.10 (bookworm) |
| debian | dpkg | >= 0, < 1.17.10 | 1.17.10 |
| debian | dpkg-dev | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:P |
| osv | — | 6.4 | MEDIUM | — |
| vendor_debian | — | 6.4 | MEDIUM | — |
GHSA
GHSA-h5rp-2257-ffxj: Directory traversal vulnerability in dpkg-source in dpkg-dev 1.3.0
ghsa_unreviewed · 2022-05-14 · CVE-2014-3864 · MEDIUM · CWE-22
Description: as given above.
OSV
CVE-2014-3864: Directory traversal vulnerability in dpkg-source in dpkg-dev 1.3.0
osv · 2014-05-30 · CVSS 6.4 · MEDIUM
Description: as given above.
Ubuntu
CVE-2014-3864: dpkg vulnerabilities
vendor_ubuntu · 2014-06-10
Summary: A malicious source package could write files outside the unpack directory.
It was discovered that dpkg incorrectly handled certain patches when
unpacking source packages. If a user or an automated system were tricked
into unpacking a specially crafted source package, a remote attacker could
modify files outside the target unpack directory, leading to a denial of
service or potentially gaining access to the system.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2014-3864: dpkg - Directory traversal vulnerability in dpkg-source in dpkg-dev 1.3.0
vendor_debian · 2014 · CVSS 6.4 · MEDIUM
Description: as given above.
Scope: local
bookworm: resolved (fixed in 1.17.10)
bullseye: resolved (fixed in 1.17.10)
forky: resolved (fixed in 1.17.10)
sid: resolved (fixed in 1.17.10)
trixie: resolved (fixed in 1.17.10)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2014-3864 CVE-2014-3865 dpkg: multiple directory traversal flaws in dpkg-source
bugzilla · 2014-05-30 · CVSS 6.4 · MEDIUM
Multiple directory traversal flaws were found in dpkg-source. When unpacking a source package, this could lead to the creation of files outside of the directory you are unpacking in.
CVE-2014-3864: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746498
CVE-2014-3865: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749183
References:
http://seclists.org/oss-sec/2014/q2/388
I am not sure where the patches are located.
Discussion:
Created dpkg tracking bugs for this issue:
Affects: fedora-all [bug 1103027]
Affects: epel-all [bug 1103028]
---
I am still waiting for the Debian release:
http://packages.qa.debian.org/d/dpkg.html
It seems they finally fixed it:
http://anonscm.debian.org/gitweb/?p=dpkg/dpkg.git
Bugzilla
CVE-2014-3865 CVE-2014-3864 dpkg: multiple directory traversal flaws in dpkg-source [fedora-all]
bugzilla · 2014-05-30 · CVSS 6.4 · MEDIUM
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, use the bodhi submission link noted
in the next comment(s). This will include the bug IDs of this tracking
bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
NOTE: this issu
Bugzilla
CVE-2014-3865 CVE-2014-3864 dpkg: multiple directory traversal flaws in dpkg-source [epel-all]
bugzilla · 2014-05-30 · CVSS 6.4 · MEDIUM
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, use the bodhi submission link noted
in the next comment(s). This will include the bug IDs of this tracking
bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
NOTE: this i
References:
http://openwall.com/lists/oss-security/2014/05/25/2
http://www.debian.org/security/2014/dsa-2953
http://www.securityfocus.com/bid/67725
http://www.ubuntu.com/usn/USN-2242-1
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746498