CVE-2014-3865
Published 2014-05-30
Priority: P3 (42), medium; CVSS 2.0 base score 6.4
CVSS vector: AV:N/AC:L/Au:N/C:N/I:P/A:P
EPSS: 7.32% (93.6th percentile)
Multiple directory traversal vulnerabilities in dpkg-source in dpkg-dev 1.3.0 allow remote attackers to modify files outside of the intended directories via a source package with a crafted Index: pseudo-header in conjunction with (1) missing --- and +++ header lines or (2) a +++ header line with a blank pathname.
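As an added defensive illustration (not dpkg-source's own code), the checker below flags the two header shapes described above, an `Index:` pseudo-header with no `---`/`+++` pair and a `+++` line with a blank pathname, and also any header pathname that would leave the unpack directory; the sample patch and the conservative path rule are constructed for this example.

```python
import re

# Added example for CVE-2014-3865: a conservative pre-unpack review of patch
# headers. Simplified stand-in for a review step, not dpkg-source's own parser.
INDEX_RE = re.compile(r"^Index:\s*(.*)$")
OLD_RE = re.compile(r"^--- ?(.*)$")
NEW_RE = re.compile(r"^\+\+\+ ?(.*)$")
# Constructed sample (not from the advisory): first block has an Index: line
# but no ---/+++ pair; second block has a +++ line with a blank pathname.
BAD_PATCH = """\
Index: ../../outside/file
@@ -0,0 +1 @@
+placeholder
Index: README
--- a/README\t2014-05-30
+++\t2014-05-30
@@ -1 +1 @@
-old
+new
"""

def _pathname(field: str) -> str:
    """Drop the optional tab-separated timestamp, then surrounding whitespace."""
    return field.split("\t", 1)[0].strip()

def _escapes_unpack_dir(path: str) -> bool:
    """Conservative rule: absolute paths or any '..' component count as escaping."""
    return path.startswith("/") or ".." in path.split("/")

def patch_header_findings(patch_text: str) -> list[str]:
    """One finding per problem across the Index: blocks; empty list means none seen."""
    findings = []
    for block in re.split(r"(?m)^(?=Index:)", patch_text):  # split before each Index:
        lines = block.splitlines()
        head = INDEX_RE.match(lines[0]) if lines else None
        if not head:
            continue
        index_path = _pathname(head.group(1))
        old = [_pathname(m.group(1)) for l in lines[1:] if (m := OLD_RE.match(l))]
        new = [_pathname(m.group(1)) for l in lines[1:] if (m := NEW_RE.match(l))]
        if not old and not new:  # shape (1): pathname would come from Index: alone
            findings.append(f"{index_path!r}: Index: pseudo-header without ---/+++ lines")
        if "" in new:  # shape (2): +++ carries no pathname
            findings.append(f"{index_path!r}: +++ line with blank pathname")
        for p in (index_path, *old, *new):
            if p and _escapes_unpack_dir(p):
                findings.append(f"{p!r}: pathname escapes the unpack directory")
    return findings
```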
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | dpkg | < 1.17.10 (bookworm) | 1.17.10 (bookworm) |
| debian | dpkg | >= 0 < 1.17.10 | 1.17.10 |
| debian | dpkg | >= 0 < 1.17.10 | 1.17.10 |
| debian | dpkg | >= 0 < 1.17.10 | 1.17.10 |
| debian | dpkg | >= 0 < 1.17.10 | 1.17.10 |
| debian | dpkg-dev | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:P |
| osv | | 6.4 | MEDIUM | |
| vendor_debian | | 6.4 | MEDIUM | |
GHSA
GHSA-pm6q-6j5f-2hj8 · ghsa_unreviewed · 2022-05-14 · MEDIUM · CWE-22
OSV
CVE-2014-3865 · osv · 2014-05-30 · CVSS 6.4 · MEDIUM
Ubuntu
dpkg vulnerabilities · vendor_ubuntu · 2014-06-10 · also covers CVE-2014-3864
Summary: A malicious source package could write files outside the unpack directory.
It was discovered that dpkg incorrectly handled certain patches when unpacking source packages. If a user or an automated system were tricked into unpacking a specially crafted source package, a remote attacker could modify files outside the target unpack directory, leading to a denial of service or potentially gaining access to the system.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2014-3865: dpkg · vendor_debian · 2014 · CVSS 6.4 · MEDIUM
Scope: local
bookworm: resolved (fixed in 1.17.10)
bullseye: resolved (fixed in 1.17.10)
forky: resolved (fixed in 1.17.10)
sid: resolved (fixed in 1.17.10)
trixie: resolved (fixed in 1.17.10)
No detection rules found.
Bugzilla
CVE-2014-3864 CVE-2014-3865 dpkg: multiple directory traversal flaws in dpkg-source · bugzilla · 2014-05-30 · CVSS 6.4 · MEDIUM
Multiple directory traversal flaws were found in dpkg-source. When unpacking a source package, this could lead to the creation of files outside of the directory you are unpacking in.
CVE-2014-3864: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746498
CVE-2014-3865: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749183
References:
http://seclists.org/oss-sec/2014/q2/388
I am not sure where the patches are located.
Discussion:
Created dpkg tracking bugs for this issue:
Affects: fedora-all [bug 1103027]
Affects: epel-all [bug 1103028]
---
I am still waiting for the Debian release:
http://packages.qa.debian.org/d/dpkg.html
It seems they finally fixed it:
http://anonscm.debian.org/gitweb/?p=dpkg/dpkg.git
Bugzilla
CVE-2014-3865 CVE-2014-3864 dpkg: multiple directory traversal flaws in dpkg-source [fedora-all] · bugzilla · 2014-05-30 · CVSS 6.4 · MEDIUM
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, use the bodhi submission link noted in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the Bodhi notes field when available.
NOTE: this issu
Bugzilla
CVE-2014-3865 CVE-2014-3864 dpkg: multiple directory traversal flaws in dpkg-source [epel-all] · bugzilla · 2014-05-30 · CVSS 6.4 · MEDIUM
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, use the bodhi submission link noted in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the Bodhi notes field when available.
NOTE: this i
References:
http://openwall.com/lists/oss-security/2014/05/25/2
http://www.debian.org/security/2014/dsa-2953
http://www.securityfocus.com/bid/67727
http://www.ubuntu.com/usn/USN-2242-1
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749183