CVE-2014-8625
Published 2015-01-20
Priority P4 · 33 · medium · 6.8 (CVSS 2.0)
AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS: 3.30% (87.0th percentile)
Multiple format string vulnerabilities in the parse_error_msg function in parsehelp.c in dpkg before 1.17.22 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in the (1) package or (2) architecture name.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | dpkg | < dpkg 1.17.22 (bookworm) | dpkg 1.17.22 (bookworm) |
| debian | dpkg | <= 1.17.21 | — |
| debian | dpkg | >= 0 < 1.17.22 | 1.17.22 |
| debian | dpkg | >= 0 < 1.17.22 | 1.17.22 |
| debian | dpkg | >= 0 < 1.17.22 | 1.17.22 |
| debian | dpkg | >= 0 < 1.17.22 | 1.17.22 |
CVSS provenance
nvd · v2.0 · 6.8 · MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P
osv · 6.8 · MEDIUM
vendor_debian · 6.8 · LOW
Debian
CVE-2014-8625: dpkg - Multiple format string vulnerabilities in the parse_error_msg function in parseh...
vendor_debian·2014·CVSS 6.8
Scope: local
bookworm: resolved (fixed in 1.17.22)
bullseye: resolved (fixed in 1.17.22)
forky: resolved (fixed in 1.17.22)
sid: resolved (fixed in 1.17.22)
trixie: resolved (fixed in 1.17.22)
GHSA
GHSA-rg28-4v7w-vh73: Multiple format string vulnerabilities in the parse_error_msg function in parsehelp
ghsa_unreviewed·2022-05-17
CVE-2014-8625 [MEDIUM] CWE-134 GHSA-rg28-4v7w-vh73: Multiple format string vulnerabilities in the parse_error_msg function in parsehelp
OSV
CVE-2014-8625: Multiple format string vulnerabilities in the parse_error_msg function in parsehelp
osv·2015-01-20·CVSS 6.8
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2014-8625 dpkg: format string vulnerability [fedora-all]
bugzilla·2014-11-10·CVSS 6.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While onl
Bugzilla
CVE-2014-8625 dpkg: format string vulnerability
bugzilla·2014-11-10·CVSS 6.8
It was reported [1] that dpkg has a format string vulnerability.
When building a .deb file using dpkg-deb --build, if the 'control' file inside DEBIAN/ has a % in it, it will segfault.
Example of control file and GDB backtrace is available at [1] as well.
[1]: https://bugs.launchpad.net/ubuntu/+source/dpkg/+bug/1389135
Discussion:
Created dpkg tracking bugs for this issue:
Affects: fedora-all [bug 1162168]
Affects: epel-all [bug 1162169]
---
Note that a second, similar issue was reported to Debian:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769111
---
http://anonscm.debian.org/cgit/dpkg/dpkg.git/log/?h=wheezy
We still don't have any fix for wheezy.
I found the commit here:
http://anonscm.debian.org/cgit/dpkg/dpkg.git/commit/?id
Bugzilla
CVE-2014-8625 dpkg: format string vulnerability [epel-all]
bugzilla·2014-11-10·CVSS 6.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora EPEL. W
References
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157387.html
http://seclists.org/oss-sec/2014/q4/539
http://seclists.org/oss-sec/2014/q4/551
http://seclists.org/oss-sec/2014/q4/622
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768485
https://bugs.launchpad.net/ubuntu/+source/dpkg/+bug/1389135
https://exchange.xforce.ibmcloud.com/vulnerabilities/98551