CVE-2022-1664
Published: 2022-05-26
Priority: P354 · critical 9.8 (CVSS 3.1) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.87% (85.1th percentile)
Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.
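As an added defensive example, not code from dpkg or from any advisory on this page: a Python check that refuses tar members which would be written, or would point, outside the unpack directory. It resolves symlinks already present on disk, so the second in-place extraction (a debian.tar unpacked over an already-unpacked orig.tar) is caught as well as the symlink in the first tarball. The directory names, package name and both in-memory tarballs are constructed for the demo.

```python
import io, os, tarfile, tempfile

def _inside(dest_real, path):
    # realpath() follows symlinks already on disk under dest (the in-place case)
    real = os.path.realpath(path)
    return real == dest_real or real.startswith(dest_real + os.sep)

def unsafe_members(tar, dest):
    """Names of members that would be written, or would point, outside dest."""
    dest_real = os.path.realpath(dest)
    bad = []
    for m in tar.getmembers():
        target = os.path.join(dest, m.name)
        if os.path.isabs(m.name) or ".." in m.name.split("/") or not _inside(dest_real, target):
            bad.append(m.name)
        elif m.issym() and not _inside(dest_real, os.path.join(os.path.dirname(target), m.linkname)):
            bad.append(m.name)  # symlink target is relative to the link's own directory
        elif m.islnk() and not _inside(dest_real, os.path.join(dest, m.linkname)):
            bad.append(m.name)  # hard-link target is relative to the archive root
    return bad

def _build_tar(entries):
    """Constructed in-memory tarball; entries are (name, 'file' | 'sym', payload)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for name, kind, payload in entries:
            ti = tarfile.TarInfo(name)
            if kind == "sym":
                ti.type, ti.linkname = tarfile.SYMTYPE, payload
                t.addfile(ti)
            else:
                ti.size = len(payload)
                t.addfile(ti, io.BytesIO(payload))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")

def demo():
    """Two-stage check mirroring the orig.tar-then-debian.tar unpack sequence."""
    with tempfile.TemporaryDirectory() as work:
        dest, outside = os.path.join(work, "unpack"), os.path.join(work, "outside")
        os.makedirs(os.path.join(dest, "pkg-1.0"))
        os.makedirs(outside)
        # constructed "orig.tar": its debian/ entry is a symlink escaping dest
        orig = _build_tar([("pkg-1.0/README", "file", b"hello\n"),
                           ("pkg-1.0/debian", "sym", "../../outside")])
        flagged_orig = unsafe_members(orig, dest)
        os.symlink(outside, os.path.join(dest, "pkg-1.0", "debian"))  # what an unchecked orig.tar unpack leaves
        # constructed "debian.tar": a plain-looking path that now follows the link
        debian = _build_tar([("pkg-1.0/debian/rules", "file", b"#!/usr/bin/make -f\n")])
        return flagged_orig, unsafe_members(debian, dest)
```

Gate every extraction on an empty result from `unsafe_members` (or, on Python 3.12 and newer, use `tarfile`'s `filter="data"`), and re-run the check for each tarball of a multi-part source package rather than only the first.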
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | dpkg | < dpkg 1.21.8 (bookworm) | dpkg 1.21.8 (bookworm) |
| debian | dpkg | >= 0 < 1.20.10 | 1.20.10 |
| debian | dpkg | >= 0 < 1.21.8 | 1.21.8 |
| debian | dpkg | >= 0 < 1.21.8 | 1.21.8 |
| debian | dpkg | >= 0 < 1.21.8 | 1.21.8 |
| debian | dpkg | >= 1.14.17 < 1.21.8 | 1.21.8 |
| debian | dpkg | >= 1.14.17 < 1.18.26 | 1.18.26 |
| debian | dpkg | >= 1.19.0 < 1.19.8 | 1.19.8 |
| debian | dpkg | >= 1.20.0 < 1.20.10 | 1.20.10 |
| debian | dpkg | >= 1.21.0 < 1.21.8 | 1.21.8 |
| msrc | cbl2_dpkg_1.20.10-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| paloalto | pan-os | — | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd (v2.0) | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | 9.8 | CRITICAL | — |
| vendor_debian | 9.8 | CRITICAL | — |
| vendor_msrc | 9.8 | CRITICAL | — |
GHSA
GHSA-q7pv-fjh6-6xq6 · ghsa_unreviewed · 2022-05-27 · CVE-2022-1664 [CRITICAL] · CWE-22
Same description as the CVE record above.
OSV
CVE-2022-1664 · osv · 2022-05-26 · CVSS 9.8 [CRITICAL]
Same description as the CVE record above.
Palo Alto
PAN-SA-2024-0013 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto · 2024-11-01 · CVSS 9.8 · indexed under CVE-2017-12424 [CRITICAL]
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2017-12424, CVE-2021-3114, CVE-2021-31525, CVE-2021-33195, CVE-2021-33197, CVE-2021-33198, CVE-2021-34558, CVE-2021-36221, CVE-2021-4034, CVE-2021-44716, CVE-2021-44717, CVE-2022-1664, CVE-2022-1705, CVE-2022-23772, CVE-2022-24675, CVE-2022-24921, CVE-2022-28327, CVE-2022-2880, CVE-2022-29526, CVE-2022-30629, CVE-2022-30631, CVE-2022-30632, CVE-2022-32148, CVE-2022-32189, CVE-2022-41715, CVE-2022-41717, CVE-2022-41724, CVE-2022-41725, CVE-2023-24534, CVE-2023-24536, CVE-2023-24539, CVE-2023-29406, CVE-2023-29409, CVE-2023-39
Ubuntu
dpkg vulnerability (CVE-2022-1664) · vendor_ubuntu · 2022-05-30
Summary: A malicious source package could write files outside the unpack directory.
USN-5446-1 fixed a vulnerability in dpkg. This update provides the corresponding update for Ubuntu 16.04 ESM.
Original advisory details:
Max Justicz discovered that dpkg incorrectly handled unpacking certain source packages. If a user or an automated system were tricked into unpacking a specially crafted source package, a remote attacker could modify files outside the target unpack directory, leading to a denial of service or potentially gaining access to the system.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
dpkg vulnerability (CVE-2022-1664) · vendor_ubuntu · 2022-05-26
Summary: A malicious source package could write files outside the unpack directory.
Max Justicz discovered that dpkg incorrectly handled unpacking certain source packages. If a user or an automated system were tricked into unpacking a specially crafted source package, a remote attacker could modify files outside the target unpack directory, leading to a denial of service or potentially gaining access to the system.
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
directory traversal for in-place extracts with untrusted v2 and v3 source packages with debian.tar
vendor_msrc · 2022-05-10 · CVSS 9.8 · CVE-2022-1664 [CRITICAL] · CWE-22
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Customer Action Required: Yes
Remediation: C
Debian
CVE-2022-1664: dpkg · vendor_debian · 2022 · CVSS 9.8 [CRITICAL]
Same description as the CVE record above.
Scope: local
bookworm: resolved (fixed in 1.21.8)
bullseye: resolved (fixed in 1.20.10)
forky: resolved (fixed in 1.21.8)
sid: resolved (fixed in 1.21.8)
trixie: resolved (fixed in 1.21.8)
No detection rules found.
No public exploits indexed.
Trailofbits
Another prolific year of open-source contributions · blogs_trailofbits · 2023-01-10
This time last year, we wrote about the more than 190 Trail of Bits-authored pull requests that were merged into non-Trail of Bits repositories in 2021. In 2022, we continued that trend by having more than 400 pull requests merged into non-Trail of Bits repositories!
Why is this significant? While we take great pride in the tools that we develop, we recognize that we benefit from tools maintained outside of Trail of Bits. When one of those tools doesn’t work as we expect, we try to fix it. When a tool doesn’t fill the need we think it was meant to, we try to improve it. In short, we try to give back to the community that gives so much to us.
Here are a few highlights from the list of PRs at the end of this blog post:
- Clippy is a collection of over 550 lints to catch common mistakes an
References
- https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=1f23dddc17f69c9598477098c7fb9936e15fa495
- https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=58814cacee39c4ce9e2cd0e3a3b9b57ad437eff5
- https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=7a6c03cb34d4a09f35df2f10779cbf1b70a5200b
- https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=faa4c92debe45412bfcf8a44f26e827800bb24be
- https://lists.debian.org/debian-lts-announce/2022/05/msg00033.html
- https://lists.debian.org/debian-security-announce/2022/msg00115.html
- https://security.netapp.com/advisory/ntap-20221007-0002/