CVE-2014-0471: Path Traversal
First published: Mon Apr 28 2014(Updated: )
Directory traversal vulnerability in the unpacking functionality in dpkg before 1.15.9, 1.16.x before 1.16.13, and 1.17.x before 1.17.8 allows remote attackers to write arbitrary files via a crafted source package, related to "C-style filename quoting."
Credit: security@debian.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| dpkg-dev | <=1.15.8.8 | |
| dpkg-dev | =1.9.1 | |
| dpkg-dev | =1.9.2 | |
| dpkg-dev | =1.9.3 | |
| dpkg-dev | =1.9.7 | |
| dpkg-dev | =1.9.8 | |
| dpkg-dev | =1.9.9 | |
| dpkg-dev | =1.9.10 | |
| dpkg-dev | =1.9.11 | |
| dpkg-dev | =1.9.12 | |
| dpkg-dev | =1.9.13 | |
| dpkg-dev | =1.9.14 | |
| dpkg-dev | =1.9.15 | |
| dpkg-dev | =1.9.16 | |
| dpkg-dev | =1.9.17 | |
| dpkg-dev | =1.9.18 | |
| dpkg-dev | =1.9.19 | |
| dpkg-dev | =1.9.20 | |
| dpkg-dev | =1.9.21 | |
| dpkg-dev | =1.10 | |
| dpkg-dev | =1.10.1 | |
| dpkg-dev | =1.10.2 | |
| dpkg-dev | =1.10.3 | |
| dpkg-dev | =1.10.4 | |
| dpkg-dev | =1.10.5 | |
| dpkg-dev | =1.10.6 | |
| dpkg-dev | =1.10.7 | |
| dpkg-dev | =1.10.8 | |
| dpkg-dev | =1.10.9 | |
| dpkg-dev | =1.10.11 | |
| dpkg-dev | =1.10.12 | |
| dpkg-dev | =1.10.13 | |
| dpkg-dev | =1.10.14 | |
| dpkg-dev | =1.10.15 | |
| dpkg-dev | =1.10.16 | |
| dpkg-dev | =1.10.17 | |
| dpkg-dev | =1.10.18 | |
| dpkg-dev | =1.10.18.1 | |
| dpkg-dev | =1.10.19 | |
| dpkg-dev | =1.10.20 | |
| dpkg-dev | =1.10.21 | |
| dpkg-dev | =1.10.22 | |
| dpkg-dev | =1.10.23 | |
| dpkg-dev | =1.10.24 | |
| dpkg-dev | =1.10.25 | |
| dpkg-dev | =1.10.26 | |
| dpkg-dev | =1.10.27 | |
| dpkg-dev | =1.10.28 | |
| dpkg-dev | =1.13.0 | |
| dpkg-dev | =1.13.1 | |
| dpkg-dev | =1.13.2 | |
| dpkg-dev | =1.13.3 | |
| dpkg-dev | =1.13.4 | |
| dpkg-dev | =1.13.5 | |
| dpkg-dev | =1.13.6 | |
| dpkg-dev | =1.13.7 | |
| dpkg-dev | =1.13.8 | |
| dpkg-dev | =1.13.9 | |
| dpkg-dev | =1.13.10 | |
| dpkg-dev | =1.13.11 | |
| dpkg-dev | =1.13.11.1 | |
| dpkg-dev | =1.13.12 | |
| dpkg-dev | =1.13.13 | |
| dpkg-dev | =1.13.14 | |
| dpkg-dev | =1.13.15 | |
| dpkg-dev | =1.13.16 | |
| dpkg-dev | =1.13.17 | |
| dpkg-dev | =1.13.18 | |
| dpkg-dev | =1.13.19 | |
| dpkg-dev | =1.13.20 | |
| dpkg-dev | =1.13.21 | |
| dpkg-dev | =1.13.22 | |
| dpkg-dev | =1.13.23 | |
| dpkg-dev | =1.13.24 | |
| dpkg-dev | =1.13.25 | |
| dpkg-dev | =1.14.0 | |
| dpkg-dev | =1.14.1 | |
| dpkg-dev | =1.14.2 | |
| dpkg-dev | =1.14.3 | |
| dpkg-dev | =1.14.4 | |
| dpkg-dev | =1.14.5 | |
| dpkg-dev | =1.14.6 | |
| dpkg-dev | =1.14.7 | |
| dpkg-dev | =1.14.8 | |
| dpkg-dev | =1.14.9 | |
| dpkg-dev | =1.14.10 | |
| dpkg-dev | =1.14.11 | |
| dpkg-dev | =1.14.12 | |
| dpkg-dev | =1.14.13 | |
| dpkg-dev | =1.14.14 | |
| dpkg-dev | =1.14.15 | |
| dpkg-dev | =1.14.16 | |
| dpkg-dev | =1.14.16.1 | |
| dpkg-dev | =1.14.16.2 | |
| dpkg-dev | =1.14.16.3 | |
| dpkg-dev | =1.14.16.4 | |
| dpkg-dev | =1.14.16.5 | |
| dpkg-dev | =1.14.16.6 | |
| dpkg-dev | =1.14.17 | |
| dpkg-dev | =1.14.18 | |
| dpkg-dev | =1.14.19 | |
| dpkg-dev | =1.14.20 | |
| dpkg-dev | =1.14.21 | |
| dpkg-dev | =1.14.22 | |
| dpkg-dev | =1.14.23 | |
| dpkg-dev | =1.14.24 | |
| dpkg-dev | =1.14.25 | |
| dpkg-dev | =1.14.26 | |
| dpkg-dev | =1.14.27 | |
| dpkg-dev | =1.14.28 | |
| dpkg-dev | =1.14.29 | |
| dpkg-dev | =1.14.30 | |
| dpkg-dev | =1.15.0 | |
| dpkg-dev | =1.15.1 | |
| dpkg-dev | =1.15.2 | |
| dpkg-dev | =1.15.3 | |
| dpkg-dev | =1.15.3.1 | |
| dpkg-dev | =1.15.4 | |
| dpkg-dev | =1.15.4.1 | |
| dpkg-dev | =1.15.5 | |
| dpkg-dev | =1.15.5.1 | |
| dpkg-dev | =1.15.5.2 | |
| dpkg-dev | =1.15.5.3 | |
| dpkg-dev | =1.15.5.4 | |
| dpkg-dev | =1.15.5.5 | |
| dpkg-dev | =1.15.5.6 | |
| dpkg-dev | =1.15.6 | |
| dpkg-dev | =1.15.6.1 | |
| dpkg-dev | =1.15.7 | |
| dpkg-dev | =1.15.7.1 | |
| dpkg-dev | =1.15.7.2 | |
| dpkg-dev | =1.15.8 | |
| dpkg-dev | =1.15.8.1 | |
| dpkg-dev | =1.15.8.2 | |
| dpkg-dev | =1.15.8.3 | |
| dpkg-dev | =1.15.8.4 | |
| dpkg-dev | =1.15.8.5 | |
| dpkg-dev | =1.15.8.6 | |
| dpkg-dev | =1.15.8.7 | |
| dpkg-dev | =1.15.8.9 | |
| dpkg-dev | =1.16.0 | |
| dpkg-dev | =1.16.0.1 | |
| dpkg-dev | =1.16.0.2 | |
| dpkg-dev | =1.16.0.3 | |
| dpkg-dev | =1.16.1 | |
| dpkg-dev | =1.16.1.1 | |
| dpkg-dev | =1.16.1.2 | |
| dpkg-dev | =1.16.2 | |
| dpkg-dev | =1.16.3 | |
| dpkg-dev | =1.16.4 | |
| dpkg-dev | =1.16.4.1 | |
| dpkg-dev | =1.16.4.2 | |
| dpkg-dev | =1.16.4.3 | |
| dpkg-dev | =1.16.5 | |
| dpkg-dev | =1.16.6 | |
| dpkg-dev | =1.16.7 | |
| dpkg-dev | =1.16.8 | |
| dpkg-dev | =1.16.9 | |
| dpkg-dev | =1.16.10 | |
| dpkg-dev | =1.16.11 | |
| dpkg-dev | =1.16.12 | |
| dpkg-dev | =1.17.0 | |
| dpkg-dev | =1.17.1 | |
| dpkg-dev | =1.17.2 | |
| dpkg-dev | =1.17.3 | |
| dpkg-dev | =1.17.4 | |
| dpkg-dev | =1.17.5 | |
| dpkg-dev | =1.17.6 | |
| dpkg-dev | =1.17.7 | |
| Ubuntu | =10.04 | |
| Ubuntu | =12.04 | |
| Ubuntu | =12.10 | |
| Ubuntu | =13.10 | |
| Ubuntu | =14.04 | |
| debian/dpkg | 1.20.13 1.20.10 1.21.22 1.22.18 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2014-0471
- https://savannah.gnu.org/bugs/index.php?37642
- http://git.debian.org/?p=dpkg/dpkg.git;a=commitdiff;h=a12eb58
- http://git.debian.org/?p=dpkg/dpkg.git;a=commitdiff;h=2389c75
- http://git.debian.org/?p=dpkg/dpkg.git;a=commitdiff;h=d49704f
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746306
- http://www.debian.org/security/2014/dsa-2915
- http://www.securityfocus.com/bid/67106
- http://www.ubuntu.com/usn/USN-2183-1
Frequently Asked Questions
What is the severity of CVE-2014-0471?
CVE-2014-0471 is considered a medium severity vulnerability due to its potential to allow remote attackers to write arbitrary files.
How do I fix CVE-2014-0471?
To fix CVE-2014-0471, upgrade dpkg to version 1.15.9 or later.
What systems are affected by CVE-2014-0471?
CVE-2014-0471 affects dpkg versions prior to 1.15.9, including some versions in Debian and Ubuntu.
What type of vulnerability is CVE-2014-0471?
CVE-2014-0471 is a directory traversal vulnerability that affects the unpacking functionality of dpkg.
Can CVE-2014-0471 be exploited remotely?
Yes, CVE-2014-0471 can be exploited remotely through crafted source packages.
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/author
- agent/severity
- agent/weakness
- agent/description
- collector/debian-bugs
- source/Debian
- alias/CVE-2014-0471
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/source
- agent/tags
- agent/softwarecombine
- agent/event
- collector/security-tracker-debian
- vendor/debian
- canonical/dpkg-dev
- version/dpkg-dev/1.15.8.8
- version/dpkg-dev/1.9.1
- version/dpkg-dev/1.9.2
- version/dpkg-dev/1.9.3
- version/dpkg-dev/1.9.7
- version/dpkg-dev/1.9.8
- version/dpkg-dev/1.9.9
- version/dpkg-dev/1.9.10
- version/dpkg-dev/1.9.11
- version/dpkg-dev/1.9.12
- version/dpkg-dev/1.9.13
- version/dpkg-dev/1.9.14
- version/dpkg-dev/1.9.15
- version/dpkg-dev/1.9.16
- version/dpkg-dev/1.9.17
- version/dpkg-dev/1.9.18
- version/dpkg-dev/1.9.19
- version/dpkg-dev/1.9.20
- version/dpkg-dev/1.9.21
- version/dpkg-dev/1.10
- version/dpkg-dev/1.10.1
- version/dpkg-dev/1.10.2
- version/dpkg-dev/1.10.3
- version/dpkg-dev/1.10.4
- version/dpkg-dev/1.10.5
- version/dpkg-dev/1.10.6
- version/dpkg-dev/1.10.7
- version/dpkg-dev/1.10.8
- version/dpkg-dev/1.10.9
- version/dpkg-dev/1.10.11
- version/dpkg-dev/1.10.12
- version/dpkg-dev/1.10.13
- version/dpkg-dev/1.10.14
- version/dpkg-dev/1.10.15
- version/dpkg-dev/1.10.16
- version/dpkg-dev/1.10.17
- version/dpkg-dev/1.10.18
- version/dpkg-dev/1.10.18.1
- version/dpkg-dev/1.10.19
- version/dpkg-dev/1.10.20
- version/dpkg-dev/1.10.21
- version/dpkg-dev/1.10.22
- version/dpkg-dev/1.10.23
- version/dpkg-dev/1.10.24
- version/dpkg-dev/1.10.25
- version/dpkg-dev/1.10.26
- version/dpkg-dev/1.10.27
- version/dpkg-dev/1.10.28
- version/dpkg-dev/1.13.0
- version/dpkg-dev/1.13.1
- version/dpkg-dev/1.13.2
- version/dpkg-dev/1.13.3
- version/dpkg-dev/1.13.4
- version/dpkg-dev/1.13.5
- version/dpkg-dev/1.13.6
- version/dpkg-dev/1.13.7
- version/dpkg-dev/1.13.8
- version/dpkg-dev/1.13.9
- version/dpkg-dev/1.13.10
- version/dpkg-dev/1.13.11
- version/dpkg-dev/1.13.11.1
- version/dpkg-dev/1.13.12
- version/dpkg-dev/1.13.13
- version/dpkg-dev/1.13.14
- version/dpkg-dev/1.13.15
- version/dpkg-dev/1.13.16
- version/dpkg-dev/1.13.17
- version/dpkg-dev/1.13.18
- version/dpkg-dev/1.13.19
- version/dpkg-dev/1.13.20
- version/dpkg-dev/1.13.21
- version/dpkg-dev/1.13.22
- version/dpkg-dev/1.13.23
- version/dpkg-dev/1.13.24
- version/dpkg-dev/1.13.25
- version/dpkg-dev/1.14.0
- version/dpkg-dev/1.14.1
- version/dpkg-dev/1.14.2
- version/dpkg-dev/1.14.3
- version/dpkg-dev/1.14.4
- version/dpkg-dev/1.14.5
- version/dpkg-dev/1.14.6
- version/dpkg-dev/1.14.7
- version/dpkg-dev/1.14.8
- version/dpkg-dev/1.14.9
- version/dpkg-dev/1.14.10
- version/dpkg-dev/1.14.11
- version/dpkg-dev/1.14.12
- version/dpkg-dev/1.14.13
- version/dpkg-dev/1.14.14
- version/dpkg-dev/1.14.15
- version/dpkg-dev/1.14.16
- version/dpkg-dev/1.14.16.1
- version/dpkg-dev/1.14.16.2
- version/dpkg-dev/1.14.16.3
- version/dpkg-dev/1.14.16.4
- version/dpkg-dev/1.14.16.5
- version/dpkg-dev/1.14.16.6
- version/dpkg-dev/1.14.17
- version/dpkg-dev/1.14.18
- version/dpkg-dev/1.14.19
- version/dpkg-dev/1.14.20
- version/dpkg-dev/1.14.21
- version/dpkg-dev/1.14.22
- version/dpkg-dev/1.14.23
- version/dpkg-dev/1.14.24
- version/dpkg-dev/1.14.25
- version/dpkg-dev/1.14.26
- version/dpkg-dev/1.14.27
- version/dpkg-dev/1.14.28
- version/dpkg-dev/1.14.29
- version/dpkg-dev/1.14.30
- version/dpkg-dev/1.15.0
- version/dpkg-dev/1.15.1
- version/dpkg-dev/1.15.2
- version/dpkg-dev/1.15.3
- version/dpkg-dev/1.15.3.1
- version/dpkg-dev/1.15.4
- version/dpkg-dev/1.15.4.1
- version/dpkg-dev/1.15.5
- version/dpkg-dev/1.15.5.1
- version/dpkg-dev/1.15.5.2
- version/dpkg-dev/1.15.5.3
- version/dpkg-dev/1.15.5.4
- version/dpkg-dev/1.15.5.5
- version/dpkg-dev/1.15.5.6
- version/dpkg-dev/1.15.6
- version/dpkg-dev/1.15.6.1
- version/dpkg-dev/1.15.7
- version/dpkg-dev/1.15.7.1
- version/dpkg-dev/1.15.7.2
- version/dpkg-dev/1.15.8
- version/dpkg-dev/1.15.8.1
- version/dpkg-dev/1.15.8.2
- version/dpkg-dev/1.15.8.3
- version/dpkg-dev/1.15.8.4
- version/dpkg-dev/1.15.8.5
- version/dpkg-dev/1.15.8.6
- version/dpkg-dev/1.15.8.7
- version/dpkg-dev/1.15.8.9
- version/dpkg-dev/1.16.0
- version/dpkg-dev/1.16.0.1
- version/dpkg-dev/1.16.0.2
- version/dpkg-dev/1.16.0.3
- version/dpkg-dev/1.16.1
- version/dpkg-dev/1.16.1.1
- version/dpkg-dev/1.16.1.2
- version/dpkg-dev/1.16.2
- version/dpkg-dev/1.16.3
- version/dpkg-dev/1.16.4
- version/dpkg-dev/1.16.4.1
- version/dpkg-dev/1.16.4.2
- version/dpkg-dev/1.16.4.3
- version/dpkg-dev/1.16.5
- version/dpkg-dev/1.16.6
- version/dpkg-dev/1.16.7
- version/dpkg-dev/1.16.8
- version/dpkg-dev/1.16.9
- version/dpkg-dev/1.16.10
- version/dpkg-dev/1.16.11
- version/dpkg-dev/1.16.12
- version/dpkg-dev/1.17.0
- version/dpkg-dev/1.17.1
- version/dpkg-dev/1.17.2
- version/dpkg-dev/1.17.3
- version/dpkg-dev/1.17.4
- version/dpkg-dev/1.17.5
- version/dpkg-dev/1.17.6
- version/dpkg-dev/1.17.7
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/10.04
- version/ubuntu/12.04
- version/ubuntu/12.10
- version/ubuntu/13.10
- version/ubuntu/14.04
- package-manager/debian