CVE-2014-3127: Path Traversal
First published: Wed May 14 2014(Updated: )
dpkg 1.15.9 on Debian squeeze introduces support for the "C-style encoded filenames" feature without recognizing that the squeeze patch program lacks this feature, which triggers an interaction error that allows remote attackers to conduct directory traversal attacks and modify files outside of the intended directories via a crafted source package. NOTE: this can be considered a release engineering problem in the effort to fix CVE-2014-0471.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| dpkg-dev | =1.16.0 | |
| dpkg-dev | =1.16.0.1 | |
| dpkg-dev | =1.16.0.2 | |
| dpkg-dev | =1.16.0.3 | |
| dpkg-dev | =1.16.1 | |
| dpkg-dev | =1.16.1.1 | |
| dpkg-dev | =1.16.1.2 | |
| dpkg-dev | =1.16.2 | |
| dpkg-dev | =1.16.3 | |
| dpkg-dev | =1.16.4 | |
| dpkg-dev | =1.16.4.1 | |
| dpkg-dev | =1.16.4.2 | |
| dpkg-dev | =1.16.4.3 | |
| dpkg-dev | =1.16.5 | |
| dpkg-dev | =1.16.6 | |
| dpkg-dev | =1.16.7 | |
| dpkg-dev | =1.16.8 | |
| dpkg-dev | =1.16.9 | |
| dpkg-dev | =1.16.10 | |
| dpkg-dev | =1.16.11 | |
| dpkg-dev | =1.16.12 | |
| dpkg-dev | =1.17.0 | |
| dpkg-dev | =1.17.1 | |
| dpkg-dev | =1.17.2 | |
| dpkg-dev | =1.17.3 | |
| dpkg-dev | =1.17.4 | |
| dpkg-dev | =1.17.5 | |
| dpkg-dev | =1.17.6 | |
| dpkg-dev | =1.17.7 | |
| dpkg-dev | =1.17.8 | |
| dpkg-dev | =1.15.0 | |
| dpkg-dev | =1.15.1 | |
| dpkg-dev | =1.15.2 | |
| dpkg-dev | =1.15.3 | |
| dpkg-dev | =1.15.3.1 | |
| dpkg-dev | =1.15.4 | |
| dpkg-dev | =1.15.4.1 | |
| dpkg-dev | =1.15.5 | |
| dpkg-dev | =1.15.5.1 | |
| dpkg-dev | =1.15.5.2 | |
| dpkg-dev | =1.15.5.3 | |
| dpkg-dev | =1.15.5.4 | |
| dpkg-dev | =1.15.5.5 | |
| dpkg-dev | =1.15.5.6 | |
| dpkg-dev | =1.15.6 | |
| dpkg-dev | =1.15.6.1 | |
| dpkg-dev | =1.15.7 | |
| dpkg-dev | =1.15.7.1 | |
| dpkg-dev | =1.15.7.2 | |
| dpkg-dev | =1.15.8 | |
| dpkg-dev | =1.15.8.1 | |
| dpkg-dev | =1.15.8.2 | |
| dpkg-dev | =1.15.8.3 | |
| dpkg-dev | =1.15.8.4 | |
| dpkg-dev | =1.15.8.5 | |
| dpkg-dev | =1.15.8.6 | |
| dpkg-dev | =1.15.8.7 | |
| dpkg-dev | =1.15.8.8 | |
| dpkg-dev | =1.15.8.9 | |
| dpkg-dev | =1.15.8.10 | |
| dpkg-dev | =1.15.8.11 | |
| dpkg-dev | =1.15.8.12 | |
| dpkg-dev | =1.15.8.13 | |
| dpkg-dev | =1.15.9 | |
| =1.16.0 | ||
| =1.16.0.1 | ||
| =1.16.0.2 | ||
| =1.16.0.3 | ||
| =1.16.1 | ||
| =1.16.1.1 | ||
| =1.16.1.2 | ||
| =1.16.2 | ||
| =1.16.3 | ||
| =1.16.4 | ||
| =1.16.4.1 | ||
| =1.16.4.2 | ||
| =1.16.4.3 | ||
| =1.16.5 | ||
| =1.16.6 | ||
| =1.16.7 | ||
| =1.16.8 | ||
| =1.16.9 | ||
| =1.16.10 | ||
| =1.16.11 | ||
| =1.16.12 | ||
| =1.17.0 | ||
| =1.17.1 | ||
| =1.17.2 | ||
| =1.17.3 | ||
| =1.17.4 | ||
| =1.17.5 | ||
| =1.17.6 | ||
| =1.17.7 | ||
| =1.17.8 | ||
| =1.15.0 | ||
| =1.15.1 | ||
| =1.15.2 | ||
| =1.15.3 | ||
| =1.15.3.1 | ||
| =1.15.4 | ||
| =1.15.4.1 | ||
| =1.15.5 | ||
| =1.15.5.1 | ||
| =1.15.5.2 | ||
| =1.15.5.3 | ||
| =1.15.5.4 | ||
| =1.15.5.5 | ||
| =1.15.5.6 | ||
| =1.15.6 | ||
| =1.15.6.1 | ||
| =1.15.7 | ||
| =1.15.7.1 | ||
| =1.15.7.2 | ||
| =1.15.8 | ||
| =1.15.8.1 | ||
| =1.15.8.2 | ||
| =1.15.8.3 | ||
| =1.15.8.4 | ||
| =1.15.8.5 | ||
| =1.15.8.6 | ||
| =1.15.8.7 | ||
| =1.15.8.8 | ||
| =1.15.8.9 | ||
| =1.15.8.10 | ||
| =1.15.8.11 | ||
| =1.15.8.12 | ||
| =1.15.8.13 | ||
| =1.15.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2014-3127?
CVE-2014-3127 is classified as a high-severity vulnerability due to its potential for causing directory traversal attacks.
How do I fix CVE-2014-3127?
To fix CVE-2014-3127, upgrade to a patched version of dpkg, specifically versions 1.16.0 or later.
What are the implications of exploiting CVE-2014-3127?
Exploiting CVE-2014-3127 can allow remote attackers to modify files outside of the intended directory structure.
Which versions of dpkg are affected by CVE-2014-3127?
Affected versions of dpkg include 1.15.9 and possibly earlier versions up to 1.16.4, which lack the security fixes.
Is CVE-2014-3127 still a threat today?
CVE-2014-3127 remains a threat for systems that have not been updated to secure versions of dpkg.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/severity
- agent/references
- agent/weakness
- agent/first-publish-date
- agent/description
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/source
- agent/tags
- agent/softwarecombine
- agent/event
- vendor/debian
- canonical/dpkg-dev
- version/dpkg-dev/1.16.0
- version/dpkg-dev/1.16.0.1
- version/dpkg-dev/1.16.0.2
- version/dpkg-dev/1.16.0.3
- version/dpkg-dev/1.16.1
- version/dpkg-dev/1.16.1.1
- version/dpkg-dev/1.16.1.2
- version/dpkg-dev/1.16.2
- version/dpkg-dev/1.16.3
- version/dpkg-dev/1.16.4
- version/dpkg-dev/1.16.4.1
- version/dpkg-dev/1.16.4.2
- version/dpkg-dev/1.16.4.3
- version/dpkg-dev/1.16.5
- version/dpkg-dev/1.16.6
- version/dpkg-dev/1.16.7
- version/dpkg-dev/1.16.8
- version/dpkg-dev/1.16.9
- version/dpkg-dev/1.16.10
- version/dpkg-dev/1.16.11
- version/dpkg-dev/1.16.12
- version/dpkg-dev/1.17.0
- version/dpkg-dev/1.17.1
- version/dpkg-dev/1.17.2
- version/dpkg-dev/1.17.3
- version/dpkg-dev/1.17.4
- version/dpkg-dev/1.17.5
- version/dpkg-dev/1.17.6
- version/dpkg-dev/1.17.7
- version/dpkg-dev/1.17.8
- version/dpkg-dev/1.15.0
- version/dpkg-dev/1.15.1
- version/dpkg-dev/1.15.2
- version/dpkg-dev/1.15.3
- version/dpkg-dev/1.15.3.1
- version/dpkg-dev/1.15.4
- version/dpkg-dev/1.15.4.1
- version/dpkg-dev/1.15.5
- version/dpkg-dev/1.15.5.1
- version/dpkg-dev/1.15.5.2
- version/dpkg-dev/1.15.5.3
- version/dpkg-dev/1.15.5.4
- version/dpkg-dev/1.15.5.5
- version/dpkg-dev/1.15.5.6
- version/dpkg-dev/1.15.6
- version/dpkg-dev/1.15.6.1
- version/dpkg-dev/1.15.7
- version/dpkg-dev/1.15.7.1
- version/dpkg-dev/1.15.7.2
- version/dpkg-dev/1.15.8
- version/dpkg-dev/1.15.8.1
- version/dpkg-dev/1.15.8.2
- version/dpkg-dev/1.15.8.3
- version/dpkg-dev/1.15.8.4
- version/dpkg-dev/1.15.8.5
- version/dpkg-dev/1.15.8.6
- version/dpkg-dev/1.15.8.7
- version/dpkg-dev/1.15.8.8
- version/dpkg-dev/1.15.8.9
- version/dpkg-dev/1.15.8.10
- version/dpkg-dev/1.15.8.11
- version/dpkg-dev/1.15.8.12
- version/dpkg-dev/1.15.8.13
- version/dpkg-dev/1.15.9