CVE-2014-3227: Path Traversal
First published: Fri May 30 2014(Updated: )
dpkg 1.15.9, 1.16.x before 1.16.14, and 1.17.x before 1.17.9 expect the patch program to be compliant with a need for the "C-style encoded filenames" feature, but is supported in environments with noncompliant patch programs, which triggers an interaction error that allows remote attackers to conduct directory traversal attacks and modify files outside of the intended directories via a crafted source package. NOTE: this vulnerability exists because of reliance on unrealistic constraints on the behavior of an external program.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| dpkg-dev | =1.15.9 | |
| dpkg-dev | =1.16.0 | |
| dpkg-dev | =1.16.0.1 | |
| dpkg-dev | =1.16.0.2 | |
| dpkg-dev | =1.16.0.3 | |
| dpkg-dev | =1.16.1 | |
| dpkg-dev | =1.16.1.1 | |
| dpkg-dev | =1.16.1.2 | |
| dpkg-dev | =1.16.2 | |
| dpkg-dev | =1.16.3 | |
| dpkg-dev | =1.16.4 | |
| dpkg-dev | =1.16.4.1 | |
| dpkg-dev | =1.16.4.2 | |
| dpkg-dev | =1.16.4.3 | |
| dpkg-dev | =1.16.5 | |
| dpkg-dev | =1.16.6 | |
| dpkg-dev | =1.16.7 | |
| dpkg-dev | =1.16.8 | |
| dpkg-dev | =1.16.9 | |
| dpkg-dev | =1.16.10 | |
| dpkg-dev | =1.16.11 | |
| dpkg-dev | =1.16.12 | |
| dpkg-dev | =1.17.0 | |
| dpkg-dev | =1.17.1 | |
| dpkg-dev | =1.17.2 | |
| dpkg-dev | =1.17.3 | |
| dpkg-dev | =1.17.4 | |
| dpkg-dev | =1.17.5 | |
| dpkg-dev | =1.17.6 | |
| dpkg-dev | =1.17.7 | |
| dpkg-dev | =1.17.8 | |
| =1.15.9 | ||
| =1.16.0 | ||
| =1.16.0.1 | ||
| =1.16.0.2 | ||
| =1.16.0.3 | ||
| =1.16.1 | ||
| =1.16.1.1 | ||
| =1.16.1.2 | ||
| =1.16.2 | ||
| =1.16.3 | ||
| =1.16.4 | ||
| =1.16.4.1 | ||
| =1.16.4.2 | ||
| =1.16.4.3 | ||
| =1.16.5 | ||
| =1.16.6 | ||
| =1.16.7 | ||
| =1.16.8 | ||
| =1.16.9 | ||
| =1.16.10 | ||
| =1.16.11 | ||
| =1.16.12 | ||
| =1.17.0 | ||
| =1.17.1 | ||
| =1.17.2 | ||
| =1.17.3 | ||
| =1.17.4 | ||
| =1.17.5 | ||
| =1.17.6 | ||
| =1.17.7 | ||
| =1.17.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2014-3227?
CVE-2014-3227 is classified as a medium severity vulnerability.
How do I fix CVE-2014-3227?
To fix CVE-2014-3227, upgrade to dpkg version 1.16.14 or later.
What systems are affected by CVE-2014-3227?
CVE-2014-3227 affects Debian dpkg versions 1.15.9, 1.16.x before 1.16.14, and 1.17.x before 1.17.9.
What type of attack does CVE-2014-3227 allow?
CVE-2014-3227 allows remote attackers to execute arbitrary commands through malformed patch files.
Is CVE-2014-3227 still a risk in newer versions of dpkg?
No, CVE-2014-3227 has been patched in dpkg versions 1.16.14 and later.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/author
- agent/severity
- agent/weakness
- agent/description
- agent/first-publish-date
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- agent/event
- vendor/debian
- canonical/dpkg-dev
- version/dpkg-dev/1.15.9
- version/dpkg-dev/1.16.0
- version/dpkg-dev/1.16.0.1
- version/dpkg-dev/1.16.0.2
- version/dpkg-dev/1.16.0.3
- version/dpkg-dev/1.16.1
- version/dpkg-dev/1.16.1.1
- version/dpkg-dev/1.16.1.2
- version/dpkg-dev/1.16.2
- version/dpkg-dev/1.16.3
- version/dpkg-dev/1.16.4
- version/dpkg-dev/1.16.4.1
- version/dpkg-dev/1.16.4.2
- version/dpkg-dev/1.16.4.3
- version/dpkg-dev/1.16.5
- version/dpkg-dev/1.16.6
- version/dpkg-dev/1.16.7
- version/dpkg-dev/1.16.8
- version/dpkg-dev/1.16.9
- version/dpkg-dev/1.16.10
- version/dpkg-dev/1.16.11
- version/dpkg-dev/1.16.12
- version/dpkg-dev/1.17.0
- version/dpkg-dev/1.17.1
- version/dpkg-dev/1.17.2
- version/dpkg-dev/1.17.3
- version/dpkg-dev/1.17.4
- version/dpkg-dev/1.17.5
- version/dpkg-dev/1.17.6
- version/dpkg-dev/1.17.7
- version/dpkg-dev/1.17.8