CVE-2022-1664: directory traversal for in-place extracts with untrusted v2 and v3 source packages with debian.tar
First published: Thu May 26 2022(Updated: )
Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.
Credit: security@debian.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Debian dpkg | >=1.14.17<1.18.26 | |
| Debian dpkg | >=1.19.0<1.19.8 | |
| Debian dpkg | >=1.20.0<1.20.10 | |
| Debian dpkg | >=1.21.0<1.21.8 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| NetApp ONTAP Select Deploy administration utility |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=1f23dddc17f69c9598477098c7fb9936e15fa495
- https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=58814cacee39c4ce9e2cd0e3a3b9b57ad437eff5
- https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=7a6c03cb34d4a09f35df2f10779cbf1b70a5200b
- https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=faa4c92debe45412bfcf8a44f26e827800bb24be
- https://lists.debian.org/debian-lts-announce/2022/05/msg00033.html
- https://lists.debian.org/debian-security-announce/2022/msg00115.html
- https://security.netapp.com/advisory/ntap-20221007-0002/
Frequently Asked Questions
What is CVE-2022-1664?
CVE-2022-1664 is a directory traversal vulnerability in dpkg, the Debian package management system.
What is the severity of CVE-2022-1664?
CVE-2022-1664 has a severity rating of 9.8 (Critical).
Which versions of dpkg are affected by CVE-2022-1664?
Versions 1.14.17 to 1.21.8 of dpkg are affected by CVE-2022-1664.
How can I fix CVE-2022-1664?
To fix CVE-2022-1664, update dpkg to version 1.21.8, 1.20.10, 1.19.8, or 1.18.26.
Are there any references for CVE-2022-1664?
Yes, you can find references for CVE-2022-1664 [here](https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=1f23dddc17f69c9598477098c7fb9936e15fa495), [here](https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=58814cacee39c4ce9e2cd0e3a3b9b57ad437eff5), and [here](https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=7a6c03cb34d4a09f35df2f10779cbf1b70a5200b).
- collector/nvd-index
- agent/type
- agent/remedy
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/severity
- agent/weakness
- agent/references
- agent/tags
- agent/title
- agent/first-publish-date
- agent/last-modified-date
- agent/description
- agent/event
- vendor/debian
- canonical/debian dpkg
- version/debian dpkg/1.14.17
- version/debian dpkg/1.19.0
- version/debian dpkg/1.20.0
- version/debian dpkg/1.21.0
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- vendor/netapp
- canonical/netapp ontap select deploy administration utility