VYPR

Dpkg

by Debian

CVEs (14)

  • CVE-2017-8283  Critical  Apr 26, 2017
    risk 0.64  cvss 9.8  epss 0.05

    dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU patch program and does not offer a protection mechanism for blank-indented diff hunks, which allows remote attackers to conduct directory traversal attacks via a crafted Debian source package, as demonstrated by…

  • CVE-2026-2219  High  Mar 7, 2026
    risk 0.49  cvss 7.5  epss 0.00

    It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).

  • CVE-2025-6297  Jul 1, 2025
    risk 0.00  cvss n/a  epss 0.00

    It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is documented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given…

  • CVE-2022-1664  May 26, 2022
    risk 0.00  cvss n/a  epss 0.03

    Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the…

  • CVE-2015-0860  Dec 3, 2015
    risk 0.00  cvss n/a  epss 0.05

    Off-by-one error in the extracthalf function in dpkg-deb/extract.c in the dpkg-deb component in Debian dpkg 1.16.x before 1.16.17 and 1.17.x before 1.17.26 allows remote attackers to execute arbitrary code via the archive magic version number in an "old-style" Debian binary…

  • CVE-2015-0840  Apr 13, 2015
    risk 0.00  cvss n/a  epss 0.02

    The dpkg-source command in Debian dpkg before 1.16.16 and 1.17.x before 1.17.25 allows remote attackers to bypass signature verification via a crafted Debian source control file (.dsc).

  • CVE-2014-8625  Jan 20, 2015
    risk 0.00  cvss n/a  epss 0.03

    Multiple format string vulnerabilities in the parse_error_msg function in parsehelp.c in dpkg before 1.17.22 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in the (1) package or (2) architecture name.

  • CVE-2014-3227  May 30, 2014
    risk 0.00  cvss n/a  epss 0.02

    dpkg 1.15.9, 1.16.x before 1.16.14, and 1.17.x before 1.17.9 expect the patch program to support the "C-style encoded filenames" feature, but are also used in environments with noncompliant patch programs, which triggers an interaction error that allows…

  • CVE-2014-3127  May 14, 2014
    risk 0.00  cvss n/a  epss 0.02

    dpkg 1.15.9 on Debian squeeze introduces support for the "C-style encoded filenames" feature without recognizing that the squeeze patch program lacks this feature, which triggers an interaction error that allows remote attackers to conduct directory traversal attacks and modify…

  • CVE-2014-0471  Apr 30, 2014
    risk 0.00  cvss n/a  epss 0.03

    Directory traversal vulnerability in the unpacking functionality in dpkg before 1.15.9, 1.16.x before 1.16.13, and 1.17.x before 1.17.8 allows remote attackers to write arbitrary files via a crafted source package, related to "C-style filename quoting."

  • CVE-2011-0402  Jan 11, 2011
    risk 0.00  cvss n/a  epss 0.03

    dpkg-source in dpkg before 1.14.31 and 1.15.x allows user-assisted remote attackers to modify arbitrary files via a symlink attack on unspecified files in the .pc directory.

  • CVE-2010-1679  Jan 11, 2011
    risk 0.00  cvss n/a  epss 0.03

    Directory traversal vulnerability in dpkg-source in dpkg before 1.14.31 and 1.15.x allows user-assisted remote attackers to modify arbitrary files via directory traversal sequences in a patch for a source-format 3.0 package.

  • CVE-2004-2768  Jun 8, 2010
    risk 0.00  cvss n/a  epss 0.00

    dpkg 1.9.21 does not properly reset the metadata of a file during replacement of the file in a package upgrade, which might allow local users to gain privileges by creating a hard link to a vulnerable (1) setuid file, (2) setgid file, or (3) device, a related issue to…

  • CVE-2010-0396  Mar 15, 2010
    risk 0.00  cvss n/a  epss 0.02

    Directory traversal vulnerability in the dpkg-source component in dpkg before 1.14.29 allows remote attackers to modify arbitrary files via a crafted Debian source archive.
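Half of the entries in this list (CVE-2010-0396, CVE-2010-1679, CVE-2014-0471, CVE-2014-3127, CVE-2014-3227, CVE-2017-8283 and CVE-2022-1664) are one recurring failure: dpkg-source trusted a member name inside a debian.tar, or a file name in a patch header, without confirming that it stayed inside the unpack directory. The following is an added example, not code from dpkg or Debian, of the pre-flight scan a practitioner can run over an untrusted source package before handing it to a dpkg-source that may predate those fixes. It assumes patches are applied with -p1 (the default dpkg-source uses), approximates patch's C-style filename quoting with Python's own escape decoder, and treats an indented diff header as suspicious rather than ignoring it, since a lenient patch program may still honour it. The tarball and patch it scans are constructed for the example.

```python
"""Pre-flight checks for an untrusted Debian source package.

Added example, not dpkg's own code: before handing a source package to a
dpkg-source that may predate the traversal fixes, look for tarball members
and patch file headers whose paths would escape the unpack directory.
All sample inputs below are constructed.
"""
import io
import posixpath
import re
import tarfile

# Unified-diff file header ("--- name" / "+++ name"), optionally indented and
# optionally C-style quoted (patch quotes names containing odd characters).
# Indentation is captured so an indented header is reported, not ignored.
_HEADER = re.compile(r'^(?P<indent>\s*)(?:\+\+\+|---) (?P<name>"(?:[^"\\]|\\.)*"|\S+)')


def escapes_root(path: str) -> bool:
    """True if a POSIX path, applied relative to an unpack root, would land
    outside that root (empty, absolute, or normalising to start with '..')."""
    if not path or posixpath.isabs(path):
        return True
    norm = posixpath.normpath(path)
    return norm == '..' or norm.startswith('../')


def decode_patch_name(raw: str) -> str:
    """Undo C-style quoting of a patch header name. Assumption: Python's
    escape decoder is close enough (newline, tab, backslash, quote, octal)."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].encode('latin-1').decode('unicode_escape')
    return raw


def unsafe_tar_members(data: bytes) -> list[str]:
    """One problem per member that could write outside the extraction root:
    absolute or '..' names, links whose target leaves the tree, device nodes."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(data), mode='r:*') as tar:
        for m in tar:
            if escapes_root(m.name):
                problems.append(f'{m.name}: name escapes root')
            elif m.issym() and escapes_root(
                    posixpath.join(posixpath.dirname(m.name), m.linkname)):
                # symlink targets resolve relative to the link's own directory
                problems.append(f'{m.name}: symlink target {m.linkname!r} escapes root')
            elif m.islnk() and escapes_root(m.linkname):
                # hard-link targets are archive-relative
                problems.append(f'{m.name}: hardlink target {m.linkname!r} escapes root')
            elif m.isdev():
                problems.append(f'{m.name}: device node')
    return problems


def unsafe_patch_targets(patch_text: str, strip: int = 1) -> list[str]:
    """Problems for file headers whose target, after dropping `strip` leading
    components the way patch -p<strip> does, would escape the source tree,
    plus any header that is indented."""
    problems = []
    for line in patch_text.splitlines():
        mt = _HEADER.match(line)
        if not mt:
            continue
        name = decode_patch_name(mt.group('name'))
        if mt.group('indent'):
            problems.append(f'{name}: indented diff header')
        if name == '/dev/null':          # file creation/deletion marker
            continue
        # GNU patch counts adjacent slashes as one when stripping components
        target = '/'.join(re.split('/+', name)[strip:])
        if not target:
            problems.append(f'{name}: too few path components for -p{strip}')
        elif escapes_root(target):
            problems.append(f'{name}: target escapes source tree')
    return problems


def build_sample_tar() -> bytes:
    """Constructed debian.tar: one normal file, one '..' name, one symlink out."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode='w') as tar:
        def add(name, data=b'', kind=tarfile.REGTYPE, linkname=''):
            ti = tarfile.TarInfo(name)
            ti.type, ti.linkname, ti.size = kind, linkname, len(data)
            tar.addfile(ti, io.BytesIO(data))
        add('debian/control', b'Source: demo\n')
        add('debian/../../.ssh/authorized_keys', b'ssh-ed25519 AAAA constructed\n')
        add('debian/escape', kind=tarfile.SYMTYPE, linkname='../../../etc')
    return buf.getvalue()


# Constructed patch: a clean hunk, an octal-quoted name hiding "../..", and
# two indented headers (one of which also escapes the tree).
SAMPLE_PATCH = r"""--- a/src/main.c
+++ b/src/main.c
@@ -1 +1 @@
-int x;
+int y;
--- /dev/null
+++ "b/\056\056/\056\056/etc/cron.d/job"
@@ -0,0 +1 @@
+* * * * * root /tmp/payload
  --- a/README
  +++ b/../../.bashrc
@@ -1 +1 @@
-old
+new
"""

if __name__ == '__main__':
    for p in unsafe_tar_members(build_sample_tar()) + unsafe_patch_targets(SAMPLE_PATCH):
        print('REJECT', p)
```

The octal-quoted header is the case the C-style quoting CVEs describe: the raw text contains no literal `..`, so a checker that does not decode the quoting passes it while patch writes through `../..`. A rejected archive is the only safe outcome; do not try to rewrite member names and continue.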