Skip to main content

Dpkg

9 CVEs product

Monthly

CVE-2025-6297 HIGH PATCH This Week

It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is documented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given automated and repeated execution of dpkg-deb commands on adversarial .deb packages or with well compressible files, placed inside a directory with permissions not allowing removal by a non-root user, this can end up in a DoS scenario due to causing disk quota exhaustion or disk full conditions.

Denial Of Service Dpkg
NVD VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2022-1664 CRITICAL PATCH Act Now

Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Debian Path Traversal Dpkg Debian Linux Ontap Select Deploy Administration Utility
NVD
CVSS 3.1
9.8
EPSS
2.9%
CVE-2017-8283 CRITICAL PATCH Act Now

dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU patch program and does not offer a protection mechanism for blank-indented diff hunks, which allows remote attackers to conduct. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Debian Dpkg
NVD
CVSS 3.0
9.8
EPSS
1.1%
CVE-2015-0860 HIGH This Week

Off-by-one error in the extracthalf function in dpkg-deb/extract.c in the dpkg-deb component in Debian dpkg 1.16.x before 1.16.17 and 1.17.x before 1.17.26 allows remote attackers to execute. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Debian RCE Buffer Overflow Ubuntu Linux Dpkg
NVD
CVSS 2.0
7.5
EPSS
4.9%
CVE-2015-0840 MEDIUM PATCH This Month

The dpkg-source command in Debian dpkg before 1.16.16 and 1.17.x before 1.17.25 allows remote attackers to bypass signature verification via a crafted Debian source control file (.dsc). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Debian Authentication Bypass Dpkg Ubuntu Linux
NVD
CVSS 2.0
4.3
EPSS
0.6%
CVE-2014-8625 MEDIUM POC This Month

Multiple format string vulnerabilities in the parse_error_msg function in parsehelp.c in dpkg before 1.17.22 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

RCE Denial Of Service Dpkg
NVD
CVSS 2.0
6.8
EPSS
2.5%
CVE-2014-3227 MEDIUM This Month

dpkg 1.15.9, 1.16.x before 1.16.14, and 1.17.x before 1.17.9 expect the patch program to be compliant with a need for the "C-style encoded filenames" feature, but is supported in environments with. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Dpkg
NVD
CVSS 2.0
6.4
EPSS
0.6%
CVE-2014-3127 HIGH This Week

dpkg 1.15.9 on Debian squeeze introduces support for the "C-style encoded filenames" feature without recognizing that the squeeze patch program lacks this feature, which triggers an interaction error. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Path Traversal Debian Dpkg
NVD
CVSS 2.0
7.1
EPSS
0.8%
CVE-2014-0471 MEDIUM This Month

Directory traversal vulnerability in the unpacking functionality in dpkg before 1.15.9, 1.16.x before 1.16.13, and 1.17.x before 1.17.8 allows remote attackers to write arbitrary files via a crafted. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Dpkg Ubuntu Linux
NVD VulDB
CVSS 2.0
5.0
EPSS
0.2%
EPSS 0% CVSS 8.2
HIGH PATCH This Week

It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is documented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given automated and repeated execution of dpkg-deb commands on adversarial .deb packages or with well compressible files, placed inside a directory with permissions not allowing removal by a non-root user, this can end up in a DoS scenario due to causing disk quota exhaustion or disk full conditions.

Denial Of Service Dpkg
NVD VulDB
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Debian Path Traversal Dpkg +2
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU patch program and does not offer a protection mechanism for blank-indented diff hunks, which allows remote attackers to conduct. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Debian Dpkg
NVD
EPSS 5% CVSS 7.5
HIGH This Week

Off-by-one error in the extracthalf function in dpkg-deb/extract.c in the dpkg-deb component in Debian dpkg 1.16.x before 1.16.17 and 1.17.x before 1.17.26 allows remote attackers to execute. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Debian RCE Buffer Overflow +2
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

The dpkg-source command in Debian dpkg before 1.16.16 and 1.17.x before 1.17.25 allows remote attackers to bypass signature verification via a crafted Debian source control file (.dsc). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Debian Authentication Bypass Dpkg +1
NVD
EPSS 2% CVSS 6.8
MEDIUM POC This Month

Multiple format string vulnerabilities in the parse_error_msg function in parsehelp.c in dpkg before 1.17.22 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

RCE Denial Of Service Dpkg
NVD
EPSS 1% CVSS 6.4
MEDIUM This Month

dpkg 1.15.9, 1.16.x before 1.16.14, and 1.17.x before 1.17.9 expect the patch program to be compliant with a need for the "C-style encoded filenames" feature, but is supported in environments with. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Dpkg
NVD
EPSS 1% CVSS 7.1
HIGH This Week

dpkg 1.15.9 on Debian squeeze introduces support for the "C-style encoded filenames" feature without recognizing that the squeeze patch program lacks this feature, which triggers an interaction error. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Path Traversal Debian Dpkg
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

Directory traversal vulnerability in the unpacking functionality in dpkg before 1.15.9, 1.16.x before 1.16.13, and 1.17.x before 1.17.8 allows remote attackers to write arbitrary files via a crafted. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Dpkg Ubuntu Linux
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy