StarlingX

Debian: CVE-2022-1664:dpkg package is prone to a directory traversal vulnerability

Bug #1986486 reported by Wentao Zhang on 2022-08-15

256

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	StarlingX	Fix Released	Medium	Wentao Zhang

Bug Description

Title
-----
CVE-2022-1664: dpkg package is prone to a directory traversal vulnerability.

Brief Description
-----------------
Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.

NIST is here: https://nvd.nist.gov/vuln/detail/CVE-2022-1664

Severity
--------
<Minor: System/Feature is usable with minor issue>

Tags:

CVE References

2022-1664

Wentao Zhang (wzhang4) on 2022-08-15

information type:

Private Security → Public Security

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-08-15: Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/853083

Changed in starlingx:
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-09-07: Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/853083
Committed: https://opendev.org/starlingx/tools/commit/db307f0084483806b9ba37c23b665f7b270984cd
Submitter: "Zuul (22348)"
Branch: master

commit db307f0084483806b9ba37c23b665f7b270984cd
Author: Wentao Zhang <email address hidden>
Date: Mon Aug 15 10:40:17 2022 +0800

Debian: dpkg:fix CVE-2022-1664

Upgrade dpkg, dpkg-dev, libdpkg-perl to the version that
CVE-2022-1664 have been fixed:

    dpkg_1.20.9_amd64.deb to dpkg_1.20.10_amd64.deb
    dpkg-dev_1.20.9_all.deb to dpkg-dev_1.20.10_all.deb
    libdpkg-perl_1.20.9_all.deb to libdpkg-perl_1.20.10_all.deb

(Refer to https://security-tracker.debian.org/tracker/CVE-2022-1664)

    This fix provides the URL of the package in base-bullseye.lst to
    make sure that the binary package can be downloaded no matter how
    the upstream changes.

    Closes-bug: 1986486
    Signed-off-by: Wentao Zhang<email address hidden>
    Change-Id: Ie4e70e4da36f015424712459c2905f51927e20cd

Changed in starlingx:
status:	In Progress → Fix Released

Wentao Zhang (wzhang4) on 2022-09-07

Changed in starlingx:
assignee:	nobody → Wentao Zhang (wzhang4)

Ghada Khalil (gkhalil) on 2022-09-10

tags:	added: stx.8.0 stx.security
tags:	added: stx.debian
summary:	- CVE-2022-1664:dpkg package is prone to a directory traversal + Debian: CVE-2022-1664:dpkg package is prone to a directory traversal vulnerability

Ghada Khalil (gkhalil) on 2022-09-16

Changed in starlingx:
importance:	Undecided → Medium

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.