Debian: CVE-2022-1664:dpkg package is prone to a directory traversal vulnerability

Bug #1986486 reported by Wentao Zhang
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Wentao Zhang
Milestone: (none)

Bug Description

Title
-----
CVE-2022-1664: dpkg package is prone to a directory traversal vulnerability.

Brief Description
-----------------
Dpkg::Source::Archive in dpkg, the Debian package management system, before versions 1.21.8, 1.20.10, 1.19.8 and 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in the v2 and v3 source package formats, which include a debian.tar, the in-place extraction can lead to directory traversal on specially crafted orig.tar and debian.tar tarballs.

NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2022-1664
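As an added illustration (not part of this bug report or of the dpkg fix), the following Python check lists tar members whose path or link target would land outside an assumed, notional extraction root (/extract, used only for path arithmetic); it builds a small constructed debian.tar-style archive to exercise the check.

```python
import io
import os
import tarfile
from typing import List

def escapes_root(root: str, candidate: str) -> bool:
    """Lexically resolve candidate under root and report whether it lands outside."""
    resolved = os.path.normpath(os.path.join(root, candidate))
    return os.path.commonpath([root, resolved]) != root

def unsafe_members(tar: tarfile.TarFile, root: str = "/extract") -> List[str]:
    """Names of members whose path or link target would leave root on extraction.
    root is a notional directory used only for path arithmetic; nothing is written."""
    bad = []
    for m in tar.getmembers():
        if os.path.isabs(m.name) or escapes_root(root, m.name):
            bad.append(m.name)
            continue
        if m.issym() or m.islnk():
            # Symlink targets resolve relative to the link's own directory;
            # hard-link targets name another member, relative to the archive root.
            base = os.path.dirname(m.name) if m.issym() else ""
            if os.path.isabs(m.linkname) or escapes_root(root, os.path.join(base, m.linkname)):
                bad.append(m.name)
    return bad

def build_sample_tar() -> bytes:
    """Constructed debian.tar-style archive: a benign file, a '../' path, an escaping symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [("debian/control", b"Source: demo\n"),
                           ("../../outside.txt", b"escaped\n")]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("debian/patches")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"  # resolves two levels above the extraction root
        tar.addfile(link)
    return buf.getvalue()

def scan(blob: bytes) -> List[str]:
    """Open an in-memory tarball and list the members a safe extractor must reject."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        return unsafe_members(tar)
```

Running `scan(build_sample_tar())` flags `../../outside.txt` and the `debian/patches` symlink while leaving `debian/control` alone; a safe extractor should refuse the whole archive when this list is non-empty rather than skipping individual members.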

Severity
--------
<Minor: System/Feature is usable with minor issue>

CVE References

Wentao Zhang (wzhang4)
information type: Private Security → Public Security
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/853083

Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/853083
Committed: https://opendev.org/starlingx/tools/commit/db307f0084483806b9ba37c23b665f7b270984cd
Submitter: "Zuul (22348)"
Branch: master

commit db307f0084483806b9ba37c23b665f7b270984cd
Author: Wentao Zhang <email address hidden>
Date: Mon Aug 15 10:40:17 2022 +0800

    Debian: dpkg:fix CVE-2022-1664

    Upgrade dpkg, dpkg-dev and libdpkg-perl to the version in which
    CVE-2022-1664 has been fixed:

    dpkg_1.20.9_amd64.deb to dpkg_1.20.10_amd64.deb
    dpkg-dev_1.20.9_all.deb to dpkg-dev_1.20.10_all.deb
    libdpkg-perl_1.20.9_all.deb to libdpkg-perl_1.20.10_all.deb

    (Refer to https://security-tracker.debian.org/tracker/CVE-2022-1664)

    This fix provides the URL of the package in base-bullseye.lst to
    make sure that the binary package can be downloaded no matter how
    the upstream changes.

    Closes-bug: 1986486
    Signed-off-by: Wentao Zhang <email address hidden>
    Change-Id: Ie4e70e4da36f015424712459c2905f51927e20cd

Changed in starlingx:
status: In Progress → Fix Released
Wentao Zhang (wzhang4)
Changed in starlingx:
assignee: nobody → Wentao Zhang (wzhang4)
Ghada Khalil (gkhalil)
tags: added: stx.8.0 stx.security
tags: added: stx.debian
summary: - CVE-2022-1664:dpkg package is prone to a directory traversal
+ Debian: CVE-2022-1664:dpkg package is prone to a directory traversal
vulnerability
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Medium
