CVE-2022-1664

Name
CVE-2022-1664
Description
Dpkg::Source::Archive in dpkg, the Debian package management system, before versions 1.21.8, 1.20.10, 1.19.8 and 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal on specially crafted orig.tar and debian.tar tarballs.
NVD Severity
high

References

Type     URI
MISC     https://lists.debian.org/debian-security-announce/2022/msg00115.html
MISC     https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=faa4c92debe45412bfcf8a44f26e827800bb24be
MISC     https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=7a6c03cb34d4a09f35df2f10779cbf1b70a5200b
MISC     https://lists.debian.org/debian-lts-announce/2022/05/msg00033.html
MISC     https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=58814cacee39c4ce9e2cd0e3a3b9b57ad437eff5
MISC     https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=1f23dddc17f69c9598477098c7fb9936e15fa495
CONFIRM  https://security.netapp.com/advisory/ntap-20221007-0002/

Match rules

CPE URI                                   Source package   Min version   Max version
cpe:2.3:a:debian:dpkg:*:*:*:*:*:*:*:*     dpkg             >= 1.21.0     < 1.21.8
cpe:2.3:a:debian:dpkg:*:*:*:*:*:*:*:*     dpkg             >= 1.20.0     < 1.20.10
cpe:2.3:a:debian:dpkg:*:*:*:*:*:*:*:*     dpkg             >= 1.19.0     < 1.19.8
cpe:2.3:a:debian:dpkg:*:*:*:*:*:*:*:*     dpkg             >= 1.14.17    < 1.18.26

Vulnerable and fixed packages

Source package   Branch      Version     Maintainer                              Status
dpkg             3.16-main   1.21.8-r0   Natanael Copa <ncopa@alpinelinux.org>   fixed
dpkg             3.15-main   1.20.10-r0  Natanael Copa <ncopa@alpinelinux.org>   fixed
dpkg             3.14-main   1.20.10-r0  Natanael Copa <ncopa@alpinelinux.org>   fixed
dpkg             3.13-main   1.20.10-r0  Natanael Copa <ncopa@alpinelinux.org>   fixed