CVE-2014-3127

2014-05-1400:00:00

ubuntu.com

CVSS2

7.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:H/Au:N/C:N/I:C/A:C

EPSS

0.012

Percentile

85.3%

JSON

dpkg 1.15.9 on Debian squeeze introduces support for the “C-style encoded
filenames” feature without recognizing that the squeeze patch program lacks
this feature, which triggers an interaction error that allows remote
attackers to conduct directory traversal attacks and modify files outside
of the intended directories via a crafted source package. NOTE: this can
be considered a release engineering problem in the effort to fix
CVE-2014-0471.

Bugs

<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746306>

OSVersionArchitecturePackageVersionFilename
ubuntu10.04noarchdpkg< 1.15.5.6ubuntu4.8UNKNOWN
ubuntu12.04noarchdpkg< 1.16.1.2ubuntu7.4UNKNOWN
ubuntu12.10noarchdpkg< 1.16.7ubuntu6.2UNKNOWN
ubuntu13.10noarchdpkg< 1.16.12ubuntu1.2UNKNOWN
ubuntu14.04noarchdpkg< 1.17.5ubuntu5.2UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	10.04	noarch	dpkg	< 1.15.5.6ubuntu4.8	UNKNOWN
ubuntu	12.04	noarch	dpkg	< 1.16.1.2ubuntu7.4	UNKNOWN
ubuntu	12.10	noarch	dpkg	< 1.16.7ubuntu6.2	UNKNOWN
ubuntu	13.10	noarch	dpkg	< 1.16.12ubuntu1.2	UNKNOWN
ubuntu	14.04	noarch	dpkg	< 1.17.5ubuntu5.2	UNKNOWN