dpkg: Directory Traversal — GLSA 202408-30

A vulnerability has been discovered in dpkg, which allows for directory traversal.

Affected packages

app-arch/dpkg on all architectures
Affected versions < 1.20.9-r1
Unaffected versions >= 1.20.9-r1

Background

Debian package management system.

Description

Please review the CVE identifier referenced below for details.

Impact

Dpkg::Source::Archive in dpkg, the Debian package management system, is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.
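The defensive counterpart to the flaw described above is to audit a source tarball's member paths and link targets before extracting it in place. The following is an added example, not dpkg's own code: it builds a constructed sample "debian.tar" in memory and reports every entry whose normalised path, symlink target or hardlink target would land outside the extraction root; the helper names (path_escapes, audit_tar, build_sample_tar) are this example's own.

```python
import io
import posixpath
import tarfile


def path_escapes(name: str) -> bool:
    """True if a member path, once normalised, would land outside the extraction root."""
    if name.startswith("/"):
        return True
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")


def audit_tar(data: bytes) -> list[str]:
    """Return 'member: reason' findings for entries that could escape the root.

    Checks file/dir names, symlink targets (resolved relative to the link's
    own directory) and hardlink targets (relative to the archive root).
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            if path_escapes(m.name):
                findings.append(f"{m.name}: path escapes extraction root")
            if m.issym():
                target = posixpath.join(posixpath.dirname(m.name), m.linkname)
                if m.linkname.startswith("/") or path_escapes(target):
                    findings.append(f"{m.name}: symlink -> {m.linkname} escapes")
            elif m.islnk() and path_escapes(m.linkname):
                findings.append(f"{m.name}: hardlink -> {m.linkname} escapes")
    return findings


def build_sample_tar() -> bytes:
    """Constructed sample 'debian.tar': one benign file, one traversal path, one escaping symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body in (("debian/control", b"Source: demo\n"),
                           ("debian/../../outside.txt", b"escaped\n")):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
        link = tarfile.TarInfo("debian/patches")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../etc"
        tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for line in audit_tar(build_sample_tar()):
        print(line)
```

This audits one archive at a time; it does not catch the in-place case where a symlink created by orig.tar is later followed while debian.tar is extracted over it, so each archive in a source package should be audited and extraction should still refuse to follow pre-existing symlinks.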

Workaround

There is no known workaround at this time.

Resolution

All dpkg users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-arch/dpkg-1.20.9-r1"

Release date
August 12, 2024

Latest revision
August 12, 2024: 1

Severity
normal

Exploitable
local
