CVE-2014-3227

Publication date 30 May 2014

Last updated 24 July 2024

Ubuntu priority

dpkg 1.15.9, 1.16.x before 1.16.14, and 1.17.x before 1.17.9 expect the patch program to be compliant with a need for the "C-style encoded filenames" feature, but is supported in environments with noncompliant patch programs, which triggers an interaction error that allows remote attackers to conduct directory traversal attacks and modify files outside of the intended directories via a crafted source package. NOTE: this vulnerability exists because of reliance on unrealistic constraints on the behavior of an external program.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
dpkg	14.04 LTS trusty	Fixed 1.16.12ubuntu1.2
	13.10 saucy	Fixed 1.16.7ubuntu6.2
	12.04 LTS precise	Fixed 1.16.1.2ubuntu7.4
	10.04 LTS lucid	Fixed 1.15.5.6ubuntu4.8

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Other references

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746306
http://openwall.com/lists/oss-security/2014/05/29/16
http://openwall.com/lists/oss-security/2014/04/29/4
https://www.cve.org/CVERecord?id=CVE-2014-3227