CVE-2017-8283

Priority
Description
dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU patch
program and does not offer a protection mechanism for blank-indented diff
hunks, which allows remote attackers to conduct directory traversal attacks
via a crafted Debian source package, as demonstrated by use of dpkg-source
on NetBSD.
Notes
mdeslaur: This only affects operating systems that don't use GNU patch
by default, which isn't the case on Debian/Ubuntu. Setting
priority to negligible.
Package
Source: dpkg (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): needed
Ubuntu 14.04 ESM (Trusty Tahr): needed
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): needed
Ubuntu 19.04 (Disco Dingo): ignored (reached end-of-life)
Ubuntu 19.10 (Eoan Ermine): needed
Ubuntu 20.04 (Focal Fossa): needed
More Information

Updated: 2020-01-23 20:34:47 UTC (commit b4629892d998f2ede31f59bb7508dc50a92ac664)