CVE-2017-8283

Priority
Negligible
Description
dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU patch
program and does not offer a protection mechanism for blank-indented diff
hunks, which allows remote attackers to conduct directory traversal attacks
via a crafted Debian source package, as demonstrated by use of dpkg-source
on NetBSD.
Notes
 mdeslaur> This only affects operating systems that don't use GNU patch
 mdeslaur> by default, which isn't the case on Debian/Ubuntu. Setting
 mdeslaur> priority to negligible.
Package
Source: dpkg (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 17.10 (Artful Aardvark): needed
Ubuntu 12.04 ESM (Precise Pangolin): needed
Ubuntu 14.04 LTS (Trusty Tahr): needed
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 17.04 (Zesty Zapus): needed

Updated: 2017-10-17 19:14:48 UTC (commit 13537)