CVE-2017-8283

Metadata

high
7.5
dpkg
CVE-2017-8283
cve.mitre.org, openwall.com
2017-04-26
2017-10-23 14:23
CVE-2017-8283 dpkg
2017-10-17 20:43
2017-07-20 21:33
2017-06-16 19:22
2017-06-15 17:13
2017-05-16 16:03
2017-05-10 23:54
2017-05-03 21:03
2017-04-27 20:03

Description

dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU patch program and does not offer a protection mechanism for blank-indented diff hunks, which allows remote attackers to conduct directory traversal attacks via a crafted Debian source package, as demonstrated by use of dpkg-source on NetBSD.

Am I vulnerable?

The constraints below list the versions that this vulnerability is patched in, and versions that are unaffected. If a patch is ready but unreleased, then it is pending.

Or, you can just let us figure it out for you! Appcanary continuously monitors your installed packages, and tells you if any of them are vulnerable.

Affected package information

Release       Package   Patched in
artful        dpkg      None
devel         dpkg      None
precise/esm   dpkg      None
trusty        dpkg      None
xenial        dpkg      None
zesty         dpkg      None

Unaffected

Release                      Package   Reason
precise                      dpkg      ignored
vivid/stable-phone-overlay   dpkg      ignored
vivid/ubuntu-core            dpkg      ignored
yakkety                      dpkg      ignored

Needs Triage

Release    Package   Reason
upstream   dpkg      needs-triage