| Field | Value |
|---|---|
| purl | pkg:deb/debian/dpkg@1.20.13?distro=trixie |

| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-1786-vddy-dfbz (Aliases: CVE-2025-6297) | It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is documented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given automated and repeated execution of dpkg-deb commands on adversarial .deb packages or with well compressible files, placed inside a directory with permissions not allowing removal by a non-root user, this can end up in a DoS scenario due to causing disk quota exhaustion or disk full conditions. | Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1vu9-xzw9-kfe2 | zlib DoS | CVE-2005-2096 |
| VCID-6znq-56pa-tyet | A malicious tar archive could trigger a buffer overflow in GNU tar, potentially resulting in the execution of arbitrary code. | CVE-2006-0300 |
| VCID-7stw-fbe7-p3am | security update | CVE-2014-3864 |
| VCID-9vsz-8751-wkgm | security update | CVE-2014-3127 |
| VCID-bx4a-22qt-qyg9 | security update | CVE-2014-0471 |
| VCID-e1fu-mzvj-xydx | dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU patch program and does not offer a protection mechanism for blank-indented diff hunks, which allows remote attackers to conduct directory traversal attacks via a crafted Debian source package, as demonstrated by use of dpkg-source on NetBSD. | CVE-2017-8283 |
| VCID-ec4e-5j15-ekd9 | It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU). | CVE-2026-2219 |
| VCID-g22y-46dt-syd5 | dpkg 1.9.21 does not properly reset the metadata of a file during replacement of the file in a package upgrade, which might allow local users to gain privileges by creating a hard link to a vulnerable (1) setuid file, (2) setgid file, or (3) device, a related issue to CVE-2010-2059. | CVE-2004-2768 |
| VCID-m1j5-hyhj-xyb4 | dpkg: path traversal issue | CVE-2010-0396 |
| VCID-m649-my8s-eqgk | security update | CVE-2014-3865 |
| VCID-qpz9-gs1s-ffd3 | security update | CVE-2014-3227 |
| VCID-r8g2-smun-abgv | Directory traversal vulnerability in dpkg-source in dpkg before 1.14.31 and 1.15.x allows user-assisted remote attackers to modify arbitrary files via directory traversal sequences in a patch for a source-format 3.0 package. | CVE-2010-1679 |
| VCID-strx-c9sj-9bbb | A vulnerability was discovered in dpkg which could potentially lead to arbitrary code execution. | CVE-2015-0860 |
| VCID-uf6j-uvg9-63d6 | dpkg-source in dpkg before 1.14.31 and 1.15.x allows user-assisted remote attackers to modify arbitrary files via a symlink attack on unspecified files in the .pc directory. | CVE-2011-0402 |
| VCID-umm6-cgs8-pyg3 | Multiple format string vulnerabilities in the parse_error_msg function in parsehelp.c in dpkg before 1.17.22 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in the (1) package or (2) architecture name. | CVE-2014-8625 |
| VCID-xxdx-hfvz-tfaf | A vulnerability has been discovered in dpkg, which allows for directory traversal. | CVE-2022-1664 |
| VCID-zypq-un6n-eugq | security update | CVE-2015-0840 |