VulnerableCode Package Details - pkg:deb/debian/dpkg@1.22.22

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-1786-vddy-dfbz	It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is documented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given automated and repeated execution of dpkg-deb commands on adversarial .deb packages or with well compressible files, placed inside a directory with permissions not allowing removal by a non-root user, this can end up in a DoS scenario due to causing disk quota exhaustion or disk full conditions.	CVE-2025-6297
VCID-ec4e-5j15-ekd9	It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).	CVE-2026-2219

Vulnerability

Summary

Aliases

VCID-1786-vddy-dfbz

It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is documented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given automated and repeated execution of dpkg-deb commands on adversarial .deb packages or with well compressible files, placed inside a directory with permissions not allowing removal by a non-root user, this can end up in a DoS scenario due to causing disk quota exhaustion or disk full conditions.

CVE-2025-6297

VCID-ec4e-5j15-ekd9

It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).

CVE-2026-2219

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T10:32:00.471266+00:00	Debian Importer	Fixing	VCID-ec4e-5j15-ekd9	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T08:41:47.562978+00:00	Debian Importer	Fixing	VCID-1786-vddy-dfbz	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T07:06:37.384404+00:00	Debian Importer	Fixing	VCID-ec4e-5j15-ekd9	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T17:50:39.473593+00:00	Debian Importer	Fixing	VCID-1786-vddy-dfbz	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-02T17:08:27.296851+00:00	Debian Importer	Fixing	VCID-ec4e-5j15-ekd9	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-02T17:02:22.107439+00:00	Debian Importer	Fixing	VCID-1786-vddy-dfbz	https://security-tracker.debian.org/tracker/data/json	38.1.0