Bug 1199944 (CVE-2022-1664)

Summary: VUL-1: CVE-2022-1664: dpkg: dpkg -- security update
Product: [Novell Products] SUSE Security Incidents Reporter: Gabriele Sonnu <gabriele.sonnu>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P4 - Low CC: abergmann, pgajdos, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/332928/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-1664:4.4:(AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Gabriele Sonnu 2022-05-26 12:59:18 UTC
Max Justicz reported a directory traversal vulnerability in
Dpkg::Source::Archive in dpkg, the Debian package management system.
This affects extracting untrusted source packages in the v2 and v3
source package formats that include a debian.tar.
For the oldstable distribution (buster), this problem has been fixed
in version 1.19.8.
For the stable distribution (bullseye), this problem has been fixed in
version 1.20.10.
We recommend that you upgrade your dpkg packages.
For the detailed security status of dpkg please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/dpkg

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1664
http://www.debian.org/security/-1/dsa-5147
Comment 1 Petr Gajdos 2022-05-27 09:35:45 UTC
Submitted for 15/dpkg and 12sp2/dpkg (if something is missing, let me know).
Comment 2 Petr Gajdos 2022-05-27 09:53:25 UTC
Submitted also into devel project:
https://build.opensuse.org/request/show/979458
Comment 4 Petr Gajdos 2022-05-30 08:46:39 UTC
Requests were accepted.
Comment 5 Swamp Workflow Management 2022-08-05 19:17:34 UTC
SUSE-SU-2022:2689-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1199944
CVE References: CVE-2022-1664
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    update-alternatives-1.18.4-16.3.5

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Alexander Bergmann 2022-08-10 11:34:58 UTC
Analysis of the problem in regard of 'dpkg' and 'update-alternatives':

The affected code is inside the Perl implementation of Dpkg::Source::Archive. So only if the Perl module is used the problem exists.

The 'dpkg' command line tool on the other hand is implemented in C and does not inherit the issue in any way. The same goes for the 'update-alternatives' command line tool.