Bugzilla – Full Text Bug Listing
Summary: VUL-1: CVE-2022-1664: dpkg: dpkg -- security update
Product: [Novell Products] SUSE Security Incidents
Reporter: Gabriele Sonnu <gabriele.sonnu>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Priority: P4 - Low
CC: abergmann, pgajdos, security-team
Found By: Security Response Team
Services Priority:
Marketing QA Status: ---
IT Deployment: ---
Description Gabriele Sonnu 2022-05-26 12:59:18 UTC
Max Justicz reported a directory traversal vulnerability in Dpkg::Source::Archive in dpkg, the Debian package management system. This affects extracting untrusted source packages in the v2 and v3 source package formats that include a debian.tar.

For the oldstable distribution (buster), this problem has been fixed in version 1.19.8.

For the stable distribution (bullseye), this problem has been fixed in version 1.20.10.

We recommend that you upgrade your dpkg packages.

For the detailed security status of dpkg please refer to its security tracker page at: https://security-tracker.debian.org/tracker/dpkg

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1664
http://www.debian.org/security/-1/dsa-5147
Comment 1 Petr Gajdos 2022-05-27 09:35:45 UTC
Submitted for 15/dpkg and 12sp2/dpkg (if something is missing, let me know).
Comment 2 Petr Gajdos 2022-05-27 09:53:25 UTC
Submitted also into devel project: https://build.opensuse.org/request/show/979458
Comment 4 Petr Gajdos 2022-05-30 08:46:39 UTC
Requests were accepted.
Comment 5 Swamp Workflow Management 2022-08-05 19:17:34 UTC
SUSE-SU-2022:2689-1: An update that fixes one vulnerability is now available.
Category: security (low)
Bug References: 1199944
CVE References: CVE-2022-1664
JIRA References:
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src): update-alternatives-1.18.4-16.3.5
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Alexander Bergmann 2022-08-10 11:34:58 UTC
Analysis of the problem in regard to 'dpkg' and 'update-alternatives': the affected code is inside the Perl implementation of Dpkg::Source::Archive, so the problem exists only if the Perl module is used. The 'dpkg' command line tool, on the other hand, is implemented in C and does not inherit the issue in any way. The same goes for the 'update-alternatives' command line tool.
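The bug class named in the description and located by Comment 6 is a member of an untrusted debian.tar whose name or link target escapes the directory the source package is being unpacked into. The Python below is an added example, not dpkg's Perl code and not the upstream fix: it builds a small constructed archive that mixes benign members with three hostile ones (a '..' component, an absolute name, and a symlink pointing outside the destination) and applies the kind of per-member containment check an extractor needs before writing anything. All function names, the sample member names and the temporary destination are assumptions made for illustration.

```python
"""Traversal-safe extraction of a debian.tar-style archive (added example, not dpkg code)."""
import io
import os
import tarfile
import tempfile
from pathlib import PurePosixPath


def _inside(dest_real: str, path: str) -> bool:
    """True if `path`, after resolving symlinks already on disk, is dest_real or beneath it."""
    resolved = os.path.realpath(path)
    return os.path.commonpath([dest_real, resolved]) == dest_real


def is_member_safe(member: tarfile.TarInfo, dest: str) -> bool:
    """Decide whether writing `member` under `dest` could touch anything outside `dest`.

    Three escape routes are closed: absolute member names, '..' path components,
    and symlink/hardlink members whose target resolves outside the destination.
    """
    dest_real = os.path.realpath(dest)
    name = PurePosixPath(member.name)
    if name.is_absolute() or ".." in name.parts:
        return False
    target = os.path.join(dest_real, member.name)
    if not _inside(dest_real, target):
        return False
    if member.issym():
        # A symlink target is interpreted relative to the directory holding the link.
        link_base = os.path.dirname(target)
        return _inside(dest_real, os.path.join(link_base, member.linkname))
    if member.islnk():
        # A hard link target is interpreted relative to the archive root.
        return _inside(dest_real, os.path.join(dest_real, member.linkname))
    return True


def build_archive(entries) -> bytes:
    """Build an in-memory tar from (name, data, linkname) tuples; constructed test input only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, linkname in entries:
            info = tarfile.TarInfo(name)
            if linkname is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def extract_safely(archive: bytes, dest: str):
    """Write accepted members by hand (no tarfile.extract); return (accepted, rejected) names."""
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar:
            if not is_member_safe(member, dest):
                rejected.append(member.name)
                continue
            target = os.path.join(dest, member.name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            if member.issym():
                os.symlink(member.linkname, target)
            elif member.isdir():
                os.makedirs(target, exist_ok=True)
            elif member.isfile():
                with open(target, "wb") as out, tar.extractfile(member) as src:
                    out.write(src.read())
            accepted.append(member.name)
    return accepted, rejected


def demo():
    """Run the check over a constructed archive mixing benign and hostile members."""
    archive = build_archive([
        ("debian/control", b"Source: example\n", None),      # benign regular file
        ("debian/../../escape.txt", b"outside\n", None),     # '..' traversal
        ("/tmp/absolute.txt", b"outside\n", None),           # absolute member name
        ("debian/out", None, "../../../etc"),                # symlink escaping dest
        ("debian/in", None, "control"),                      # symlink staying inside
    ])
    dest = tempfile.mkdtemp(prefix="dsc-example-")           # hypothetical unpack directory
    return extract_safely(archive, dest)


if __name__ == "__main__":
    accepted, rejected = demo()
    print("accepted:", accepted)
    print("rejected:", rejected)
```

The check resolves paths with os.path.realpath against the real destination, so a symlink accepted earlier in the archive is already on disk and is followed when a later member is evaluated; that is why the link-target test and the per-member test must both run, and why members are written in archive order rather than pre-screened as a batch.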