Bug 1199944 - (CVE-2022-1664) VUL-1: CVE-2022-1664: dpkg: dpkg -- security update
VUL-1: CVE-2022-1664: dpkg: dpkg -- security update
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P4 - Low : Minor
: ---
Assigned To: Security Team bot
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2022-05-26 12:59 UTC by Gabriele Sonnu
Modified: 2022-08-10 11:34 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Gabriele Sonnu 2022-05-26 12:59:18 UTC
Max Justicz reported a directory traversal vulnerability in
Dpkg::Source::Archive in dpkg, the Debian package management system.
This affects extracting untrusted source packages in the v2 and v3
source package formats that include a debian.tar.
For the oldstable distribution (buster), this problem has been fixed
in version 1.19.8.
For the stable distribution (bullseye), this problem has been fixed in
version 1.20.10.
We recommend that you upgrade your dpkg packages.
For the detailed security status of dpkg please refer to its security
tracker page at:

Comment 1 Petr Gajdos 2022-05-27 09:35:45 UTC
Submitted for 15/dpkg and 12sp2/dpkg (if something is missing, let me know).
Comment 2 Petr Gajdos 2022-05-27 09:53:25 UTC
Submitted also into devel project:
Comment 4 Petr Gajdos 2022-05-30 08:46:39 UTC
Requests were accepted.
Comment 5 Swamp Workflow Management 2022-08-05 19:17:34 UTC
SUSE-SU-2022:2689-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1199944
CVE References: CVE-2022-1664
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    update-alternatives-1.18.4-16.3.5

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Alexander Bergmann 2022-08-10 11:34:58 UTC
Analysis of the problem in regard of 'dpkg' and 'update-alternatives':

The affected code is inside the Perl implementation of Dpkg::Source::Archive. So only if the Perl module is used the problem exists.

The 'dpkg' command line tool on the other hand is implemented in C and does not inherit the issue in any way. The same goes for the 'update-alternatives' command line tool.