Bugzilla – Bug 1199944
VUL-1: CVE-2022-1664: dpkg: dpkg -- security update
Last modified: 2022-08-10 11:34:58 UTC
Max Justicz reported a directory traversal vulnerability in
Dpkg::Source::Archive in dpkg, the Debian package management system.
This affects extracting untrusted source packages in the v2 and v3
source package formats that include a debian.tar.
For the oldstable distribution (buster), this problem has been fixed
in version 1.19.8.
For the stable distribution (bullseye), this problem has been fixed in
We recommend that you upgrade your dpkg packages.
For the detailed security status of dpkg please refer to its security
tracker page at:
Submitted for 15/dpkg and 12sp2/dpkg (if something is missing, let me know).
Submitted also into devel project:
Requests were accepted.
SUSE-SU-2022:2689-1: An update that fixes one vulnerability is now available.
Category: security (low)
Bug References: 1199944
CVE References: CVE-2022-1664
SUSE Linux Enterprise Server 12-SP5 (src): update-alternatives-1.18.4-16.3.5
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Analysis of the problem in regard of 'dpkg' and 'update-alternatives':
The affected code is inside the Perl implementation of Dpkg::Source::Archive. So only if the Perl module is used the problem exists.
The 'dpkg' command line tool on the other hand is implemented in C and does not inherit the issue in any way. The same goes for the 'update-alternatives' command line tool.