CVE-2022-1664: Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.

1.20.10 patch: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=58814cacee39c4ce9e2cd0e3a3b9b57ad437eff5
1.21.8 patch: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=7a6c03cb34d4a09f35df2f10779cbf1b70a5200b

Please bump.
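The report above describes the general failure mode: a tar archive whose member paths or link targets resolve outside the directory it is being unpacked into. The following Python is an added illustration of the kind of pre-extraction audit a defender can run on such archives; it is not dpkg's code, not the upstream patch, and does not reproduce the exact checks Dpkg::Source::Archive gained. It assumes Python 3's standard `tarfile` module and builds its own constructed in-memory samples (a benign debian.tar-style layout and one carrying the escape patterns), so it runs offline.

```python
import io
import posixpath
import tarfile
from typing import Dict, List, Optional, Tuple


def unsafe_reason(member: tarfile.TarInfo) -> Optional[str]:
    """Return why this tar member would escape the extraction root, or None if it is safe.

    Covers the classic escape routes: absolute member paths, '..' path components,
    and symlinks or hardlinks whose target resolves above the archive root.
    """
    name = member.name
    if posixpath.isabs(name):
        return "absolute member path"
    if ".." in posixpath.normpath(name).split("/"):
        return "parent-directory traversal in member path"
    if member.issym():
        target = member.linkname
        if posixpath.isabs(target):
            return "absolute symlink target"
        # A symlink target is resolved relative to the directory holding the link.
        resolved = posixpath.normpath(posixpath.join(posixpath.dirname(name), target))
        if resolved == ".." or resolved.startswith("../"):
            return "symlink target escapes extraction root"
    if member.islnk():
        # A hardlink target is given relative to the archive root.
        target = member.linkname
        if posixpath.isabs(target) or ".." in posixpath.normpath(target).split("/"):
            return "hardlink target escapes extraction root"
    return None


def audit_tarball(data: bytes) -> Dict[str, str]:
    """Map every unsafe member name to the reason it was flagged (empty dict = clean)."""
    findings: Dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            reason = unsafe_reason(member)
            if reason is not None:
                findings[member.name] = reason
    return findings


def safe_extract(data: bytes, dest: str) -> List[str]:
    """Refuse the whole archive if any member is unsafe; otherwise extract it and return the names.

    Auditing the full member list before writing anything avoids a half-extracted tree.
    """
    findings = audit_tarball(data)
    if findings:
        raise ValueError("refusing to extract: %s" % findings)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        names = tar.getnames()
        for member in tar.getmembers():
            tar.extract(member, path=dest)
    return names


def build_tarball(entries: List[Tuple[str, Optional[bytes], Optional[str]]]) -> bytes:
    """Constructed test input builder: (name, file_payload, symlink_target) per entry, in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload, link_target in entries:
            info = tarfile.TarInfo(name)
            if link_target is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = link_target
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed samples (not real-world archives): a benign debian.tar-like layout,
# and one carrying the two most common escape patterns.
BENIGN = build_tarball([("debian/control", b"Source: pkg\n", None)])
CRAFTED = build_tarball([
    ("debian/control", b"Source: pkg\n", None),
    ("../../tmp/outside.txt", b"x\n", None),   # '..' component in the member path
    ("debian/link", None, "../../.."),          # symlink whose target lies above the root
])

if __name__ == "__main__":
    print("benign :", audit_tarball(BENIGN))
    print("crafted:", audit_tarball(CRAFTED))
```

The audit runs over the member list only, so it is cheap enough to apply to every untrusted tarball before any file is written, and it rejects the archive as a whole rather than skipping individual members.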
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=354a6035384dee11b2fb6a43298c1235838b6ae4

commit 354a6035384dee11b2fb6a43298c1235838b6ae4
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2023-01-04 08:48:32 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2023-01-04 08:48:32 +0000

    app-arch/dpkg: stablebump, add CVE-2022-1664 patch

    Bug: https://bugs.gentoo.org/847976
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 .../{dpkg-1.20.9.ebuild => dpkg-1.20.9-r1.ebuild} |   3 +-
 .../dpkg/files/dpkg-1.20.9-CVE-2022-1664.patch    | 324 +++++++++++++++++++++
 2 files changed, 326 insertions(+), 1 deletion(-)
Bumped current stable. There are some bugs in the current unstables; as soon as they are sorted out I'll file a new stablereq and remove all other versions right after.
Thanks!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=8dbea06fcd82915bad1507b8a173c13ee523a34f

commit 8dbea06fcd82915bad1507b8a173c13ee523a34f
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-08-12 07:19:16 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-08-12 07:19:23 +0000

    [ GLSA 202408-30 ] dpkg: Directory Traversal

    Bug: https://bugs.gentoo.org/847976
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202408-30.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)