CVE-2022-1664: Dpkg::Source::Archive in dpkg, the Debian package management system, before versions 1.21.8, 1.20.10, 1.19.8 and 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.

1.20.10 patch: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=58814cacee39c4ce9e2cd0e3a3b9b57ad437eff5
1.21.8 patch: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=7a6c03cb34d4a09f35df2f10779cbf1b70a5200b

Please bump.
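A defender-side pre-extraction check for the two-tarball shape the report describes (an orig.tar unpacked first, then a debian.tar unpacked over it in place), written here as an added example; it is not dpkg's code and not part of this bug. The pkg/ tree, ORIG and DEBIAN are constructed test data. The check flags '..' and absolute member names, links whose target leaves the extraction root, and any member that would be written through a path an earlier member turned into a symlink.

```python
import io
import posixpath
import tarfile

def _escapes(path):
    """True if a tar-relative path would land outside the extraction root."""
    norm = posixpath.normpath(path)
    return path.startswith("/") or norm == ".." or norm.startswith("../")

def unsafe_members(*archives):
    """Scan tarballs in the order they are unpacked over one directory; return
    (archive_index, member_name, reason) for every entry that must not be extracted."""
    findings, symlinks = [], set()
    for idx, data in enumerate(archives):
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for m in tar.getmembers():
                if _escapes(m.name):
                    findings.append((idx, m.name, "path escapes root"))
                    continue
                parts = posixpath.normpath(m.name).split("/")
                # A parent that an earlier member turned into a symlink redirects the write.
                if any("/".join(parts[:i]) in symlinks for i in range(1, len(parts))):
                    findings.append((idx, m.name, "written through symlink"))
                    continue
                if m.issym():
                    target = posixpath.join(posixpath.dirname(m.name), m.linkname)
                    if _escapes(target):
                        findings.append((idx, m.name, "symlink escapes root"))
                        continue
                    symlinks.add(posixpath.normpath(m.name))
                elif m.islnk() and _escapes(m.linkname):  # hardlink names are root-relative
                    findings.append((idx, m.name, "hardlink escapes root"))
    return findings

def _tar(entries):
    """Build an in-memory tarball (constructed test data, not a real package) from
    (name, symlink_target_or_None, data) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, link, data in entries:
            info = tarfile.TarInfo(name)
            if link is not None:
                info.type, info.linkname = tarfile.SYMTYPE, link
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed stand-ins for an orig.tar and the debian.tar unpacked over it.
ORIG = _tar([("pkg/docs/README", None, b"hi"), ("pkg/debian", "docs", b"")])
DEBIAN = _tar([("pkg/debian/control", None, b"Source: pkg"),  # would be written via the link
               ("pkg/../../etc/cron.d/job", None, b"*"), ("pkg/patches", "/tmp", b"")])
```

Scanning ORIG alone reports nothing, because an in-tree symlink is harmless on its own; the overlay of DEBIAN is what turns it into a redirected write, which is why the archives must be checked together and in order.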
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=354a6035384dee11b2fb6a43298c1235838b6ae4

commit 354a6035384dee11b2fb6a43298c1235838b6ae4
Author: Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2023-01-04 08:48:32 +0000
Commit: Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2023-01-04 08:48:32 +0000

app-arch/dpkg: stablebump, add CVE-2022-1664 patch

Bug: https://bugs.gentoo.org/847976
Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

.../{dpkg-1.20.9.ebuild => dpkg-1.20.9-r1.ebuild} | 3 +-
.../dpkg/files/dpkg-1.20.9-CVE-2022-1664.patch | 324 +++++++++++++++++++++
2 files changed, 326 insertions(+), 1 deletion(-)
Bumped current stable. There are some bugs in the current unstables; as soon as they are sorted out I'll file a new stablereq and remove all other versions right after.
Thanks!