CVE-2017-8283

NameCVE-2017-8283
Descriptiondpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU patch program and does not offer a protection mechanism for blank-indented diff hunks, which allows remote attackers to conduct directory traversal attacks via a crafted Debian source package, as demonstrated by use of dpkg-source on NetBSD.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
dpkg (PTS)wheezy1.16.18vulnerable
wheezy (security)1.16.17vulnerable
jessie1.17.27vulnerable
jessie (security)1.17.26vulnerable
buster, stretch1.18.24fixed
sid1.19.0.2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
dpkgsource(unstable)1.18.24unimportant

Notes

http://www.openwall.com/lists/oss-security/2017/04/20/2

Search for package or bug name: Reporting problems