Bug 1199944 (CVE-2022-1664) - VUL-1: CVE-2022-1664: dpkg: dpkg -- security update
Summary: VUL-1: CVE-2022-1664: dpkg: dpkg -- security update
Status: RESOLVED FIXED
Alias: CVE-2022-1664
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low
Severity: Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/332928/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-1664:4.4:(AV:L...
Keywords:
Depends on:
Blocks:
 
Reported: 2022-05-26 12:59 UTC by Gabriele Sonnu
Modified: 2024-04-19 11:15 UTC
CC List: 5 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Gabriele Sonnu 2022-05-26 12:59:18 UTC
Max Justicz reported a directory traversal vulnerability in
Dpkg::Source::Archive in dpkg, the Debian package management system.
This affects extracting untrusted source packages in the v2 and v3
source package formats that include a debian.tar.
For the oldstable distribution (buster), this problem has been fixed
in version 1.19.8.
For the stable distribution (bullseye), this problem has been fixed in
version 1.20.10.
We recommend that you upgrade your dpkg packages.
For the detailed security status of dpkg please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/dpkg

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1664
http://www.debian.org/security/-1/dsa-5147
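The class of check an extractor needs against the traversal described above, as an added example written for this page (not dpkg's Perl code or its fix): inspect every member of a constructed debian.tar-style archive before extraction and report any whose path, or whose symlink/hardlink target, would land outside the destination directory. The destination path and the member names are assumed sample values.

```python
import io
import os
import tarfile


def is_safe_member(name: str, dest: str) -> bool:
    """True if a member path stays inside dest: not absolute, no '..' component,
    and the resolved location (following any symlinks that already exist under
    dest, the in-place extraction case) is still below dest."""
    if os.path.isabs(name) or ".." in name.split("/"):
        return False
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, name))
    return target == dest_real or target.startswith(dest_real + os.sep)


def check_archive(data: bytes, dest: str) -> list[str]:
    """Return the names of members that would escape dest; empty means safe."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            if not is_safe_member(m.name, dest):
                bad.append(m.name)
                continue
            if m.issym():  # symlink targets are relative to the member's directory
                link = os.path.normpath(os.path.join(os.path.dirname(m.name), m.linkname))
            elif m.islnk():  # hardlink targets are relative to the archive root
                link = os.path.normpath(m.linkname)
            else:
                continue
            if not is_safe_member(link, dest):
                bad.append(m.name)
    return bad


def build_sample_tar() -> bytes:
    """Constructed sample: a benign file, a '..' traversal, a symlink out of tree."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, payload in [("debian/control", b"Source: demo\n"),
                              ("../../../tmp/escaped", b"x\n")]:
            ti = tarfile.TarInfo(name)
            ti.size = len(payload)
            tf.addfile(ti, io.BytesIO(payload))
        link = tarfile.TarInfo("debian/patches")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../../etc"
        tf.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    print(check_archive(build_sample_tar(), "/srv/build/pkg"))
```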
Comment 1 Petr Gajdos 2022-05-27 09:35:45 UTC
Submitted for 15/dpkg and 12sp2/dpkg (if something is missing, let me know).
Comment 2 Petr Gajdos 2022-05-27 09:53:25 UTC
Submitted also into devel project:
https://build.opensuse.org/request/show/979458
Comment 4 Petr Gajdos 2022-05-30 08:46:39 UTC
Requests were accepted.
Comment 5 Swamp Workflow Management 2022-08-05 19:17:34 UTC
SUSE-SU-2022:2689-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1199944
CVE References: CVE-2022-1664
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    update-alternatives-1.18.4-16.3.5

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Alexander Bergmann 2022-08-10 11:34:58 UTC
Analysis of the problem in regard to 'dpkg' and 'update-alternatives':

The affected code is inside the Perl implementation of Dpkg::Source::Archive. So the problem exists only if the Perl module is used.

The 'dpkg' command line tool on the other hand is implemented in C and does not inherit the issue in any way. The same goes for the 'update-alternatives' command line tool.
Comment 7 George Kraft 2022-10-11 14:50:32 UTC
What is the bugzilla number for the SLES 15 fix?
Comment 8 Marcus Meissner 2022-11-08 16:22:35 UTC
Hi, this is the same bug.

The SLES 15 fix had various unrelated QA troubles, but these should be resolved soon.
Comment 9 Swamp Workflow Management 2022-11-18 20:25:22 UTC
SUSE-SU-2022:4081-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1199944
CVE References: CVE-2022-1664
JIRA References: 
Sources used:
openSUSE Leap Micro 5.3 (src):    update-alternatives-1.19.0.4-150000.4.4.1
openSUSE Leap Micro 5.2 (src):    update-alternatives-1.19.0.4-150000.4.4.1
openSUSE Leap 15.4 (src):    dpkg-1.19.0.4-150000.4.4.1, update-alternatives-1.19.0.4-150000.4.4.1
openSUSE Leap 15.3 (src):    dpkg-1.19.0.4-150000.4.4.1, update-alternatives-1.19.0.4-150000.4.4.1
SUSE Manager Server 4.1 (src):    dpkg-1.19.0.4-150000.4.4.1, update-alternatives-1.19.0.4-150000.4.4.1
SUSE Manager Retail Branch Server 4.1 (src):    dpkg-1.19.0.4-150000.4.4.1, update-alternatives-1.19.0.4-150000.4.4.1
SUSE Manager Proxy 4.1 (src):    dpkg-1.19.0.4-150000.4.4.1, update-alternatives-1.19.0.4-150000.4.4.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    dpkg-1.19.0.4-150000.4.4.1, update-alternatives-1.19.0.4-150000.4.4.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    dpkg-1.19.0.4-150000.4.4.1, update-alternatives-1.19.0.4-150000.4.4.1
SUSE Linux Enterprise Server for SAP 15 (src):    dpkg-1.19.0.4-150000.4.4.1, update-alternatives-1.19.0.4-150000.4.4.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    dpkg-1.19.0.4-150000.4.4.1, update-alternatives-1.19.0.4-150000.4.4.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    dpkg-1.19.0.4-150000.4.4.1, update-alternatives-1.19.0.4-150000.4.4.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    dpkg-1.19.0.4-150000.4.4.1, update-alternatives-1.19.0.4-150000.4.4.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    dpkg-1.19.0.4-150000.4.4.1, update-alternatives-1.19.0.4-150000.4.4.1
SUSE Linux Enterprise Server 15-LTSS (src):    dpkg-1.19.0.4-150000.4.4.1, update-alternatives-1.19.0.4-150000.4.4.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    dpkg-1.19.0.4-150000.4.4.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    dpkg-1.19.0.4-150000.4.4.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    update-alternatives-1.19.0.4-150000.4.4.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    update-alternatives-1.19.0.4-150000.4.4.1
SUSE Linux Enterprise Micro 5.3 (src):    update-alternatives-1.19.0.4-150000.4.4.1
SUSE Linux Enterprise Micro 5.2 (src):    update-alternatives-1.19.0.4-150000.4.4.1
SUSE Linux Enterprise Micro 5.1 (src):    update-alternatives-1.19.0.4-150000.4.4.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    dpkg-1.19.0.4-150000.4.4.1, update-alternatives-1.19.0.4-150000.4.4.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    dpkg-1.19.0.4-150000.4.4.1, update-alternatives-1.19.0.4-150000.4.4.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    dpkg-1.19.0.4-150000.4.4.1, update-alternatives-1.19.0.4-150000.4.4.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    dpkg-1.19.0.4-150000.4.4.1, update-alternatives-1.19.0.4-150000.4.4.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    dpkg-1.19.0.4-150000.4.4.1, update-alternatives-1.19.0.4-150000.4.4.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    dpkg-1.19.0.4-150000.4.4.1, update-alternatives-1.19.0.4-150000.4.4.1
SUSE Enterprise Storage 7 (src):    dpkg-1.19.0.4-150000.4.4.1, update-alternatives-1.19.0.4-150000.4.4.1
SUSE Enterprise Storage 6 (src):    dpkg-1.19.0.4-150000.4.4.1, update-alternatives-1.19.0.4-150000.4.4.1
SUSE CaaS Platform 4.0 (src):    dpkg-1.19.0.4-150000.4.4.1, update-alternatives-1.19.0.4-150000.4.4.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Robert Frohl 2024-04-19 11:15:12 UTC
done