Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 555
Alerts This Week
Warning Icon 1 555

Debian LTS dpkg Severe Directory Access Permissions DoS Concern DLA-4673-1

debian lts
Calendar Grey July 8, 2026
Dist Debian Esm H88
A critical security advisory discussing a DoS threat and inadequate permissions in dpkg for Debian LTS.
A vulnerability have been discovered in dpkg, the Debian package manager (dpkg is the low-level tool that actually installs or removes packages)

Summary

CVE-2025-6297

It was discovered that dpkg-deb does not properly sanitize directory
permissions when extracting a control member into a temporary
directory, which is documented as being a safe operation even on
untrusted data. This may result in leaving temporary files behind on
cleanup. Given automated and repeated execution of dpkg-deb commands
on adversarial .deb packages or with well compressible files, placed
inside a directory with permissions not allowing removal by a
non-root user, this can end up in a DoS scenario due to causing disk
quota exhaustion or disk full conditions.

Additionally, this version includes some minor security fixes that didn't
receive a CVE number, but were reported on the Debian bug tracker, see
the list of Debian bugs above.

For Debian 11 bullseye, this problem has been fixed in version
1.20.14.

We recommend that you upgrade your dpkg packages.

For the detailed security status of dpkg please refer to
its security tracker page at:

Read the Full Advisory


Severity
critical
Lowest
Low
Medium
High
Critical

Package: dpkg
Version: 1.20.14
CVE ID: CVE-2025-6297
Debian Bug: 1061404 1065575 1107971 1108192

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.