Explore top 10 tips to secure your open-source projects now. Read More
×
CVE-2025-6297
It was discovered that dpkg-deb does not properly sanitize directory
permissions when extracting a control member into a temporary
directory, which is documented as being a safe operation even on
untrusted data. This may result in leaving temporary files behind on
cleanup. Given automated and repeated execution of dpkg-deb commands
on adversarial .deb packages or with well compressible files, placed
inside a directory with permissions not allowing removal by a
non-root user, this can end up in a DoS scenario due to causing disk
quota exhaustion or disk full conditions.
Additionally, this version includes some minor security fixes that didn't
receive a CVE number, but were reported on the Debian bug tracker, see
the list of Debian bugs above.
For Debian 11 bullseye, this problem has been fixed in version
1.20.14.
We recommend that you upgrade your dpkg packages.
For the detailed security status of dpkg please refer to
its security tracker page at:
Get the latest Linux and open source security news straight to your inbox.