Dpkg Directory Permission Vulnerability in Dpkg-Deb Control Extraction

A denial-of-service vulnerability has been identified in the Debian package management tool 'dpkg-deb'. The issue arises because 'dpkg-deb' does not properly manage directory permissions when extracting control files into temporary directories. This flaw can lead to leftover temporary files after the cleanup process. The vulnerability is particularly concerning when 'dpkg-deb' is used repeatedly on malicious .deb packages or on files that compress well, and the extraction occurs in a directory where a non-root user cannot delete files. Such scenarios can cause disk quota exhaustion or fill up the disk, leading to a denial-of-service condition.

Impact

Exploitation of this vulnerability can cause disk quota exhaustion or fill up the disk, creating a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by creating a .deb package with a control member that includes well-compressible files. The package should be placed in a directory with permissions that prevent a non-root user from deleting files. When 'dpkg-deb' is used to extract the control member, the improper handling of directory permissions will result in temporary files being left behind. This can be automated to repeatedly execute 'dpkg-deb' commands, exacerbating the issue.

Remediation

Users can update to the latest version of 'dpkg' where this vulnerability has been addressed. Instructions for updating 'dpkg' can be found on the Debian website.