CVE-2014-7206

NameCVE-2014-7206
DescriptionThe changelog command in Apt before 1.0.9.2 allows local users to write to arbitrary files via a symlink attack on the changelog file.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-3048-1
Debian Bugs763780

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
apt (PTS)jessie, jessie (lts)1.0.9.8.7fixed
stretch (security), stretch (lts), stretch1.4.11fixed
buster1.8.2.3fixed
buster (security), buster (lts)1.8.2.2fixed
bullseye2.2.4fixed
bookworm2.6.1fixed
trixie2.9.10fixed
sid2.9.14fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
aptsourcesqueeze(not affected)
aptsourcewheezy0.9.7.9+deb7u6DSA-3048-1
aptsource(unstable)1.0.9.2763780

Notes

[squeeze] - apt <not-affected> (apt changelog command and vulnerable code not present)
mitigated by Linux kernel features in wheezy and up

Search for package or bug name: Reporting problems