{"id":"AZL-64641","summary":"CVE-2025-6297 affecting package dpkg 1.20.10-1","details":"It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is\ndocumented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given automated and repeated execution of dpkg-deb commands on\nadversarial .deb packages or with well compressible files, placed\ninside a directory with permissions not allowing removal by a non-root\nuser, this can end up in a DoS scenario due to causing disk quota\nexhaustion or disk full conditions.","modified":"2026-04-21T04:32:30.047131Z","published":"2025-07-01T17:15:30Z","upstream":["CVE-2025-6297"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6297"}],"affected":[{"package":{"name":"dpkg","ecosystem":"Azure Linux:2","purl":"pkg:rpm/azure-linux/dpkg"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"1.20.10-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-64641.json"}}],"schema_version":"1.7.5"}