
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability was discovered in dpkg-deb: when it extracts a control member into a temporary directory, it does not properly sanitize directory permissions before cleaning that directory up, even though this operation is documented as being safe even on untrusted data. The vulnerability was discovered in July 2025 and affects the dpkg package management system (DPKG Commit).
The vulnerability stems from the cleanup code not sanitizing directory permissions after control members have been extracted into a temporary directory; the issue has been present since the initial commit that introduced dpkg-deb in C. The vulnerability has been assigned a CVSS v3.1 Base Score of 8.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N, and is categorized under CWE-400 (Uncontrolled Resource Consumption) and CWE-732 (Incorrect Permission Assignment for Critical Resource) (NVD Database).
When exploited, this vulnerability leaves temporary files behind after cleanup: a directory extracted with permissions that do not allow a non-root user to remove its contents cannot be deleted, so the files inside it remain on disk. Where dpkg-deb commands are run automatically and repeatedly on adversarial .deb packages, or on packages with well-compressible files placed inside such a directory, this can lead to a denial of service (DoS) through disk quota exhaustion or disk full conditions (DPKG Commit).
A fix has been implemented that adds proper directory permission sanitization during the cleanup process. The fix includes a new function cuinfotreewalkfixupdir that ensures proper permissions (0755) are set on directories before cleanup. This patch has been marked as a stable candidate for versions 1.20.x, 1.21.x, and 1.22.x (DPKG Commit).
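As an added illustration (not dpkg's own code), the following C program implements a minimal recursive cleanup with the directory-permission fix-up the patch describes, next to the unfixed behaviour, and runs both on a constructed temporary tree containing a mode-0000 directory. The function names, the buffer sizes and the /tmp location are assumptions of this example.

```c
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Remove `path` recursively; 0 on success, -1 if anything was left behind.
 * fixup != 0: chmod each directory to 0755 before opening it (the approach
 * of the dpkg-deb fix). fixup == 0: the old cleanup, which fails on a
 * mode-0000 directory whose entries can neither be listed nor unlinked. */
static int remove_tree(const char *path, int fixup)
{
    struct stat st; struct dirent *e;
    char child[4096]; int rc = 0;
    if (lstat(path, &st) < 0) return -1;
    if (!S_ISDIR(st.st_mode)) return unlink(path); /* file or symlink */
    if (fixup && chmod(path, 0755) < 0) return -1; /* lstat ruled out a symlink */
    DIR *d = opendir(path);                        /* EACCES here on mode 0000 */
    if (d == NULL) return -1;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        snprintf(child, sizeof child, "%s/%s", path, e->d_name);
        if (remove_tree(child, fixup) < 0) rc = -1;
    }
    closedir(d);
    return rmdir(path) < 0 ? -1 : rc;
}

/* Constructed stand-in for an extracted control member: <tmpdir>/locked is a
 * mode-0000 directory holding one file. Returns 1 if remove_tree() deleted
 * the whole tree, 0 if something was left behind (which is then cleaned up). */
static int cleanup_demo(int fixup)
{
    char root[] = "/tmp/dpkgdemoXXXXXX", locked[4096], file[4096];
    FILE *f; int removed;
    if (mkdtemp(root) == NULL) return 0;
    snprintf(locked, sizeof locked, "%s/locked", root);
    snprintf(file, sizeof file, "%s/payload", locked);
    if (mkdir(locked, 0755) < 0 || (f = fopen(file, "w")) == NULL) return 0;
    fputs("constructed sample data\n", f);
    fclose(f);
    chmod(locked, 0);                              /* the permission trap */
    removed = remove_tree(root, fixup) == 0 && access(root, F_OK) != 0;
    if (!removed) remove_tree(root, 1);            /* do not leave it in /tmp */
    return removed;
}
```

Run as an unprivileged user, cleanup_demo(0) leaves the tree behind while cleanup_demo(1) removes it; as root the permission bits are bypassed and both succeed.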
Source: This report was generated using AI