dpkg 1.17.x before 1.17.9, 1.16.x before 1.16.14, and 1.15.x before 1.15.10 for Debian squeeze and wheezy supports C-style encoded filenames while the patch program does not, which introduces an interaction error that allows attackers to conduct directory traversal attacks and create files outside of the intended directories via a crafted package. NOTE: this vulnerability exists because of an incorrect fix for CVE-2014-0471.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3127
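
As an added example (not code from dpkg or from this advisory), the following audit decodes the file headers of a diff and flags any C-style quoted name, since that is the feature the two tools interpret differently, as well as any name that leaves the target tree once decoded. The function names, the assumed escape set (single-letter C escapes plus `\NNN` octal bytes) and the sample diff are all assumptions made for illustration.

```python
import re

# Assumed escape set: single-letter C escapes plus \NNN octal bytes.
_ESCAPES = {"a": "\a", "b": "\b", "f": "\f", "n": "\n", "r": "\r",
            "t": "\t", "v": "\v", "\\": "\\", '"': '"'}
_TOKEN = re.compile(r'\\([0-7]{1,3}|.)')
# A file header: "--- name" or "+++ name"; name is quoted or runs to a tab.
_HEADER = re.compile(r'^(?:---|\+\+\+) ("(?:[^"\\]|\\.)*"|[^\t\n]+)')

def decode_c_style(quoted):
    """Decode a double-quoted, C-style escaped filename to plain text."""
    def expand(match):
        tok = match.group(1)
        if tok[0] in "01234567":
            return chr(int(tok, 8) & 0xFF)  # octal byte, shown as Latin-1
        return _ESCAPES.get(tok, tok)
    return _TOKEN.sub(expand, quoted[1:-1])

def escapes_tree(name):
    """True if the name is absolute or contains a '..' path component."""
    return name.startswith("/") or ".." in name.split("/")

def audit_patch_headers(diff_text):
    """Return (line_number, reason, decoded_name) for each suspicious header."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        match = _HEADER.match(line)
        if not match or match.group(1).strip() == "/dev/null":
            continue
        name = match.group(1).strip()
        if name.startswith('"'):
            # Tools disagree on quoted names, so flag every one of them.
            name = decode_c_style(name)
            findings.append((lineno, "c-style-quoted", name))
        if escapes_tree(name):
            findings.append((lineno, "path-traversal", name))
    return findings

# Constructed sample diff (not taken from any real package).
SAMPLE = (
    "--- a/src/main.c\t2014-01-01\n+++ b/src/main.c\t2014-01-01\n"
    "@@ -1 +1 @@\n-old\n+new\n--- /dev/null\n"
    '+++ "b/\\056\\056/\\056\\056/outside.txt"\n@@ -0,0 +1 @@\n+data\n'
)

if __name__ == "__main__":
    for finding in audit_patch_headers(SAMPLE):
        print(finding)
```

A removed hunk line that itself begins with `-- ` also matches the header pattern, so this audit over-reports rather than misses.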