Nixpkgs security tracker

Permalink CVE-2026-2219

created 1 month, 2 weeks ago Activity log

Created suggestion 1 month, 2 weeks ago

It was discovered that dpkg-deb (a component of dpkg, the …

It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).

References

https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302e… patch
https://bugs.debian.org/1129722 issue-tracking

Affected products

dpkg

<1.23.6

Matching in nixpkgs

pkgs.dpkg

Debian package manager

nixos-unstable 1.23.5
- nixpkgs-unstable 1.23.5
- nixos-unstable-small 1.23.5
nixos-25.11 1.22.21
- nixos-25.11-small 1.22.21
- nixpkgs-25.11-darwin 1.22.21

Package maintainers

@siriobalmelli Sirio Balmelli <sirio@b-ad.ch>

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.dpkg

Package maintainers