Jakub Wilk discovered that the dpkg-source component of dpkg, the Debian package management system, doesn"t correctly handle paths in patches of source packages, which could make it traverse directories. Raphaël Hertzog additionally discovered that symbolic links in the .pc directory are followed, which could make it traverse directories too. Both issues only affect source packages using the "3.0 quilt" format at unpack-time.