Executive Summary

Summary
Title acpi-support regression update
Informations
Name DSA-2984 First vendor Publication 2014-07-22
Vendor Debian Last vendor Modification 2014-08-11
Severity (Vendor) N/A Revision 2

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 6.9 Attack Range Local
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 3.4 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

It was discovered that the acpi-support update for DSA-2984-1 would make a laptop's power button forcibly shut the system down, instead of triggering the configured action (usually suspend to RAM). This only affects systems using the gnome-settings-daemon.

For reference, the original advisory follows.

CESG discovered a root escalation flaw in the acpi-support package. An unprivileged user can inject the DBUS_SESSION_BUS_ADDRESS environment variable to run arbitrary commands as root user via the policy-funcs script.

For the stable distribution (wheezy), this problem has been fixed in version 0.140-5+deb7u2.

For the testing distribution (jessie), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in version 0.142-3.

We recommend that you upgrade your acpi-support packages.

Original Source

Url : http://www.debian.org/security/2014/dsa-2984

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-362 Race Condition

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:26072
 
Oval ID: oval:org.mitre.oval:def:26072
Title: USN-2297-1 -- acpi-support vulnerability
Description: The system could be made to run programs as an administrator.
Family: unix Class: patch
Reference(s): USN-2297-1
CVE-2014-1419
 Version: 3
Platform(s): Ubuntu 12.04
 Product(s): acpi-support
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26223
 
Oval ID: oval:org.mitre.oval:def:26223
Title: DSA-2984-1 -- acpi-support - security update
Description: CESG discovered a root escalation flaw in the acpi-support package. An unprivileged user can inject the DBUS_SESSION_BUS_ADDRESS environment variable to run arbitrary commands as root user via the policy-funcs script.
Family: unix Class: patch
Reference(s): DSA-2984-1
CVE-2014-1419
 Version: 5
Platform(s): Debian GNU/Linux 7
Debian GNU/kFreeBSD 7
 Product(s): acpi-support
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:28318
 
Oval ID: oval:org.mitre.oval:def:28318
Title: DSA-2984-2 -- acpi-support regression update
Description: CESG discovered a root escalation flaw in the acpi-support package. An unprivileged user can inject the DBUS_SESSION_BUS_ADDRESS environment variable to run arbitrary commands as root user via the policy-funcs script.
Family: unix Class: patch
Reference(s): DSA-2984-2
CVE-2014-1419
 Version: 3
Platform(s): Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
 Product(s): acpi-support
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1
Os 1

Nessus® Vulnerability Scanner

Date Description
2015-03-26 Name : The remote Debian host is missing a security update.
File : debian_DLA-30.nasl - Type : ACT_GATHER_INFO
2014-07-24 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2984.nasl - Type : ACT_GATHER_INFO
2014-07-23 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2297-1.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
Date Informations
2014-11-14 13:32:27
  • Multiple Updates
2014-08-12 00:20:32
  • Multiple Updates
2014-07-25 13:21:55
  • Multiple Updates
2014-07-24 21:29:21
  • Multiple Updates
2014-07-22 21:22:03
  • First insertion