Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title dpkg: Arbitrary code execution
Informations
Name GLSA-201612-07 First vendor Publication 2016-12-04
Vendor Gentoo Last vendor Modification 2016-12-04
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 9.3 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Synopsis

A vulnerability was discovered in dpkg which could potentially lead to arbitrary code execution.

Background

Debian package management system.

Description

Gentoo Linux developer, Hanno Böck, discovered an off-by-one error in the dpkg-deb component of dpkg, the Debian package management system, which triggers a stack-based buffer overflow.

Impact

An attacker could potentially execute arbitrary code if an user or an automated system were tricked into processing a specially crafted Debian binary package (.deb).

Workaround

There is no known workaround at this time.

Resolution

All dpkg users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/dpkg-1.17.26"

References

[ 1 ] CVE-2015-7805
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7805

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

https://security.gentoo.org/glsa/201612-07

Original Source

Url : http://security.gentoo.org/glsa/glsa-201612-07.xml

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-189 Numeric Errors (CWE/SANS Top 25)
50 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 48
Application 1
Os 4
Os 2

Nessus® Vulnerability Scanner

Date Description
2017-10-18 Name : The remote EulerOS host is missing multiple security updates.
File : EulerOS_SA-2017-1244.nasl - Type : ACT_GATHER_INFO
2017-10-18 Name : The remote EulerOS host is missing multiple security updates.
File : EulerOS_SA-2017-1243.nasl - Type : ACT_GATHER_INFO
2017-05-09 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2017-549.nasl - Type : ACT_GATHER_INFO
2017-05-01 Name : The remote Debian host is missing a security update.
File : debian_DLA-928.nasl - Type : ACT_GATHER_INFO
2017-04-25 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2017-1096-1.nasl - Type : ACT_GATHER_INFO
2016-12-07 Name : The remote Fedora host is missing a security update.
File : fedora_2016-5608472a90.nasl - Type : ACT_GATHER_INFO
2016-12-07 Name : The remote Fedora host is missing a security update.
File : fedora_2016-10ec03ed27.nasl - Type : ACT_GATHER_INFO
2016-12-06 Name : The remote Fedora host is missing a security update.
File : fedora_2016-0918477a60.nasl - Type : ACT_GATHER_INFO
2016-12-05 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201612-07.nasl - Type : ACT_GATHER_INFO
2016-12-05 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201612-03.nasl - Type : ACT_GATHER_INFO
2016-03-04 Name : The remote Fedora host is missing a security update.
File : fedora_2015-56be43eae6.nasl - Type : ACT_GATHER_INFO
2016-03-04 Name : The remote Fedora host is missing a security update.
File : fedora_2015-71b291686c.nasl - Type : ACT_GATHER_INFO
2016-03-04 Name : The remote Fedora host is missing a security update.
File : fedora_2015-5afed1aad2.nasl - Type : ACT_GATHER_INFO
2016-03-04 Name : The remote Fedora host is missing a security update.
File : fedora_2015-0f405832d3.nasl - Type : ACT_GATHER_INFO
2016-03-04 Name : The remote Fedora host is missing a security update.
File : fedora_2015-0be7a2e1b8.nasl - Type : ACT_GATHER_INFO
2016-02-09 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2016-039-02.nasl - Type : ACT_GATHER_INFO
2015-12-29 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2015-2000-2.nasl - Type : ACT_GATHER_INFO
2015-12-29 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_876768aaab1e11e58a305453ed2e2b49.nasl - Type : ACT_GATHER_INFO
2015-12-08 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2832-1.nasl - Type : ACT_GATHER_INFO
2015-12-01 Name : The remote Debian host is missing a security update.
File : debian_DLA-356.nasl - Type : ACT_GATHER_INFO
2015-11-30 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2820-1.nasl - Type : ACT_GATHER_INFO
2015-11-30 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2015-820.nasl - Type : ACT_GATHER_INFO
2015-11-30 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3407.nasl - Type : ACT_GATHER_INFO
2015-11-17 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2015-2000-1.nasl - Type : ACT_GATHER_INFO
2015-11-17 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2015-742.nasl - Type : ACT_GATHER_INFO
2015-11-13 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2015-1979-1.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
Date Informations
2017-07-01 09:25:34
  • Multiple Updates
2016-12-06 13:26:15
  • Multiple Updates
2016-12-04 13:23:02
  • First insertion