Executive Summary
This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
| Informations | |||
|---|---|---|---|
| Name | CVE-2009-4015 | First vendor Publication | 2010-02-02 |
| Vendor | Cve | Last vendor Modification | 2024-11-21 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 7.5 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Lintian 1.23.x through 1.23.28, 1.24.x through 1.24.2.1, and 2.x before 2.3.2 allows remote attackers to execute arbitrary commands via shell metacharacters in filename arguments. |
Original Source
| Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4015 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25) |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:12572 | |||
| Oval ID: | oval:org.mitre.oval:def:12572 | ||
| Title: | USN-891-1 -- lintian vulnerabilities | ||
| Description: | It was discovered that lintian did not correctly validate certain filenames when processing input. If a user or an automated system were tricked into running lintian on a specially crafted set of files, a remote attacker could execute arbitrary code with user privileges. | ||
| Family: | unix | Class: | patch |
| Reference(s): | USN-891-1 CVE-2009-4013 CVE-2009-4014 CVE-2009-4015 | Version: | 7 |
| Platform(s): | Ubuntu 8.04 Ubuntu 8.10 Ubuntu 9.10 Ubuntu 6.06 Ubuntu 9.04 | Product(s): | lintian |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:13615 | |||
| Oval ID: | oval:org.mitre.oval:def:13615 | ||
| Title: | DSA-1979-1 lintian -- multiple | ||
| Description: | Multiple vulnerabilities have been discovered in lintian, a Debian package checker. The following Common Vulnerabilities and Exposures project ids have been assigned to identify them: CVE-2009-4013: missing control files sanitation Control field names and values were not sanitised before using them in certain operations that could lead to directory traversals. Patch systems" control files were not sanitised before using them in certain operations that could lead to directory traversals. An attacker could exploit these vulnerabilities to overwrite arbitrary files or disclose system information. CVE-2009-4014: format string vulnerabilities Multiple check scripts and the Lintian::Schedule module were using user-provided input as part of the sprintf/printf format string. CVE-2009-4015: arbitrary command execution File names were not properly escaped when passing them as arguments to certain commands, allowing the execution of other commands as pipes or as a set of shell commands. For the oldstable distribution, these problems have been fixed in version 1.23.28+etch1. For the stable distribution, these problems have been fixed in version 1.24.2.1+lenny1. For the testing distribution, these problems will be fixed soon. For the unstable distribution, these problems have been fixed in version 2.3.2 We recommend that you upgrade your lintian packages. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1979-1 CVE-2009-4013 CVE-2009-4014 CVE-2009-4015 | Version: | 7 |
| Platform(s): | Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 | Product(s): | lintian |
| Definition Synopsis: | |||
| Definition Id: oval:org.mitre.oval:def:7013 | |||
| Oval ID: | oval:org.mitre.oval:def:7013 | ||
| Title: | DSA-1979 lintian -- multiple vulnerabilities | ||
| Description: | Multiple vulnerabilities have been discovered in lintian, a Debian package checker. The following Common Vulnerabilities and Exposures project ids have been assigned to identify them: Control field names and values were not sanitised before using them in certain operations that could lead to directory traversals. Patch systems" control files were not sanitised before using them in certain operations that could lead to directory traversals. An attacker could exploit these vulnerabilities to overwrite arbitrary files or disclose system information. Multiple check scripts and the Lintian::Schedule module were using user-provided input as part of the sprintf/printf format string. File names were not properly escaped when passing them as arguments to certain commands, allowing the execution of other commands as pipes or as a set of shell commands. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1979 CVE-2009-4013 CVE-2009-4014 CVE-2009-4015 | Version: | 7 |
| Platform(s): | Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 | Product(s): | lintian |
| Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Description |
|---|---|
| 2010-01-29 | Name : Ubuntu Update for lintian vulnerabilities USN-891-1 File : nvt/gb_ubuntu_USN_891_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 62127 | Lintian Filename Shell Metacharacter Arbitrary Command Execution |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2010-02-24 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1979.nasl - Type : ACT_GATHER_INFO |
| 2010-01-28 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-891-1.nasl - Type : ACT_GATHER_INFO |
Sources (Detail)
Alert History
| Date | Informations |
|---|---|
| 2024-11-28 23:09:28 |
|
| 2024-11-28 12:20:14 |
|
| 2023-11-07 21:47:37 |
|
| 2021-05-04 12:10:29 |
|
| 2021-04-22 01:10:56 |
|
| 2020-05-23 00:24:36 |
|
| 2016-04-26 19:15:56 |
|
| 2014-02-17 10:52:24 |
|
| 2013-05-11 00:00:58 |
|
