Docker buildpack-deps:18.10-scm

Vulnerabilities

35 via 73 paths

Dependencies

171

Source

Docker

Target OS

ubuntu:18.10
Severity
  • 10 medium
  • 25 low
Status
  • 35 open
  • 0 patched
  • 0 ignored

medium severity

Improper Input Validation

  • Vulnerable module: glibc/libc-bin
  • Introduced through: glibc/libc-bin@2.28-0ubuntu1 and glibc/libc6@2.28-0ubuntu1

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* glibc/libc-bin@2.28-0ubuntu1
  • Introduced through: buildpack-deps:18.10-scm@* glibc/libc6@2.28-0ubuntu1

Overview

In the GNU C Library (aka glibc or libc6) through 2.28, attempting to resolve a crafted hostname via getaddrinfo() leads to the allocation of a socket descriptor that is not closed. This is related to the if_nametoindex() function.

References

medium severity

Reachable Assertion

  • Vulnerable module: krb5/libgssapi-krb5-2
  • Introduced through: krb5/libgssapi-krb5-2@1.16-2ubuntu1.1, krb5/libk5crypto3@1.16-2ubuntu1.1 and others

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* krb5/libgssapi-krb5-2@1.16-2ubuntu1.1
  • Introduced through: buildpack-deps:18.10-scm@* krb5/libk5crypto3@1.16-2ubuntu1.1
  • Introduced through: buildpack-deps:18.10-scm@* krb5/libkrb5-3@1.16-2ubuntu1.1
  • Introduced through: buildpack-deps:18.10-scm@* krb5/libkrb5support0@1.16-2ubuntu1.1

Overview

A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request. Note that the packages flagged above are the krb5 client and GSSAPI runtime libraries; the assertion is reached in the KDC process, which is not part of these packages.

References

medium severity

Link Following

  • Vulnerable module: mercurial
  • Introduced through: mercurial@4.6.1-1ubuntu1 and mercurial/mercurial-common@4.6.1-1ubuntu1

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* mercurial@4.6.1-1ubuntu1
  • Introduced through: buildpack-deps:18.10-scm@* mercurial/mercurial-common@4.6.1-1ubuntu1

Overview

A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository.
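
The mechanism, a symlinked path component that a purely lexical containment check cannot see, generalises beyond Mercurial. The following Python example is added here and is not Mercurial's own path-checking code: it builds a throwaway repository containing a symlink that points outside it and compares a naive prefix check with one that resolves symlinks before deciding. The directory layout and the demo() helper are constructed for illustration.

```python
import os
import tempfile


def naive_inside(repo_root: str, rel_path: str) -> bool:
    """Lexical containment check: collapses '..' but never consults the
    filesystem, so it cannot see where a symlinked component points."""
    target = os.path.normpath(os.path.join(repo_root, rel_path))
    return target == repo_root or target.startswith(repo_root + os.sep)


def strict_inside(repo_root: str, rel_path: str) -> bool:
    """Containment check after resolving every symlink in the path."""
    root = os.path.realpath(repo_root)
    target = os.path.realpath(os.path.join(root, rel_path))
    return target == root or target.startswith(root + os.sep)


def demo() -> tuple:
    """Constructed layout: <tmp>/repo is the checkout and <tmp>/outside is a
    directory the repository must never write to. The attacker's repository
    carries a symlink 'sub' -> ../outside followed by a file 'sub/owned'.
    Returns (naive verdict, strict verdict, naive verdict for a plain '..')."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = os.path.join(tmp, "repo")
        outside = os.path.join(tmp, "outside")
        os.makedirs(repo)
        os.makedirs(outside)
        os.symlink(os.path.join("..", "outside"), os.path.join(repo, "sub"))
        via_symlink = os.path.join("sub", "owned")
        via_dotdot = os.path.join("..", "outside", "owned")
        return (
            naive_inside(repo, via_symlink),   # True: the lexical check is fooled
            strict_inside(repo, via_symlink),  # False: resolves to <tmp>/outside/owned
            naive_inside(repo, via_dotdot),    # False: a plain '..' is caught either way
        )


if __name__ == "__main__":
    print(demo())
```

Resolving symlinks before the check closes the lexical hole, but it still leaves a time-of-check/time-of-use window if the link can be swapped between the check and the write; code that materialises untrusted trees should additionally open directory descriptors and create files with O_NOFOLLOW semantics.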

References

medium severity

Out-of-bounds Read

  • Vulnerable module: mercurial
  • Introduced through: mercurial@4.6.1-1ubuntu1 and mercurial/mercurial-common@4.6.1-1ubuntu1

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* mercurial@4.6.1-1ubuntu1
  • Introduced through: buildpack-deps:18.10-scm@* mercurial/mercurial-common@4.6.1-1ubuntu1

Overview

cext/manifest.c in Mercurial before 4.7.2 has an out-of-bounds read during parsing of a malformed manifest entry.

References

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: nghttp2/libnghttp2-14
  • Introduced through: nghttp2/libnghttp2-14@1.32.1-1build1

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* nghttp2/libnghttp2-14@1.32.1-1build1

Overview

Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

References

medium severity

Resource Exhaustion

  • Vulnerable module: nghttp2/libnghttp2-14
  • Introduced through: nghttp2/libnghttp2-14@1.32.1-1build1

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* nghttp2/libnghttp2-14@1.32.1-1build1

Overview

Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.

References

medium severity

CRLF Injection

  • Vulnerable module: python2.7
  • Introduced through: python2.7@2.7.16-2~18.10, python2.7/libpython2.7-minimal@2.7.16-2~18.10 and others

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* python2.7@2.7.16-2~18.10
  • Introduced through: buildpack-deps:18.10-scm@* python2.7/libpython2.7-minimal@2.7.16-2~18.10
  • Introduced through: buildpack-deps:18.10-scm@* python2.7/libpython2.7-stdlib@2.7.16-2~18.10
  • Introduced through: buildpack-deps:18.10-scm@* python2.7/python2.7-minimal@2.7.16-2~18.10

Overview

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

References

medium severity

CRLF Injection

  • Vulnerable module: python2.7
  • Introduced through: python2.7@2.7.16-2~18.10, python2.7/libpython2.7-minimal@2.7.16-2~18.10 and others

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* python2.7@2.7.16-2~18.10
  • Introduced through: buildpack-deps:18.10-scm@* python2.7/libpython2.7-minimal@2.7.16-2~18.10
  • Introduced through: buildpack-deps:18.10-scm@* python2.7/libpython2.7-stdlib@2.7.16-2~18.10
  • Introduced through: buildpack-deps:18.10-scm@* python2.7/python2.7-minimal@2.7.16-2~18.10

Overview

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
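
The two urllib issues above (CR/LF in the path component of a URL with no '?', and CR/LF in the query string) share one mechanism. The following Python 3 example is added here and is not part of the page or of CPython: it models the request line an unpatched client would emit, the rejection check the fix introduced, and the percent-encoding an application should apply before handing untrusted input to urlopen. The control-character class in _DISALLOWED, the hand-rolled split_url helper and the sample URLs are assumptions for illustration.

```python
import re
from urllib.parse import quote

# Control characters that must never appear verbatim in an HTTP request target.
# Assumption: this class matches what the upstream CPython fix rejects in
# http.client.putrequest; it is reproduced from memory, not from this page.
_DISALLOWED = re.compile(r"[\x00-\x20\x7f]")


def split_url(url: str):
    """Minimal scheme://host/target splitter that keeps CR and LF intact.

    urllib.parse.urlsplit is deliberately not used: current CPython strips
    newlines there, which would hide the behaviour being modelled.
    """
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    return scheme, host, "/" + path


def request_lines(url: str) -> list:
    """Model of the unpatched client: the target (path plus query string) is
    copied verbatim into the request line, so a CR/LF inside it terminates the
    line and whatever follows is sent as extra header lines (or, against a
    Redis port, as extra commands)."""
    _, host, target = split_url(url)
    raw = f"GET {target} HTTP/1.1\r\nHost: {host}\r\n\r\n"
    return raw.split("\r\n")


def is_safe_target(url: str) -> bool:
    """Model of the patched client: refuse any target containing a control
    character instead of sending it."""
    _, _, target = split_url(url)
    return _DISALLOWED.search(target) is None


def percent_encode_target(url: str) -> str:
    """What an application should do with untrusted path/query input before
    calling urlopen: percent-encode it, so CR/LF become %0D%0A and stay inert."""
    scheme, host, target = split_url(url)
    return f"{scheme}://{host}{quote(target, safe='/?=&')}"


def safe_request_lines(url: str) -> list:
    """Patched behaviour end to end: reject, never send."""
    if not is_safe_target(url):
        raise ValueError("control characters in request target")
    return request_lines(url)


if __name__ == "__main__":
    # Constructed attacker-controlled URLs: one smuggles a header through the
    # path (no '?' present), one through the query string, and one targets a
    # Redis listener rather than an HTTP server.
    via_path = "http://example.com/redirect\r\nX-Injected: 1\r\n"
    via_query = "http://example.com/search?q=a\r\nX-Injected: 1\r\n"
    via_redis = "http://127.0.0.1:6379/\r\nSET pwned 1\r\n"
    for u in (via_path, via_query, via_redis):
        print(request_lines(u), is_safe_target(u))
    print(request_lines(percent_encode_target(via_path))[0])
```

The percent-encoded form is the real fix on the application side: the patched interpreter refuses the raw control characters, but an application that wants the request to go through at all must encode the untrusted segment rather than rely on the library raising.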

References

medium severity

Improper Input Validation

  • Vulnerable module: python2.7
  • Introduced through: python2.7@2.7.16-2~18.10, python2.7/libpython2.7-minimal@2.7.16-2~18.10 and others

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* python2.7@2.7.16-2~18.10
  • Introduced through: buildpack-deps:18.10-scm@* python2.7/libpython2.7-minimal@2.7.16-2~18.10
  • Introduced through: buildpack-deps:18.10-scm@* python2.7/libpython2.7-stdlib@2.7.16-2~18.10
  • Introduced through: buildpack-deps:18.10-scm@* python2.7/python2.7-minimal@2.7.16-2~18.10

Overview

http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.
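
To make the suffix bug concrete, the following Python example (added here; it is not CPython's code, which lives in Lib/http/cookiejar.py) models the vulnerable and the fixed domain check side by side and runs both over a constructed cookie jar. The function names and SAMPLE_JAR are assumptions for illustration.

```python
SAMPLE_JAR = [
    # (cookie name, Domain attribute as stored) -- constructed sample data
    ("session", "example.com"),
    ("prefs", ".example.com"),
    ("other", "bank.test"),
]


def domain_return_ok_vulnerable(req_host: str, cookie_domain: str) -> bool:
    """Model of the pre-fix check: a bare suffix comparison. Any host that
    merely *ends with* the cookie domain matches, so pythonicexample.com is
    treated as belonging to example.com."""
    return req_host.lower().endswith(cookie_domain.lower())


def domain_return_ok_fixed(req_host: str, cookie_domain: str) -> bool:
    """Model of the fixed check: the host must equal the cookie domain or end
    with '.' followed by it, i.e. the match must fall on a label boundary."""
    host = req_host.lower()
    domain = cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def cookies_for_request(jar, req_host: str, policy) -> list:
    """Names of the cookies a client applying `policy` would attach to a
    request for `req_host`."""
    return [name for name, domain in jar if policy(req_host, domain)]


if __name__ == "__main__":
    for host in ("pythonicexample.com", "www.example.com", "example.com"):
        print(host,
              cookies_for_request(SAMPLE_JAR, host, domain_return_ok_vulnerable),
              cookies_for_request(SAMPLE_JAR, host, domain_return_ok_fixed))
```

The same label-boundary rule is what any cookie, CORS or certificate-name matcher needs; a plain endswith() on host names is the bug pattern, whatever the library.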

References

medium severity

Information Exposure

  • Vulnerable module: systemd/libsystemd0
  • Introduced through: systemd/libsystemd0@239-7ubuntu10.14 and systemd/libudev1@239-7ubuntu10.14

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* systemd/libsystemd0@239-7ubuntu10.14
  • Introduced through: buildpack-deps:18.10-scm@* systemd/libudev1@239-7ubuntu10.14

Overview

systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled. The packages flagged above are the libsystemd0 and libudev1 shared libraries; the behaviour described lives in systemd's handling of virtual-terminal logins on a host, which a container image does not run.

References

low severity

Improper Input Validation

  • Vulnerable module: coreutils
  • Introduced through: coreutils@8.28-1ubuntu2

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* coreutils@8.28-1ubuntu2

Overview

chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.

References

low severity

Directory Traversal

  • Vulnerable module: dpkg
  • Introduced through: dpkg@1.19.0.5ubuntu5

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* dpkg@1.19.0.5ubuntu5

Overview

dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU patch program and does not offer a protection mechanism for blank-indented diff hunks, which allows remote attackers to conduct directory traversal attacks via a crafted Debian source package, as demonstrated by use of dpkg-source on NetBSD.

References

low severity

Improper Input Validation

  • Vulnerable module: git
  • Introduced through: git@1:2.19.1-1ubuntu1.1 and git/git-man@1:2.19.1-1ubuntu1.1

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* git@1:2.19.1-1ubuntu1.1
  • Introduced through: buildpack-deps:18.10-scm@* git/git-man@1:2.19.1-1ubuntu1.1

Overview

Git 2.15.1 and earlier contains an input validation error in the client that can result in problems ranging from corrupting the terminal configuration to remote code execution. To exploit it, the user must interact with a malicious git server (or have their traffic modified in a MITM attack).

References

low severity

Improper Input Validation

  • Vulnerable module: glibc/libc-bin
  • Introduced through: glibc/libc-bin@2.28-0ubuntu1 and glibc/libc6@2.28-0ubuntu1

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* glibc/libc-bin@2.28-0ubuntu1
  • Introduced through: buildpack-deps:18.10-scm@* glibc/libc6@2.28-0ubuntu1

Overview

The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.

References

low severity

Improper Input Validation

  • Vulnerable module: glibc/libc-bin
  • Introduced through: glibc/libc-bin@2.28-0ubuntu1 and glibc/libc6@2.28-0ubuntu1

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* glibc/libc-bin@2.28-0ubuntu1
  • Introduced through: buildpack-deps:18.10-scm@* glibc/libc6@2.28-0ubuntu1

Overview

In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string containing an IPv4 address followed by whitespace and arbitrary characters. An application could therefore assume it had parsed a clean address string when the input may still contain embedded HTTP headers or other potentially dangerous substrings.

References

low severity

Out-of-Bounds

  • Vulnerable module: glibc/libc-bin
  • Introduced through: glibc/libc-bin@2.28-0ubuntu1 and glibc/libc6@2.28-0ubuntu1

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* glibc/libc-bin@2.28-0ubuntu1
  • Introduced through: buildpack-deps:18.10-scm@* glibc/libc6@2.28-0ubuntu1

Overview

In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.

References

low severity

Out-of-bounds Read

  • Vulnerable module: glibc/libc-bin
  • Introduced through: glibc/libc-bin@2.28-0ubuntu1 and glibc/libc6@2.28-0ubuntu1

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* glibc/libc-bin@2.28-0ubuntu1
  • Introduced through: buildpack-deps:18.10-scm@* glibc/libc6@2.28-0ubuntu1

Overview

In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.

References

low severity

Uncontrolled Recursion

  • Vulnerable module: glibc/libc-bin
  • Introduced through: glibc/libc-bin@2.28-0ubuntu1 and glibc/libc6@2.28-0ubuntu1

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* glibc/libc-bin@2.28-0ubuntu1
  • Introduced through: buildpack-deps:18.10-scm@* glibc/libc6@2.28-0ubuntu1

Overview

** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\1\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.

References

low severity

Uncontrolled Recursion

  • Vulnerable module: glibc/libc-bin
  • Introduced through: glibc/libc-bin@2.28-0ubuntu1 and glibc/libc6@2.28-0ubuntu1

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* glibc/libc-bin@2.28-0ubuntu1
  • Introduced through: buildpack-deps:18.10-scm@* glibc/libc6@2.28-0ubuntu1

Overview

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\1\1|t1|\\2537)+' in grep.

References

low severity

Information Exposure

  • Vulnerable module: gnutls28/libgnutls30
  • Introduced through: gnutls28/libgnutls30@3.6.4-2ubuntu1.2

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* gnutls28/libgnutls30@3.6.4-2ubuntu1.2

Overview

A Bleichenbacher-type side-channel padding oracle attack was found in the way GnuTLS handles verification of RSA-decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process could use this to extract plaintext or, in some cases, downgrade any TLS connection to a vulnerable server.

References

low severity

Key Management Errors

  • Vulnerable module: heimdal/libasn1-8-heimdal
  • Introduced through: heimdal/libasn1-8-heimdal@7.5.0+dfsg-2, heimdal/libgssapi3-heimdal@7.5.0+dfsg-2 and others

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* heimdal/libasn1-8-heimdal@7.5.0+dfsg-2
  • Introduced through: buildpack-deps:18.10-scm@* heimdal/libgssapi3-heimdal@7.5.0+dfsg-2
  • Introduced through: buildpack-deps:18.10-scm@* heimdal/libhcrypto4-heimdal@7.5.0+dfsg-2
  • Introduced through: buildpack-deps:18.10-scm@* heimdal/libheimbase1-heimdal@7.5.0+dfsg-2
  • Introduced through: buildpack-deps:18.10-scm@* heimdal/libheimntlm0-heimdal@7.5.0+dfsg-2
  • Introduced through: buildpack-deps:18.10-scm@* heimdal/libhx509-5-heimdal@7.5.0+dfsg-2
  • Introduced through: buildpack-deps:18.10-scm@* heimdal/libkrb5-26-heimdal@7.5.0+dfsg-2
  • Introduced through: buildpack-deps:18.10-scm@* heimdal/libroken18-heimdal@7.5.0+dfsg-2
  • Introduced through: buildpack-deps:18.10-scm@* heimdal/libwind0-heimdal@7.5.0+dfsg-2

Overview

In the client side of Heimdal before 7.6.0, failure to verify anonymous PKINIT PA-PKINIT-KX key exchange permits a man-in-the-middle attack. This issue is in krb5_init_creds_step in lib/krb5/init_creds_pw.c.

References

low severity

Resource Management Errors

  • Vulnerable module: libtasn1-6
  • Introduced through: libtasn1-6@4.13-3

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* libtasn1-6@4.13-3

Overview

GNU libtasn1 4.12 and 4.13 contain a denial of service: CPU usage reaches 100% when asn1Parser is run against a crafted file, because of an issue in _asn1_expand_object_id(p_tree); after a long time the program is killed. The attack is triggered simply by parsing the crafted file.

References

low severity

Information Exposure

  • Vulnerable module: nettle/libhogweed4
  • Introduced through: nettle/libhogweed4@3.4-1 and nettle/libnettle6@3.4-1

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* nettle/libhogweed4@3.4-1
  • Introduced through: buildpack-deps:18.10-scm@* nettle/libnettle6@3.4-1

Overview

A Bleichenbacher-type side-channel padding oracle attack was found in the way Nettle handles endian conversion of RSA-decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process could use this flaw to extract plaintext or, in some cases, downgrade any TLS connection to a vulnerable server.

References

low severity

Improper Initialization

  • Vulnerable module: openldap/libldap-2.4-2
  • Introduced through: openldap/libldap-2.4-2@2.4.46+dfsg-5ubuntu1.2 and openldap/libldap-common@2.4.46+dfsg-5ubuntu1.2

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* openldap/libldap-2.4-2@2.4.46+dfsg-5ubuntu1.2
  • Introduced through: buildpack-deps:18.10-scm@* openldap/libldap-common@2.4.46+dfsg-5ubuntu1.2

Overview

slapd in OpenLDAP 2.4.45 and earlier creates its PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to that non-root account to modify the PID file before a root script executes a "kill `cat /pathname`" command, as demonstrated by openldap-initscript. The packages flagged above (libldap-2.4-2, libldap-common) are the client library; the affected code path is the slapd server and its init script.

References

low severity

Inappropriate Encoding for Output Context

  • Vulnerable module: openssh/openssh-client
  • Introduced through: openssh/openssh-client@1:7.7p1-4ubuntu0.3

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* openssh/openssh-client@1:7.7p1-4ubuntu0.3

Overview

In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.
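
One defensive measure on the client side is to refuse to render server-supplied text raw. The following Python example is added here and is not OpenSSH code: it strips terminal escape sequences from such text, makes the remaining control bytes visible in caret notation, and runs over a constructed stderr sample in which a second file name is erased with ESC [2K and a carriage return so that only the benign name would be seen on a real terminal. The regular expressions cover the common CSI, OSC and two-byte ESC forms and are an assumption, not an exhaustive list of what terminals interpret.

```python
import re

# Escape sequences a terminal would act on: CSI (ESC [ ... final byte), OSC
# (ESC ] ... BEL or ESC \), and the remaining two-byte ESC sequences.
_ESCAPES = re.compile(
    rb"\x1b\[[0-?]*[ -/]*[@-~]"
    rb"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    rb"|\x1b[@-Z\\-_]"
)
# Other C0 controls (including CR, which lets later text overwrite a line).
# TAB and LF are kept because they carry no rendering tricks.
_C0 = re.compile(rb"[\x00-\x08\x0b-\x1f\x7f]")


def sanitize_server_output(data: bytes) -> bytes:
    """Render server-supplied text (e.g. the remote side's stderr) inert:
    drop terminal escape sequences and show stray control bytes as caret
    notation (CR becomes ^M) so nothing can move the cursor or erase what
    was already displayed."""
    data = _ESCAPES.sub(b"", data)
    return _C0.sub(lambda m: b"^" + bytes([m.group(0)[0] ^ 0x40]), data)


def contains_terminal_controls(data: bytes) -> bool:
    """Cheap detector: does this chunk contain anything a terminal would act on?"""
    return bool(_ESCAPES.search(data) or _C0.search(data))


# Constructed sample: a malicious server reports a second file, then uses
# 'erase line' (ESC [2K) and a carriage return so the benign name is drawn
# over it. On a real terminal only file1.txt is visible.
SAMPLE_STDERR = (
    b"evil.sh      100%  512B   0.5KB/s   00:00"
    b"\x1b[2K\r"
    b"file1.txt    100%   12KB  12.0KB/s   00:00\n"
)


if __name__ == "__main__":
    print(contains_terminal_controls(SAMPLE_STDERR))   # True
    print(sanitize_server_output(SAMPLE_STDERR).decode())
```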

References

low severity

Information Exposure

  • Vulnerable module: openssh/openssh-client
  • Introduced through: openssh/openssh-client@1:7.7p1-4ubuntu0.3

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* openssh/openssh-client@1:7.7p1-4ubuntu0.3

Overview

Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.'

References

low severity

Cryptographic Issues

  • Vulnerable module: openssl
  • Introduced through: openssl@1.1.1-1ubuntu2.2 and openssl/libssl1.1@1.1.1-1ubuntu2.2

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* openssl@1.1.1-1ubuntu2.2
  • Introduced through: buildpack-deps:18.10-scm@* openssl/libssl1.1@1.1.1-1ubuntu2.2

Overview

ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a nonce to be set of up to 16 bytes. In this case only the last 12 bytes are significant and any additional leading bytes are ignored. It is a requirement of using this cipher that nonce values are unique. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then makes a change to the leading bytes of the nonce expecting the new value to be a new unique nonce then such an application could inadvertently encrypt messages with a reused nonce. Additionally the ignored bytes in a long nonce are not covered by the integrity guarantee of this cipher. Any application that relies on the integrity of these ignored leading bytes of a long nonce may be further affected. Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because no such use sets such a long nonce value. However user applications that use this cipher directly and set a non-default nonce length to be longer than 12 bytes may be vulnerable. OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1c (Affected 1.1.1-1.1.1b). Fixed in OpenSSL 1.1.0k (Affected 1.1.0-1.1.0j).
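
The following Python example is added here and is neither OpenSSL code nor the advisory's. It models the nonce normalisation the text describes (left-padding nonces shorter than 12 bytes, keeping only the last 12 bytes of a 13 to 16 byte nonce) and shows why an application that varies only the leading bytes of a 16-byte nonce reuses the same effective nonce on every message, with a small tracker that would have caught it. FIXED_TAIL, the helper names and the two counter layouts are assumptions for illustration.

```python
class NonceReuse(Exception):
    """Raised when two encryptions under one key would share an effective nonce."""


def effective_nonce(nonce: bytes) -> bytes:
    """Model of the affected OpenSSL behaviour as described above: a nonce
    shorter than 12 bytes is left-padded with zeros, a nonce of 13 to 16
    bytes contributes only its last 12 bytes, and anything longer is rejected.
    The returned value is what actually parameterises ChaCha20-Poly1305."""
    if len(nonce) > 16:
        raise ValueError("nonce longer than 16 bytes")
    if len(nonce) < 12:
        return b"\x00" * (12 - len(nonce)) + nonce
    return nonce[-12:]


class NonceTracker:
    """Per-key record of effective nonces already used under that key.
    Call check() before every encryption; it raises instead of letting a
    reused nonce through."""

    def __init__(self):
        self._seen = set()

    def check(self, nonce: bytes) -> bytes:
        eff = effective_nonce(nonce)
        if eff in self._seen:
            raise NonceReuse(f"effective nonce {eff.hex()} already used")
        self._seen.add(eff)
        return eff


FIXED_TAIL = bytes.fromhex("a1b2c3d4e5f60718293a4b5c")  # constructed 12-byte value


def leading_counter_nonce(i: int) -> bytes:
    """The buggy application pattern from the advisory: a 16-byte nonce whose
    message counter lives in the *leading* four bytes. Every value collapses
    to FIXED_TAIL once the leading bytes are dropped."""
    return i.to_bytes(4, "big") + FIXED_TAIL


def standard_nonce(i: int) -> bytes:
    """RFC 7539 shape: 12 bytes, counter in the last four bytes."""
    return FIXED_TAIL[:8] + i.to_bytes(4, "big")


def first_collision(nonce_fn, count: int):
    """Index of the first message whose effective nonce repeats, or None."""
    tracker = NonceTracker()
    for i in range(count):
        try:
            tracker.check(nonce_fn(i))
        except NonceReuse:
            return i
    return None


if __name__ == "__main__":
    print(first_collision(leading_counter_nonce, 100))  # 1
    print(first_collision(standard_nonce, 100))         # None
```

The practical check for code that drives the cipher directly is the one effective_nonce() encodes: never set an IV length other than 12 bytes, and if a longer value is ever passed, assume only its tail is significant.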

References

low severity

Out-of-Bounds

  • Vulnerable module: pcre3/libpcre3
  • Introduced through: pcre3/libpcre3@2:8.39-12~18.10

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* pcre3/libpcre3@2:8.39-12~18.10

Overview

Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.

References

low severity

Out-of-Bounds

  • Vulnerable module: pcre3/libpcre3
  • Introduced through: pcre3/libpcre3@2:8.39-12~18.10

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* pcre3/libpcre3@2:8.39-12~18.10

Overview

Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.

References

low severity

Incorrect Permission Assignment for Critical Resource

  • Vulnerable module: shadow/login
  • Introduced through: shadow/login@1:4.5-1ubuntu1 and shadow/passwd@1:4.5-1ubuntu1

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* shadow/login@1:4.5-1ubuntu1
  • Introduced through: buildpack-deps:18.10-scm@* shadow/passwd@1:4.5-1ubuntu1

Overview

An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.

References

low severity

Time-of-check Time-of-use (TOCTOU)

  • Vulnerable module: shadow/login
  • Introduced through: shadow/login@1:4.5-1ubuntu1 and shadow/passwd@1:4.5-1ubuntu1

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* shadow/login@1:4.5-1ubuntu1
  • Introduced through: buildpack-deps:18.10-scm@* shadow/passwd@1:4.5-1ubuntu1

Overview

shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees

References

low severity

Out-of-bounds Write

  • Vulnerable module: sqlite3/libsqlite3-0
  • Introduced through: sqlite3/libsqlite3-0@3.24.0-1ubuntu0.1

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* sqlite3/libsqlite3-0@3.24.0-1ubuntu0.1

Overview

Integer overflow in SQLite, reported via WebSQL in Google Chrome prior to 74.0.3729.131, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. The text is Chrome's advisory wording; the underlying overflow is in SQLite itself, which is why libsqlite3-0 is flagged here.

References

low severity

Incorrect Privilege Assignment

  • Vulnerable module: systemd/libsystemd0
  • Introduced through: systemd/libsystemd0@239-7ubuntu10.14 and systemd/libudev1@239-7ubuntu10.14

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* systemd/libsystemd0@239-7ubuntu10.14
  • Introduced through: buildpack-deps:18.10-scm@* systemd/libudev1@239-7ubuntu10.14

Overview

It was discovered that a systemd service that uses the DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID is recycled.

References

low severity

Privilege Chaining

  • Vulnerable module: systemd/libsystemd0
  • Introduced through: systemd/libsystemd0@239-7ubuntu10.14 and systemd/libudev1@239-7ubuntu10.14

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* systemd/libsystemd0@239-7ubuntu10.14
  • Introduced through: buildpack-deps:18.10-scm@* systemd/libudev1@239-7ubuntu10.14

Overview

It was discovered that a systemd service that uses the DynamicUser property can gain new privileges through the execution of SUID binaries, which allows it to create binaries owned by the service's transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID is recycled.

References

low severity

Loop with Unreachable Exit Condition ('Infinite Loop')

  • Vulnerable module: tar
  • Introduced through: tar@1.30+dfsg-2

Detailed paths

  • Introduced through: buildpack-deps:18.10-scm@* tar@1.30+dfsg-2

Overview

GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).

References