Out-of-Bounds

Affecting the Debian:9 file package, versions <1:5.30-1+deb9u1


NVD Description

Note: Versions mentioned in the description apply to the upstream file package. See Remediation section below for Debian:9 relevant versions.

An issue in file(), introduced in commit 9611f31313a93aa036389c5f3b15eea53510d4d1 (Oct 2016), lets an attacker overwrite a fixed 20-byte stack buffer with a specially crafted .notes section in an ELF binary. This was fixed in commit 35c94dc6acc418f1ad7f6241a6680e5327495793 (Aug 2017).

Remediation

Upgrade Debian:9 file to version 1:5.30-1+deb9u1 or higher.

CVSS Score

5.5 (medium severity)
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: High
  • Availability: None

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVE: CVE-2017-1000249
CWE: CWE-119
Snyk ID: SNYK-DEBIAN9-FILE-301004
Disclosed: 11 Sep, 2017
Published: 11 Sep, 2017