Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 556
Alerts This Week
Warning Icon 1 556

Arch Linux ASA-202103-21 High: dotnet-sdk Remote Code Execution Advisory

Archlinux Large Esm H446
The package dotnet-sdk before version 5.0.4.sdk104-1 is vulnerable to arbitrary code execution.
Arch Linux Security Advisory ASA-202103-21
=========================================
Severity: High
Date    : 2021-03-25
CVE-ID  : CVE-2021-26701
Package : dotnet-sdk
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1698

Summary
======
The package dotnet-sdk before version 5.0.4.sdk104-1 is vulnerable to
arbitrary code execution.

Resolution
=========
Upgrade to 5.0.4.sdk104-1.

# pacman -Syu "dotnet-sdk>=5.0.4.sdk104-1"

The problem has been fixed upstream in version 5.0.4.sdk104.

Workaround
=========
None.

Description
==========
A remote code execution vulnerability exists in .NET 5.0 before Runtime
5.0.4 and SDK 5.0.104 as well as .NET Core 3.1 before Runtime 3.1.13
and SDK 3.1.113 due to how text encoding is performed in the
System.Text.Encodings.Web package, caused by a buffer overrun.

Impact
=====
An attacker can execute arbitrary code by abusing the text encoding.

References
=========
https://bugs.archlinux.org/task/69317

https://github.com/dotnet/announcements/issues/178
https://security.archlinux.org/CVE-2021-26701