Alerts This Week
Warning Icon 1 687
Alerts This Week
Warning Icon 1 687

Gentoo 2016-12-04: Advisory 201612-07 Normal: Dpkg Arbitrary Code Execution

gentoo
Calendar Grey December 4, 2016
Dist Gentoo Esm H88
The Arch Linux Security Advisory ALSA 202303-01 highlights a moderate severity vulnerability in cron that may enable unauthorized privilege escalation.
A vulnerability was discovered in dpkg which could potentially lead to arbitrary code execution.

Summary

Gentoo Linux developer, Hanno Böck, discovered an off-by-one error in the dpkg-deb component of dpkg, the Debian package management system, which triggers a stack-based buffer overflow.

Topics%20covered

Topics Covered

security advisory gentoo code execution arbitrary execution dpkg

Resolution

All dpkg users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-arch/dpkg-1.17.26"

References

[ 1 ] CVE-2015-7805 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7805

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201612-07
style>.gentoo_availability{display:block;}

Concerns

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

Severity: Normal
Title: dpkg: Arbitrary code execution
Date: December 04, 2016
Bugs: #567258
ID: 201612-07

Topics%20covered

Topics Covered

security advisory gentoo code execution arbitrary execution dpkg

Synopsis

A vulnerability was discovered in dpkg which could potentially lead to arbitrary code execution.

Background

Debian package management system.

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Affected Packages

------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 app-arch/dpkg < 1.17.26 >= 1.17.26

Impact

===== An attacker could potentially execute arbitrary code if an user or an automated system were tricked into processing a specially crafted Debian binary package (.deb).

Workaround

There is no known workaround at this time.

Related News

Your message here