cvelist, Canonical, CVELIST:CVE-2020-27350
Dec 10, 2020 - 4:05 a.m.

CVE-2020-27350 apt integer wraparound

2020-12-10 04:05:18
CWE-190
canonical
www.cve.org
cve-2020-27350
integer wraparound
apt
integer overflow
parsing .deb packages

CVSS3: 5.7
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

AI Score: 5.3
Confidence: High

EPSS: 0.001
Percentile: 17.6%

APT had several integer overflows and underflows while parsing .deb packages (aka GHSL-2020-168, GHSL-2020-169) in the files apt-pkg/contrib/extracttar.cc, apt-pkg/deb/debfile.cc, and apt-pkg/contrib/arfile.cc. This issue affects apt 1.2.32ubuntu0 versions prior to 1.2.32ubuntu0.2; 1.6.12ubuntu0 versions prior to 1.6.12ubuntu0.2; 2.0.2ubuntu0 versions prior to 2.0.2ubuntu0.2; and 2.1.10ubuntu0 versions prior to 2.1.10ubuntu0.1.

CNA Affected

[
  {
    "product": "apt",
    "vendor": "Canonical",
    "versions": [
      {
        "lessThan": "1.2.32ubuntu0.2",
        "status": "affected",
        "version": "1.2.32ubuntu0",
        "versionType": "custom"
      },
      {
        "lessThan": "1.6.12ubuntu0.2",
        "status": "affected",
        "version": "1.6.12ubuntu0",
        "versionType": "custom"
      },
      {
        "lessThan": "2.0.2ubuntu0.2",
        "status": "affected",
        "version": "2.0.2ubuntu0",
        "versionType": "custom"
      },
      {
        "lessThan": "2.1.10ubuntu0.1",
        "status": "affected",
        "version": "2.1.10ubuntu0",
        "versionType": "custom"
      }
    ]
  }
]
