Lucene search

Debian Security Bug TrackerDEBIANCVE:CVE-2020-27350

HistoryDec 10, 2020 - 4:15 a.m.

CVE-2020-27350

2020-12-1004:15:11

Debian Security Bug Tracker

security-tracker.debian.org

apt

integer overflows

.deb packages

parsing

ghsl-2020-168

ghsl-2020-169

extracttar.cc

debfile.cc

arfile.cc

unix

cve-2020-27350

security vulnerability

CVSS2

4.6

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS3

5.7

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

EPSS

0.001

Percentile

17.6%

JSON

APT had several integer overflows and underflows while parsing .deb packages, aka GHSL-2020-168 GHSL-2020-169, in files apt-pkg/contrib/extracttar.cc, apt-pkg/deb/debfile.cc, and apt-pkg/contrib/arfile.cc. This issue affects: apt 1.2.32ubuntu0 versions prior to 1.2.32ubuntu0.2; 1.6.12ubuntu0 versions prior to 1.6.12ubuntu0.2; 2.0.2ubuntu0 versions prior to 2.0.2ubuntu0.2; 2.1.10ubuntu0 versions prior to 2.1.10ubuntu0.1;

OSVersionArchitecturePackageVersionFilename
Debian12allapt< 2.1.13apt_2.1.13_all.deb
Debian11allapt< 2.1.13apt_2.1.13_all.deb
Debian999allapt< 2.1.13apt_2.1.13_all.deb
Debian13allapt< 2.1.13apt_2.1.13_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	apt	< 2.1.13	apt_2.1.13_all.deb
Debian	11	all	apt	< 2.1.13	apt_2.1.13_all.deb
Debian	999	all	apt	< 2.1.13	apt_2.1.13_all.deb
Debian	13	all	apt	< 2.1.13	apt_2.1.13_all.deb