DebianDEBIAN:DSA-3889-1:9495F[SECURITY] [DSA 3889-1] libffi security update
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
22.7%
Debian Security Advisory DSA-3889-1 [email protected]
https://www.debian.org/security/ Yves-Alexis Perez
June 19, 2017 https://www.debian.org/security/faq
Package : libffi
CVE ID : CVE-2017-1000376
Debian Bug : 751907
libffi, a library used to call code written in one language from code written
in a different language, was enforcing an executable stack on the i386
architecture. While this might not be considered a vulnerability by itself,
this could be leveraged when exploiting other vulnerabilities, like for example
the "stack clash" class of vulnerabilities discovered by Qualys Research Labs.
For the full details, please refer to their advisory published at:
https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
For the oldstable distribution (jessie), this problem has been fixed
in version 3.1-2+deb8u1.
For the stable distribution (stretch), this problem has been fixed in
version 3.2.1-4.
For the testing distribution (buster), this problem has been fixed
in version 3.2.1-4.
For the unstable distribution (sid), this problem has been fixed in
version 3.2.1-4.
We recommend that you upgrade your libffi packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: [email protected]
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Debian | 8 | mips | libffi6-udeb | < 3.1-2+deb8u1 | libffi6-udeb_3.1-2+deb8u1_mips.deb |
| Debian | 8 | arm64 | libffi6-udeb | < 3.1-2+deb8u1 | libffi6-udeb_3.1-2+deb8u1_arm64.deb |
| Debian | 8 | armhf | libffi6-udeb | < 3.1-2+deb8u1 | libffi6-udeb_3.1-2+deb8u1_armhf.deb |
| Debian | 7 | armel | libffi5-dbg | < 3.0.10-3+deb7u1 | libffi5-dbg_3.0.10-3+deb7u1_armel.deb |
| Debian | 7 | amd64 | libffi5-dbg | < 3.0.10-3+deb7u1 | libffi5-dbg_3.0.10-3+deb7u1_amd64.deb |
| Debian | 8 | amd64 | libffi6-udeb | < 3.1-2+deb8u1 | libffi6-udeb_3.1-2+deb8u1_amd64.deb |
| Debian | 8 | mipsel | libffi6 | < 3.1-2+deb8u1 | libffi6_3.1-2+deb8u1_mipsel.deb |
| Debian | 8 | kfreebsd-amd64 | libffi6 | < 3.1-2+deb8u1 | libffi6_3.1-2+deb8u1_kfreebsd-amd64.deb |
| Debian | 7 | amd64 | libffi5 | < 3.0.10-3+deb7u1 | libffi5_3.0.10-3+deb7u1_amd64.deb |
| Debian | 8 | amd64 | libffi6-dbg | < 3.1-2+deb8u1 | libffi6-dbg_3.1-2+deb8u1_amd64.deb |
Related
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
22.7%