[SECURITY] [DSA 5437-1] hsqldb security update

2023-06-2121:47:55

lists.debian.org

hsqldb

libreoffice

cve-2023-1183

debian

secfault security gmbh

security update

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

0.0005 Low

EPSS

Percentile

17.4%

JSON

Debian Security Advisory DSA-5437-1 [email protected]
https://www.debian.org/security/ Markus Koschany
June 21, 2023 https://www.debian.org/security/faq

Package : hsqldb
CVE ID : CVE-2023-1183

Gregor Kopf of Secfault Security GmbH discovered that HSQLDB, a Java SQL
database engine, allowed the execution of spurious scripting commands in
.script and .log files. Hsqldb supports a "SCRIPT" keyword which is normally
used to record the commands input by the database admin to output such a
script. In combination with LibreOffice, an attacker could craft an odb
containing a "database/script" file which itself contained a SCRIPT command
where the contents of the file could be written to a new file whose location
was determined by the attacker.

For the oldstable distribution (bullseye), this problem has been fixed
in version 2.5.1-1+deb11u2.

For the stable distribution (bookworm), this problem has been fixed in
version 2.7.1-1+deb12u1.

We recommend that you upgrade your hsqldb packages.

For the detailed security status of hsqldb please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/hsqldb

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian12allhsqldb< 2.7.1-1+deb12u1hsqldb_2.7.1-1+deb12u1_all.deb
Debian11allhsqldb-utils< 2.5.1-1+deb11u2hsqldb-utils_2.5.1-1+deb11u2_all.deb
Debian12alllibhsqldb-java< 2.7.1-1+deb12u1libhsqldb-java_2.7.1-1+deb12u1_all.deb
Debian10alllibhsqldb1.8.0-java< 1.8.0.10+dfsg-10+deb10u1libhsqldb1.8.0-java_1.8.0.10+dfsg-10+deb10u1_all.deb
Debian11allhsqldb< 2.5.1-1+deb11u2hsqldb_2.5.1-1+deb11u2_all.deb
Debian12allhsqldb-utils< 2.7.1-1+deb12u1hsqldb-utils_2.7.1-1+deb12u1_all.deb
Debian10alllibhsqldb-java< 2.4.1-2+deb10u2libhsqldb-java_2.4.1-2+deb10u2_all.deb
Debian12alllibhsqldb1.8.0-java< 1.8.0.10+dfsg-11+deb12u1libhsqldb1.8.0-java_1.8.0.10+dfsg-11+deb12u1_all.deb
Debian12alllibhsqldb-java-doc< 2.7.1-1+deb12u1libhsqldb-java-doc_2.7.1-1+deb12u1_all.deb
Debian11allhsqldb1.8.0< 1.8.0.10+dfsg-10+deb11u1hsqldb1.8.0_1.8.0.10+dfsg-10+deb11u1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	hsqldb	< 2.7.1-1+deb12u1	hsqldb_2.7.1-1+deb12u1_all.deb
Debian	11	all	hsqldb-utils	< 2.5.1-1+deb11u2	hsqldb-utils_2.5.1-1+deb11u2_all.deb
Debian	12	all	libhsqldb-java	< 2.7.1-1+deb12u1	libhsqldb-java_2.7.1-1+deb12u1_all.deb
Debian	10	all	libhsqldb1.8.0-java	< 1.8.0.10+dfsg-10+deb10u1	libhsqldb1.8.0-java_1.8.0.10+dfsg-10+deb10u1_all.deb
Debian	11	all	hsqldb	< 2.5.1-1+deb11u2	hsqldb_2.5.1-1+deb11u2_all.deb
Debian	12	all	hsqldb-utils	< 2.7.1-1+deb12u1	hsqldb-utils_2.7.1-1+deb12u1_all.deb
Debian	10	all	libhsqldb-java	< 2.4.1-2+deb10u2	libhsqldb-java_2.4.1-2+deb10u2_all.deb
Debian	12	all	libhsqldb1.8.0-java	< 1.8.0.10+dfsg-11+deb12u1	libhsqldb1.8.0-java_1.8.0.10+dfsg-11+deb12u1_all.deb
Debian	12	all	libhsqldb-java-doc	< 2.7.1-1+deb12u1	libhsqldb-java-doc_2.7.1-1+deb12u1_all.deb
Debian	11	all	hsqldb1.8.0	< 1.8.0.10+dfsg-10+deb11u1	hsqldb1.8.0_1.8.0.10+dfsg-10+deb11u1_all.deb