Lucene search

Debian Security Bug TrackerDEBIANCVE:CVE-2017-1000455

HistoryJan 02, 2018 - 5:29 p.m.

CVE-2017-1000455

2018-01-0217:29:01

Debian Security Bug Tracker

security-tracker.debian.org

guixsd

git commit

hard links

setuid executables

security assumption

gnu guix

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:L/Au:N/C:N/I:P/A:N

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS

Percentile

12.6%

JSON

GuixSD prior to Git commit 5e66574a128937e7f2fcf146d146225703ccfd5d used POSIX hard links incorrectly, leading the creation of setuid executables in “the store”, violating a fundamental security assumption of GNU Guix.

OSVersionArchitecturePackageVersionFilename
Debian12allguix< 1.4.0-3+deb12u1guix_1.4.0-3+deb12u1_all.deb
Debian11allguix< 1.2.0-4+deb11u2guix_1.2.0-4+deb11u2_all.deb
Debian999allguix< 1.4.0-7guix_1.4.0-7_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	guix	< 1.4.0-3+deb12u1	guix_1.4.0-3+deb12u1_all.deb
Debian	11	all	guix	< 1.2.0-4+deb11u2	guix_1.2.0-4+deb11u2_all.deb
Debian	999	all	guix	< 1.4.0-7	guix_1.4.0-7_all.deb

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:L/Au:N/C:N/I:P/A:N

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS

Percentile

12.6%

JSON

Related for DEBIANCVE:CVE-2017-1000455