ID OSVDB:19485 Type osvdb Reporter OSVDB Modified 2005-09-17T23:19:41
Description
Vulnerability Description
Eric Integrated Development Environment (Eric3) contains a flaw that may allow arbitrary code execution. The issue occurs when processing project files. No further technical details have been provided by the vendor; Debian's advisory DSA 869-1 (referenced below) classifies the bug as "missing input sanitising" with problem type "local (remote)", which indicates the trigger is a crafted project file that a user is induced to open rather than an unauthenticated network attack — keep this in mind when reading the AV:N/Au:N CVSS vector recorded for this entry.
Solution Description
Upgrade to version 3.7.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. Note that CVE-2005-3068 describes all releases before 3.7.2 as affected (NVD lists CPEs from 3.4.2 through 3.7.1), not only the 3.7.0/3.7.1 versions listed in this entry's affected-software data. Debian sarge shipped a backported fix in package eric 3.6.2-2 (DSA 869-1), so on Debian compare the distribution package version rather than the upstream version number when assessing exposure.
Short Description
Eric Integrated Development Environment (Eric3) contains a flaw that may allow arbitrary code execution. The issue occurs when processing a crafted project file. No further details have been provided.
{"enchantments": {"score": {"value": 7.5, "vector": "NONE", "modified": "2017-04-28T13:20:16", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-3068"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:9998"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-869.NASL"]}, {"type": "debian", "idList": ["DEBIAN:DSA-869-1:4471F"]}, {"type": "openvas", "idList": ["OPENVAS:55727"]}], "modified": "2017-04-28T13:20:16", "rev": 2}, "vulnersScore": 7.5}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Eric3", "operator": "eq", "version": "3.7.0"}, {"name": "Eric3", "operator": "eq", "version": "3.7.1"}], "references": [], "href": "https://vulners.com/osvdb/OSVDB:19485", "id": "OSVDB:19485", "title": "Eric3 Project File Processing Arbitrary Code Execution", "type": "osvdb", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "lastseen": "2017-04-28T13:20:16", "edition": 1, "reporter": "OSVDB", "description": "## Vulnerability Description\nEric Integrated Development Environment(Eric3) contains a flaw that may allow arbitrary code execution. The issue occurs when processing project files. No further details have been provided.\n## Solution Description\nUpgrade to version 3.7.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nEric Integrated Development Environment(Eric3) contains a flaw that may allow arbitrary code execution. The issue occurs when processing project files. 
No further details have been provided.\n## References:\nVendor URL: http://www.die-offenbachs.de/detlev/eric3.html\nVendor Specific News/Changelog Entry: http://sourceforge.net/project/shownotes.php?group_id=119070&release_id=357174\n[Vendor Specific Advisory URL](http://www.debian.org/security/2005/dsa-869)\nSecurity Tracker: 1014947\n[Secunia Advisory ID:16993](https://secuniaresearch.flexerasoftware.com/advisories/16993/)\n[Secunia Advisory ID:17269](https://secuniaresearch.flexerasoftware.com/advisories/17269/)\n[CVE-2005-3068](https://vulners.com/cve/CVE-2005-3068)\n", "modified": "2005-09-17T23:19:41", "viewCount": 0, "published": "2005-09-17T23:19:41", "cvelist": ["CVE-2005-3068"]}
{"cve": [{"lastseen": "2020-10-03T11:34:56", "description": "Unspecified vulnerability in Eric Integrated Development Environment (eric3) before 3.7.2 has unknown impact and attack vectors related to a \"potential security exploit.\"", "edition": 3, "cvss3": {}, "published": "2005-09-27T19:03:00", "title": "CVE-2005-3068", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-3068"], "modified": "2008-09-05T20:53:00", "cpe": ["cpe:/a:eric_integrated_development_environment:eric_integrated_development_environment:3.6.2", "cpe:/a:eric_integrated_development_environment:eric_integrated_development_environment:3.5.1", "cpe:/a:eric_integrated_development_environment:eric_integrated_development_environment:3.5.0", "cpe:/a:eric_integrated_development_environment:eric_integrated_development_environment:3.6.0", "cpe:/a:eric_integrated_development_environment:eric_integrated_development_environment:3.4.2", "cpe:/a:eric_integrated_development_environment:eric_integrated_development_environment:3.7.0", "cpe:/a:eric_integrated_development_environment:eric_integrated_development_environment:3.7.1", "cpe:/a:eric_integrated_development_environment:eric_integrated_development_environment:3.6.1"], "id": "CVE-2005-3068", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3068", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:eric_integrated_development_environment:eric_integrated_development_environment:3.6.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:eric_integrated_development_environment:eric_integrated_development_environment:3.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:eric_integrated_development_environment:eric_integrated_development_environment:3.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:eric_integrated_development_environment:eric_integrated_development_environment:3.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:eric_integrated_development_environment:eric_integrated_development_environment:3.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:eric_integrated_development_environment:eric_integrated_development_environment:3.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:eric_integrated_development_environment:eric_integrated_development_environment:3.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:eric_integrated_development_environment:eric_integrated_development_environment:3.5.1:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2017-07-24T12:50:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-3068"], "description": "The remote host is missing an update to eric\nannounced via advisory DSA 869-1.\n\nThe developers of eric, a full featured Python IDE, have fixed a bug\nin the processing of project files that could lead to the execution of\narbitrary code.\n\nThe old stable distribution (woody) does not contain an eric package.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:55727", "href": "http://plugins.openvas.org/nasl.php?oid=55727", "type": "openvas", "title": "Debian Security Advisory DSA 869-1 (eric)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_869_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 869-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_solution = \"For the stable distribution (sarge) this problem has been fixed in\nversion 3.6.2-2.\n\nFor the unstable distribution (sid) this problem has been fixed in\nversion 3.7.2-1.\n\nWe recommend that you upgrade your eric package.\n\n https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20869-1\";\ntag_summary = \"The remote host is missing an update to eric\nannounced via advisory DSA 869-1.\n\nThe developers of eric, a full featured Python IDE, have fixed a bug\nin the processing of project files that could lead to the execution of\narbitrary code.\n\nThe old stable distribution (woody) does not contain an eric package.\";\n\n\nif(description)\n{\n script_id(55727);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 23:03:37 +0100 (Thu, 17 Jan 2008)\");\n script_bugtraq_id(14905);\n script_cve_id(\"CVE-2005-3068\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian 
Security Advisory DSA 869-1 (eric)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"eric\", ver:\"3.6.2-2\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:14", "bulletinFamily": "software", "cvelist": ["CVE-2005-3068"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- --------------------------------------------------------------------------\r\nDebian Security Advisory DSA 869-1 security@debian.org\r\nhttp://www.debian.org/security/ Martin Schulze\r\nOctober 21st, 2005 http://www.debian.org/security/faq\r\n- --------------------------------------------------------------------------\r\n\r\nPackage : eric\r\nVulnerability : missing input sanitising\r\nProblem type : local (remote)\r\nDebian-specific: no\r\nCVE ID : CAN-2005-3068\r\nDebian Bug : 330893\r\n\r\nThe developers of eric, a full featured Python IDE, have fixed a bug\r\nin the processing of project files that could lead to the execution of\r\narbitrary code.\r\n\r\nThe old stable distribution (woody) does not contain an eric package.\r\n\r\nFor the stable distribution (sarge) this problem has 
been fixed in\r\nversion 3.6.2-2.\r\n\r\nFor the unstable distribution (sid) this problem has been fixed in\r\nversion 3.7.2-1.\r\n\r\nWe recommend that you upgrade your eric package.\r\n\r\n\r\nUpgrade Instructions\r\n- --------------------\r\n\r\nwget url\r\n will fetch the file for you\r\ndpkg -i file.deb\r\n will install the referenced file.\r\n\r\nIf you are using the apt-get package manager, use the line for\r\nsources.list as given below:\r\n\r\napt-get update\r\n will update the internal database\r\napt-get upgrade\r\n will install corrected packages\r\n\r\nYou may use an automated update by adding the resources from the\r\nfooter to the proper configuration.\r\n\r\n\r\nDebian GNU/Linux 3.1 alias sarge\r\n- --------------------------------\r\n\r\n Source archives:\r\n\r\n http://security.debian.org/pool/updates/main/e/eric/eric_3.6.2-2.dsc\r\n Size/MD5 checksum: 579 05a3dde271a09b3dfea7f43200f22011\r\n http://security.debian.org/pool/updates/main/e/eric/eric_3.6.2-2.diff.gz\r\n Size/MD5 checksum: 9935 deab4c118e9e349f2424a3a84becfc28\r\n http://security.debian.org/pool/updates/main/e/eric/eric_3.6.2.orig.tar.gz\r\n Size/MD5 checksum: 2161575 1fdcba2aa0f4c0fce2a7c49668cebd60\r\n\r\n Architecture independent components:\r\n\r\n http://security.debian.org/pool/updates/main/e/eric/eric_3.6.2-2_all.deb\r\n Size/MD5 checksum: 1615108 3d65cdba469df986b25b93085980361e\r\n\r\n\r\n These files will probably be moved into the stable distribution on\r\n its next update.\r\n\r\n- ---------------------------------------------------------------------------------\r\nFor apt-get: deb http://security.debian.org/ stable/updates main\r\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\r\nMailing list: debian-security-announce@lists.debian.org\r\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.2 
(GNU/Linux)\r\n\r\niD8DBQFDWGeUW5ql+IAeqTIRAk1aAJ9HpQe/Fxa3vX1kpUWRXTW7Faq3cACdFZad\r\nm8kUEwC2MsgrUPzo8H/h2bc=\r\n=/RtH\r\n-----END PGP SIGNATURE-----\r\n\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\r\nHosted and sponsored by Secunia - http://secunia.com/", "edition": 1, "modified": "2005-10-21T00:00:00", "published": "2005-10-21T00:00:00", "id": "SECURITYVULNS:DOC:9998", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:9998", "title": "[Full-disclosure] [SECURITY] [DSA 869-1] New eric packages fix arbitrary code execution", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "debian": [{"lastseen": "2019-05-30T02:22:18", "bulletinFamily": "unix", "cvelist": ["CVE-2005-3068"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 869-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nOctober 21st, 2005 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : eric\nVulnerability : missing input sanitising\nProblem type : local (remote)\nDebian-specific: no\nCVE ID : CAN-2005-3068\nDebian Bug : 330893\n\nThe developers of eric, a full featured Python IDE, have fixed a bug\nin the processing of project files that could lead to the execution of\narbitrary code.\n\nThe old stable distribution (woody) does not contain an eric package.\n\nFor the stable distribution (sarge) this problem has been fixed in\nversion 3.6.2-2.\n\nFor the unstable distribution (sid) this problem has been fixed in\nversion 3.7.2-1.\n\nWe recommend that you upgrade your eric package.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using 
the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.1 alias sarge\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/e/eric/eric_3.6.2-2.dsc\n Size/MD5 checksum: 579 05a3dde271a09b3dfea7f43200f22011\n http://security.debian.org/pool/updates/main/e/eric/eric_3.6.2-2.diff.gz\n Size/MD5 checksum: 9935 deab4c118e9e349f2424a3a84becfc28\n http://security.debian.org/pool/updates/main/e/eric/eric_3.6.2.orig.tar.gz\n Size/MD5 checksum: 2161575 1fdcba2aa0f4c0fce2a7c49668cebd60\n\n Architecture independent components:\n\n http://security.debian.org/pool/updates/main/e/eric/eric_3.6.2-2_all.deb\n Size/MD5 checksum: 1615108 3d65cdba469df986b25b93085980361e\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "edition": 2, "modified": "2005-10-20T00:00:00", "published": "2005-10-20T00:00:00", "id": "DEBIAN:DSA-869-1:4471F", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2005/msg00263.html", "title": "[SECURITY] [DSA 869-1] New eric packages fix arbitrary code execution", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-06T10:03:37", "description": "The developers of eric, a full featured Python IDE, have fixed a bug\nin the processing of project files that could 
lead to the execution of\narbitrary code.", "edition": 25, "published": "2005-10-24T00:00:00", "title": "Debian DSA-869-1 : eric - missing input sanitising", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-3068"], "modified": "2005-10-24T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:eric", "cpe:/o:debian:debian_linux:3.1"], "id": "DEBIAN_DSA-869.NASL", "href": "https://www.tenable.com/plugins/nessus/20072", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-869. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(20072);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2005-3068\");\n script_xref(name:\"DSA\", value:\"869\");\n\n script_name(english:\"Debian DSA-869-1 : eric - missing input sanitising\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The developers of eric, a full featured Python IDE, have fixed a bug\nin the processing of project files that could lead to the execution of\narbitrary code.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330893\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2005/dsa-869\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the eric package.\n\nThe old stable distribution (woody) does not contain an eric package.\n\nFor the stable distribution (sarge) this problem has been fixed 
in\nversion 3.6.2-2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:eric\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/10/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/10/24\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/09/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.1\", prefix:\"eric\", reference:\"3.6.2-2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}