CVE-2017-6964

dmcrypt-get-device, as shipped in the eject package of Debian and Ubuntu, does not check the return value of the (1) setuid or (2) setgid function, which might cause dmcrypt-get-device to execute code, which was intended to run as an unprivileged user, as root. This affects eject through 2.1.5+deb1+cvs20081104-13.1 on Debian, eject before 2.1.5+deb1+cvs20081104-13.1ubuntu0.16.10.1 on Ubuntu 16.10, eject before 2.1.5+deb1+cvs20081104-13.1ubuntu0.16.04.1 on Ubuntu 16.04 LTS, eject before 2.1.5+deb1+cvs20081104-13.1ubuntu0.14.04.1 on Ubuntu 14.04 LTS, and eject before 2.1.5+deb1+cvs20081104-9ubuntu0.1 on Ubuntu 12.04 LTS.
References
Link Resource
http://www.debian.org/security/2017/dsa-3823 Third Party Advisory
http://www.securityfocus.com/bid/97154 Broken Link Third Party Advisory VDB Entry
https://launchpad.net/bugs/1673627 Issue Tracking Third Party Advisory
https://www.ubuntu.com/usn/usn-3246-1/ Vendor Advisory
https://www.debian.org/security/2017/dsa-3823 Third Party Advisory
http://www.debian.org/security/2017/dsa-3823 Third Party Advisory
http://www.securityfocus.com/bid/97154 Broken Link Third Party Advisory VDB Entry
https://launchpad.net/bugs/1673627 Issue Tracking Third Party Advisory
https://www.ubuntu.com/usn/usn-3246-1/ Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.10:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

History

21 Nov 2024, 03:30

Type Values Removed Values Added
References () http://www.debian.org/security/2017/dsa-3823 - Third Party Advisory () http://www.debian.org/security/2017/dsa-3823 - Third Party Advisory
References () http://www.securityfocus.com/bid/97154 - Broken Link, Third Party Advisory, VDB Entry () http://www.securityfocus.com/bid/97154 - Broken Link, Third Party Advisory, VDB Entry
References () https://launchpad.net/bugs/1673627 - Issue Tracking, Third Party Advisory () https://launchpad.net/bugs/1673627 - Issue Tracking, Third Party Advisory
References () https://www.ubuntu.com/usn/usn-3246-1/ - Vendor Advisory () https://www.ubuntu.com/usn/usn-3246-1/ - Vendor Advisory

21 Jan 2024, 01:37

Type Values Removed Values Added
References (DEBIAN) http://www.debian.org/security/2017/dsa-3823 - (DEBIAN) http://www.debian.org/security/2017/dsa-3823 - Third Party Advisory
References (MISC) https://www.debian.org/security/2017/dsa-3823 - Vendor Advisory (MISC) https://www.debian.org/security/2017/dsa-3823 - Third Party Advisory
References (CONFIRM) https://launchpad.net/bugs/1673627 - Third Party Advisory (CONFIRM) https://launchpad.net/bugs/1673627 - Issue Tracking, Third Party Advisory
References (BID) http://www.securityfocus.com/bid/97154 - Third Party Advisory, VDB Entry (BID) http://www.securityfocus.com/bid/97154 - Broken Link, Third Party Advisory, VDB Entry

Information

Published : 2017-03-28 01:59

Updated : 2024-11-21 03:30


NVD link : CVE-2017-6964

Mitre link : CVE-2017-6964

CVE.ORG link : CVE-2017-6964


JSON object : View

Products Affected

canonical

  • ubuntu_linux

debian

  • debian_linux
CWE
CWE-252

Unchecked Return Value