Summary
During a review for EDF, Raphael Geissert discovered that the acpi-support package did not properly handle data obtained from a user's environment. This could lead to program malfunction or allow a local user to escalate privileges to the root user due to a programming error.
Solution
For the stable distribution (wheezy), this problem has been fixed in version 0.140-5+deb7u3.
For the testing distribution (jessie), and the unstable distribution (sid) this problem will be fixed soon.
We recommend that you upgrade your acpi-support packages.
Insight
This package contains scripts to react to various ACPI events. It only includes scripts for events that can be supported with some level of safety cross platform.
Affected
acpi-support on Debian Linux
Detection
This check tests the installed software version using the apt package manager.
References
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2014-0484 -
CVSS Base Score: 7.2
AV:L/AC:L/Au:N/C:C/I:C/A:C
Related Vulnerabilities