Stack-based buffer over-read in a2ps (Alpine package)

Published: 2017-08-28

Risk	Low
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2017-11423
CWE-ID	CWE-126
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	a2ps (Alpine package) Operating systems & Components / Operating system package or component
Vendor	Alpine Linux Development Team

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Stack-based buffer over-read

EUVDB-ID: #VU11217

Risk: Low

CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-11423

CWE-ID: CWE-126 - Buffer over-read

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the cabd_read_string function due to stack-based buffer over-read. A remote attacker can send a specially crafted CAB file, trick the victim into opening it, trigger memory corruption and cause the service to crash.

Mitigation

Install update from vendor's website.

Vulnerable software versions

a2ps (Alpine package): 4.14-r0 - 4.14-r6

CPE2.3

External links

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.