SB2019110205 - Memory leak in cabextract (Alpine package)
Published: November 2, 2019
Security Bulletin ID
SB2019110205
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Memory leak (CVE-ID: CVE-2019-15681)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to sensitive information on the target system.
The vulnerability exists due memory leak in VNC server code. A remote attacker can read stack memory and disclose sensitive information.
Combined with another vulnerability, it can be used to leak stack memory and bypass ASLR.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=60d0315bb55d8dd7d0c654dbcf8ca9157bee54f2
- https://git.alpinelinux.org/aports/commit/?id=bd5545fe9442912826f75d68a7f88e0a71f0f571
- https://git.alpinelinux.org/aports/commit/?id=a522ceff0dc95b23c88082617eb2cb25923d5123
- https://git.alpinelinux.org/aports/commit/?id=41ab224df12b8487004a1522b4f671680c082954
- https://git.alpinelinux.org/aports/commit/?id=7f993019c4f6466e8d8dc2063699f749eedba865
- https://git.alpinelinux.org/aports/commit/?id=bf1ec813f662f128fc6b70f37ef1c0474bb24488
- https://git.alpinelinux.org/aports/commit/?id=0b572578bebcf302d72e52216fdfff53165f6e2d
- https://git.alpinelinux.org/aports/commit/?id=2e95874e521137050e37c9860bead8ebf1c0a408
- https://git.alpinelinux.org/aports/commit/?id=3f0b215e21eca7395224b2eb4c9ef16ce7992771