CVE-2021-3939

Publication date 16 November 2021

Last updated 24 July 2024

Ubuntu priority

High

Why this priority?

Cvss 3 Severity Score

7.8 · High

Score breakdown

Ubuntu-specific modifications to accountsservice (in patch file debian/patches/0010-set-language.patch) caused the fallback_locale variable, pointing to static storage, to be freed, in the user_change_language_authorized_cb function. This is reachable via the SetLanguage dbus function. This is fixed in versions 0.6.55-0ubuntu12~20.04.5, 0.6.55-0ubuntu13.3, 0.6.55-0ubuntu14.1.

Status

Package Ubuntu Release Status
accountsservice 22.04 LTS jammy
Fixed 0.6.55-3ubuntu2
21.10 impish
Fixed 0.6.55-0ubuntu14.1
21.04 hirsute
Fixed 0.6.55-0ubuntu13.3
20.04 LTS focal
Fixed 0.6.55-0ubuntu12~20.04.5
18.04 LTS bionic
Not affected
16.04 LTS xenial
Not affected
14.04 LTS trusty
Not affected

Severity score breakdown

Parameter Value
Base score 7.8 · High
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

    • USN-5149-1
    • AccountsService vulnerability
    • 16 November 2021

Other references