CVE-2024-40897
Publication date 26 July 2024
Last updated 29 August 2024
Ubuntu priority
CVSS 3 severity score: 6.7 (Medium)
A stack-based buffer overflow exists in orcparse.c of ORC versions prior to 0.4.39. If a developer is tricked into processing a specially crafted file with the affected ORC compiler (orcc), arbitrary code may be executed in the developer's build environment. This may lead to compromise of developer machines or CI build environments. Note that Ubuntu ships the fix as a backport, so the fixed package versions in the status table below remain numerically below 0.4.39.
Status
Package | Ubuntu Release | Status
---|---|---
orc | 24.04 LTS noble | Fixed 1:0.4.38-1ubuntu0.1
orc | 22.04 LTS jammy | Fixed 1:0.4.32-2ubuntu0.1
orc | 20.04 LTS focal | Fixed 1:0.4.31-1ubuntu0.1
orc | 18.04 LTS bionic | Vulnerable
orc | 16.04 LTS xenial | Vulnerable
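To tell whether an installed orc package already carries this fix, the installed version has to be compared against the fixed version for that release using Debian's version ordering (epoch, upstream version, Debian revision, with `~` sorting before the end of a string), not a plain string or float comparison. The following is an added example, not part of the Ubuntu CVE tracker or the ORC project: a self-contained Python implementation of that ordering plus a lookup against the fixed versions transcribed from the status table above. The release-to-version map and the sample inputs are constructed here; on a real host you would feed in the output of `dpkg-query -W -f='${Version}' <package>` for whichever orc binary package is installed.

```python
"""Check whether an installed Ubuntu 'orc' package version carries the
CVE-2024-40897 fix, using the fixed versions from the status table above.

Added example, not part of the Ubuntu CVE tracker or the ORC project.
Assumptions: the release -> fixed-version map below is transcribed from the
table on this page; version ordering follows Debian policy section 5.6.12
(epoch, upstream, revision; '~' sorts before everything, even end of string).
"""


def _order(ch):
    """Sort weight for a character, mirroring dpkg's verrevcmp() order()."""
    if ch == "" or ch.isdigit():
        return 0          # end of string and digits are handled by the caller
    if ch == "~":
        return -1         # '~' sorts before the end of the string
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256  # any other punctuation sorts after letters


def _verrevcmp(a, b):
    """Compare two version fragments (upstream or revision) the dpkg way."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character using _order().
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: strip leading zeros, then the longer run wins, else first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(v1, v2):
    """Return <0, 0 or >0 as v1 is older than, equal to, or newer than v2."""
    def split(v):
        epoch, sep, rest = v.partition(":")       # epoch is before the first ':'
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")  # revision is after the last '-'
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return e1 - e2
    c = _verrevcmp(u1, u2)
    if c:
        return c
    return _verrevcmp(r1, r2)


# Fixed versions per Ubuntu release, transcribed from the status table on this page.
FIXED_IN = {
    "noble": "1:0.4.38-1ubuntu0.1",
    "jammy": "1:0.4.32-2ubuntu0.1",
    "focal": "1:0.4.31-1ubuntu0.1",
}
# Releases the table lists as Vulnerable with no fixed version.
NO_FIX = {"bionic", "xenial"}


def orc_status(codename, installed_version):
    """Classify an installed orc version for CVE-2024-40897 on the given release."""
    if codename in NO_FIX:
        return "vulnerable"
    if codename not in FIXED_IN:
        return "unknown"
    if compare_versions(installed_version, FIXED_IN[codename]) >= 0:
        return "fixed"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs, not real hosts.
    for codename, version in [
        ("noble", "1:0.4.38-1ubuntu0.1"),
        ("noble", "1:0.4.38-1"),
        ("focal", "1:0.4.31-1ubuntu0.1~test1"),
        ("bionic", "1:0.4.28-1"),
    ]:
        print(codename, version, orc_status(codename, version))
```

Two details matter for this CVE in particular: the epoch (`1:`) must be compared numerically before the rest, and a `~` suffix on a revision marks a pre-release that sorts below the plain fixed version, so `1:0.4.31-1ubuntu0.1~test1` is still reported as vulnerable on focal.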
Notes
rodrigo-zaiden
from the security advisory: This only affects developers and CI environments using orcc, not users of liborc.
Patch details
Package | Patch details
---|---
orc |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.7 · Medium |
Attack vector | Local |
Attack complexity | High |
Privileges required | Low |
User interaction | Required |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-6964-1: ORC vulnerability (15 August 2024)