Debian DLA-2983-1 : abcm2ps - LTS security update

critical Nessus Plugin ID 159770

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-2983 advisory.

 - Stack-based buffer overflow in the delayed_output function in music.c in abcm2ps through 8.13.20 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact. (CVE-2018-10753)

 - Stack-based buffer overflow in the get_key function in parse.c in abcm2ps through 8.13.20 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.
 (CVE-2018-10771)

 - moinejf abcm2ps 8.13.20 is affected by: Incorrect Access Control. The impact is: Allows attackers to cause a denial of service attack via a crafted file. The component is: front.c, function txt_add. The fixed version is: after commit commit 08aef597656d065e86075f3d53fda89765845eae. (CVE-2019-1010069)

 - abcm2ps v8.14.11 was discovered to contain an out-of-bounds read in the function calculate_beam at draw.c.
 (CVE-2021-32434)

 - Stack-based buffer overflow in the function get_key in parse.c of abcm2ps v8.14.11 allows remote attackers to cause a Denial of Service (DoS) via unspecified vectors. (CVE-2021-32435)

 - An out-of-bounds read in the function write_title() in subs.c of abcm2ps v8.14.11 allows remote attackers to cause a Denial of Service (DoS) via unspecified vectors. (CVE-2021-32436)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the abcm2ps packages.

For Debian 9 stretch, these problems have been fixed in version 7.8.9-1+deb9u1.

See Also

https://security-tracker.debian.org/tracker/source-package/abcm2ps

https://www.debian.org/lts/security/2022/dla-2983

https://security-tracker.debian.org/tracker/CVE-2018-10753

https://security-tracker.debian.org/tracker/CVE-2018-10771

https://security-tracker.debian.org/tracker/CVE-2019-1010069

https://security-tracker.debian.org/tracker/CVE-2021-32434

https://security-tracker.debian.org/tracker/CVE-2021-32435

https://security-tracker.debian.org/tracker/CVE-2021-32436

https://packages.debian.org/source/stretch/abcm2ps

Plugin Details

Severity: Critical

ID: 159770

File Name: debian_DLA-2983.nasl

Version: 1.2

Type: local

Agent: unix

Published: 4/17/2022

Updated: 4/17/2022

Supported Sensors: Frictionless Assessment Agent, Nessus Agent

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

CVSS Score Source: CVE-2018-10771

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:abcm2ps, cpe:/o:debian:debian_linux:9.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 4/17/2022

Vulnerability Publication Date: 5/5/2018

Reference Information

CVE: CVE-2018-10753, CVE-2018-10771, CVE-2019-1010069, CVE-2021-32434, CVE-2021-32435, CVE-2021-32436