Debian DSA-639-1 : mc - several vulnerabilities

High Nessus Plugin ID 16165

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 5.8

Synopsis

The remote Debian host is missing a security-related update.

Description

Andrew V. Samoilov has noticed that several bugfixes which were applied to the source by upstream developers of mc, the midnight commander, a file browser and manager, were not backported to the current version of mc that Debian ships in their stable release. The Common Vulnerabilities and Exposures Project identifies the following vulnerabilities :

- CAN-2004-1004 Multiple format string vulnerabilities

- CAN-2004-1005

Multiple buffer overflows

- CAN-2004-1009

One infinite loop vulnerability

- CAN-2004-1090

Denial of service via corrupted section header

- CAN-2004-1091

Denial of service via null dereference

- CAN-2004-1092

Freeing unallocated memory

- CAN-2004-1093

Denial of service via use of already freed memory

- CAN-2004-1174

Denial of service via manipulating non-existing file handles

- CAN-2004-1175

Unintended program execution via insecure filename quoting

- CAN-2004-1176

Denial of service via a buffer underflow

Solution

Upgrade the mc package.

For the stable distribution (woody) these problems have been fixed in version 4.5.55-1.2woody5.

See Also

http://www.debian.org/security/2005/dsa-639

Plugin Details

Severity: High

ID: 16165

File Name: debian_DSA-639.nasl

Version: 1.21

Type: local

Agent: unix

Published: 2005/01/14

Updated: 2021/01/04

Dependencies: 12634

Risk Information

Risk Factor: High

VPR Score: 5.8

CVSS v2.0

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:mc, cpe:/o:debian:debian_linux:3.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2005/01/14

Vulnerability Publication Date: 2005/01/14

Reference Information

CVE: CVE-2004-1004, CVE-2004-1005, CVE-2004-1009, CVE-2004-1090, CVE-2004-1091, CVE-2004-1092, CVE-2004-1093, CVE-2004-1174, CVE-2004-1175, CVE-2004-1176

DSA: 639