CVE-2013-4550

EUVD-2013-4409
Bip before 0.8.9, when running as a daemon, writes SSL handshake errors to an unexpected file descriptor that was previously associated with stderr before stderr has been closed, which allows remote attackers to write to other sockets and have an unspecified impact via a failed SSL handshake, a different vulnerability than CVE-2011-5268. NOTE: some sources originally mapped this CVE to two different types of issues; this CVE has since been SPLIT, producing CVE-2011-5268.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 5.1 UNKNOWN | NETWORK | HIGH | | AV:N/AC:H/Au:N/C:P/I:P/A:P |
EPSS Score
Percentile: 76%
Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| duckcorp | bip | 𝑥 ≤ 0.8.8 |
| duckcorp | bip | 0.8.0 |
| duckcorp | bip | 0.8.0:rc0 |
| duckcorp | bip | 0.8.0:rc1 |
| duckcorp | bip | 0.8.1 |
| duckcorp | bip | 0.8.2 |
| duckcorp | bip | 0.8.3 |
| duckcorp | bip | 0.8.4 |
| duckcorp | bip | 0.8.5 |
| duckcorp | bip | 0.8.6 |
| duckcorp | bip | 0.8.7 |

𝑥 = Vulnerable software versions
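Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| bip | bookworm | 0.9.3-1 | fixed |
| bip | bullseye | 0.9.0~rc4-1 | fixed |
| bip | sid | 0.9.3-1.1 | fixed |
| bip | squeeze | | no-dsa |
| bip | trixie | 0.9.3-1.1 | fixed |
| bip | wheezy | | no-dsa |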
Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| bip | lucid | | ignored |
| bip | precise | Fixed 0.8.8-1ubuntu0.3 | released |
| bip | quantal | Fixed 0.8.8-2ubuntu0.12.10.1 | released |
| bip | raring | Fixed 0.8.8-2ubuntu0.13.04.1 | released |
| bip | saucy | Fixed 0.8.8-2ubuntu1.1 | released |
Common Weakness Enumeration