CVE-2018-1000221

pkgconf versions 1.5.0 to 1.5.2 contain a buffer overflow vulnerability in dequote(): the function returns a 1-byte allocation if the initial length is 0, leading to a buffer overflow. This attack appears to be exploitable via a specially crafted .pc file. This vulnerability appears to have been fixed in 1.5.3.

Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | NIST | 9.8 CRITICAL | NETWORK | LOW | NONE | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitre | CNA | --- | ---
CVE | ADP | --- | ---

Base Score: CVSS 3.x
EPSS Score: Percentile: 62%

Vendor | Product | Version
pkgconf | pkgconf | 1.5.0 ≤ x ≤ 1.5.2

x = Vulnerable software versions

Debian Releases

Debian Product | Codename | Version | Status
pkgconf | bullseye | 1.7.4~git20210206+dcf529b-3 | fixed
pkgconf | bookworm | 1.8.1-1 | fixed
pkgconf | sid | 1.8.1-4 | fixed
pkgconf | trixie | 1.8.1-4 | fixed

Ubuntu Releases

Ubuntu Product | Codename | Status
pkgconf | bionic | not-affected
pkgconf | xenial | not-affected
pkgconf | trusty | dne