製品・ソフトウェアに関する情報

JVN脆弱性詳細

Debian および Ubuntu におけるエラー処理に関する脆弱性

Title	Debian および Ubuntu におけるエラー処理に関する脆弱性
Summary	Debian および Ubuntu には、エラー処理に関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 攻撃が行われる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 27, 2017, midnight
Registration Date	April 28, 2017, 5:46 p.m.
Last Update	April 28, 2017, 5:46 p.m.

Affected System

Debian

Debian GNU/Linux 8.0

Canonical

Ubuntu 12.04 LTS

Ubuntu 14.04 LTS

Ubuntu 16.04 LTS

Ubuntu 16.10

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2017-6964	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6964
National Vulnerability Database (NVD)
2	CVE-2017-6964	https://nvd.nist.gov/vuln/detail/CVE-2017-6964

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-388	https://cwe.mitre.org/data/definitions/388.html

ベンダー情報

No	Name	URL
Debian Security Advisory
1	DSA-3823-1	https://www.debian.org/security/2017/dsa-3823
Ubuntu Security Notice
2	USN-3246-1	https://www.ubuntu.com/usn/usn-3246-1/

Change Log

No	Changed Details	Date of change
0	[2017年04月28日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2017-6964

Summary	dmcrypt-get-device, as shipped in the eject package of Debian and Ubuntu, does not check the return value of the (1) setuid or (2) setgid function, which might cause dmcrypt-get-device to execute code, which was intended to run as an unprivileged user, as root. This affects eject through 2.1.5+deb1+cvs20081104-13.1 on Debian, eject before 2.1.5+deb1+cvs20081104-13.1ubuntu0.16.10.1 on Ubuntu 16.10, eject before 2.1.5+deb1+cvs20081104-13.1ubuntu0.16.04.1 on Ubuntu 16.04 LTS, eject before 2.1.5+deb1+cvs20081104-13.1ubuntu0.14.04.1 on Ubuntu 14.04 LTS, and eject before 2.1.5+deb1+cvs20081104-9ubuntu0.1 on Ubuntu 12.04 LTS.
Publication Date	March 28, 2017, 10:59 a.m.
Registration Date	Jan. 26, 2021, 1:28 p.m.
Last Update	Nov. 21, 2024, 12:30 p.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:16.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:12.04::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:8.0:::::::*

Related information, measures and tools

No	URL	refsource	タグ
1	https://www.debian.org/security/2017/dsa-3823	MISC	Third Party Advisory
2	http://www.debian.org/security/2017/dsa-3823		Third Party Advisory
3	http://www.debian.org/security/2017/dsa-3823		Third Party Advisory
4	http://www.securityfocus.com/bid/97154		Broken Link Third Party Advisory VDB Entry
5	http://www.securityfocus.com/bid/97154		Broken Link Third Party Advisory VDB Entry
6	https://launchpad.net/bugs/1673627		Issue Tracking Third Party Advisory
7	https://launchpad.net/bugs/1673627		Issue Tracking Third Party Advisory
8	https://www.ubuntu.com/usn/usn-3246-1/		Vendor Advisory
9	https://www.ubuntu.com/usn/usn-3246-1/		Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-252	未チェックの戻り値	https://cwe.mitre.org/data/definitions/252.html