CVE-2020-27351 - OpenCVE

Various memory and file descriptor leaks were found in apt-python files python/arfile.cc, python/tag.cc, python/tarfile.cc, aka GHSL-2020-170. This issue affects: python-apt 1.1.0~beta1 versions prior to 1.1.0~beta1ubuntu0.16.04.10; 1.6.5ubuntu0 versions prior to 1.6.5ubuntu0.4; 2.0.0ubuntu0 versions prior to 2.0.0ubuntu0.20.04.2; 2.1.3ubuntu1 versions prior to 2.1.3ubuntu1.1;

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction Required

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:L/AC:L/Au:N/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Debian	Advanced Package Tool Debian Linux
Canonical	Ubuntu Linux

Configuration 1 [-]

AND

cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

Configuration 2 [-]

AND

cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

Configuration 3 [-]

AND

cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*

Configuration 4 [-]

AND

cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:20.10:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

References

Link	Resource
https://bugs.launchpad.net/bugs/1899193	Broken Link
https://usn.ubuntu.com/usn/usn-4668-1	Vendor Advisory
https://www.debian.org/security/2020/dsa-4809	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: canonical

Published: 2020-12-09T00:00:00

Updated: 2020-12-10T11:06:07

Reserved: 2020-10-20T00:00:00

Link: CVE-2020-27351

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-12-10T04:15:11.547

Modified: 2020-12-14T19:56:18.940

Link: CVE-2020-27351

JSON object: View

Redhat Information

No data.

CWE

CWE-772

{"containers": {"cna": {"affected": [{"product": "python-apt", "vendor": "Canonical", "versions": [{"lessThan": "1.1.0~beta1ubuntu0.16.04.10", "status": "affected", "version": "1.1.0~beta1", "versionType": "custom"}, {"lessThan": "1.6.5ubuntu0.4", "status": "affected", "version": "1.6.5ubuntu0", "versionType": "custom"}, {"lessThan": "2.0.0ubuntu0.20.04.2", "status": "affected", "version": "2.0.0ubuntu0", "versionType": "custom"}, {"lessThan": "2.1.3ubuntu1.1", "status": "affected", "version": "2.1.3ubuntu1", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Kevin Backhouse"}], "datePublic": "2020-12-09T00:00:00", "descriptions": [{"lang": "en", "value": "Various memory and file descriptor leaks were found in apt-python files python/arfile.cc, python/tag.cc, python/tarfile.cc, aka GHSL-2020-170. This issue affects: python-apt 1.1.0~beta1 versions prior to 1.1.0~beta1ubuntu0.16.04.10; 1.6.5ubuntu0 versions prior to 1.6.5ubuntu0.4; 2.0.0ubuntu0 versions prior to 2.0.0ubuntu0.20.04.2; 2.1.3ubuntu1 versions prior to 2.1.3ubuntu1.1;"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 2, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-772", "description": "CWE-772 Missing Release of Resource after Effective Lifetime", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-12-10T11:06:07", "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugs.launchpad.net/bugs/1899193"}, {"tags": ["x_refsource_MISC"], "url": "https://usn.ubuntu.com/usn/usn-4668-1"}, {"name": "DSA-4809", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2020/dsa-4809"}], "source": {"advisory": "https://usn.ubuntu.com/usn/usn-4668-1", "defect": ["https://bugs.launchpad.net/bugs/1899193"], "discovery": "EXTERNAL"}, "title": "Various memory and file descriptor leaks in apt-python", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@ubuntu.com", "DATE_PUBLIC": "2020-12-09T00:00:00.000Z", "ID": "CVE-2020-27351", "STATE": "PUBLIC", "TITLE": "Various memory and file descriptor leaks in apt-python"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "python-apt", "version": {"version_data": [{"version_affected": "<", "version_name": "1.1.0~beta1", "version_value": "1.1.0~beta1ubuntu0.16.04.10"}, {"version_affected": "<", "version_name": "1.6.5ubuntu0", "version_value": "1.6.5ubuntu0.4"}, {"version_affected": "<", "version_name": "2.0.0ubuntu0", "version_value": "2.0.0ubuntu0.20.04.2"}, {"version_affected": "<", "version_name": "2.1.3ubuntu1", "version_value": "2.1.3ubuntu1.1"}]}}]}, "vendor_name": "Canonical"}]}}, "credit": [{"lang": "eng", "value": "Kevin Backhouse"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Various memory and file descriptor leaks were found in apt-python files python/arfile.cc, python/tag.cc, python/tarfile.cc, aka GHSL-2020-170. This issue affects: python-apt 1.1.0~beta1 versions prior to 1.1.0~beta1ubuntu0.16.04.10; 1.6.5ubuntu0 versions prior to 1.6.5ubuntu0.4; 2.0.0ubuntu0 versions prior to 2.0.0ubuntu0.20.04.2; 2.1.3ubuntu1 versions prior to 2.1.3ubuntu1.1;"}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 2, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-772 Missing Release of Resource after Effective Lifetime"}]}]}, "references": {"reference_data": [{"name": "https://bugs.launchpad.net/bugs/1899193", "refsource": "MISC", "url": "https://bugs.launchpad.net/bugs/1899193"}, {"name": "https://usn.ubuntu.com/usn/usn-4668-1", "refsource": "MISC", "url": "https://usn.ubuntu.com/usn/usn-4668-1"}, {"name": "DSA-4809", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4809"}]}, "source": {"advisory": "https://usn.ubuntu.com/usn/usn-4668-1", "defect": ["https://bugs.launchpad.net/bugs/1899193"], "discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "assignerShortName": "canonical", "cveId": "CVE-2020-27351", "datePublished": "2020-12-09T00:00:00", "dateReserved": "2020-10-20T00:00:00", "dateUpdated": "2020-12-10T11:06:07", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*", "matchCriteriaId": "5F1CD972-BF6E-437D-BD7A-9C6E1649E05E", "versionEndExcluding": "1.1.0\\~beta1ubuntu0.16.04.10", "versionStartIncluding": "1.1.0\\~beta1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*", "matchCriteriaId": "46110C63-28BC-4CAC-9D26-D5CEE0042A54", "versionEndExcluding": "1.6.5ubuntu0.4", "versionStartIncluding": "1.6.5ubuntu0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*", "matchCriteriaId": "0EE283A5-3974-4B01-9BAC-940B32714D9F", "versionEndExcluding": "2.0.0ubuntu0.20.04.2", "versionStartIncluding": "2.0.0ubuntu0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*", "matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*", "matchCriteriaId": "496C03D7-3211-47CE-996F-AE031900B54C", "versionEndExcluding": "2.1.30ubuntu1.1", "versionStartIncluding": "2.1.3ubuntu1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.10:*:*:*:*:*:*:*", "matchCriteriaId": "338B3AAC-C147-4A31-95E7-6E8A6FB4B3FC", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A03A663-BC84-47BE-90DA-09753C3F44FE", "versionEndExcluding": "1.8.4.2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Various memory and file descriptor leaks were found in apt-python files python/arfile.cc, python/tag.cc, python/tarfile.cc, aka GHSL-2020-170. This issue affects: python-apt 1.1.0~beta1 versions prior to 1.1.0~beta1ubuntu0.16.04.10; 1.6.5ubuntu0 versions prior to 1.6.5ubuntu0.4; 2.0.0ubuntu0 versions prior to 2.0.0ubuntu0.20.04.2; 2.1.3ubuntu1 versions prior to 2.1.3ubuntu1.1;"}, {"lang": "es", "value": "Se encontraron varios filtrados de memoria y descriptores de archivos en los archivos python/arfile.cc, python/tag.cc, python/tarfile.cc, tambi\u00e9n se conoce como GHSL-2020-170. Este problema afecta a: python-apt versiones 1.1.0~beta1 anteriores a 1.1.0~beta1ubuntu0.16.04.10; versiones 1.6.5ubuntu0 anteriores a 1.6.5ubuntu0.4; versiones 2.0.0ubuntu0 anteriores a 2.0.0ubuntu0.20.04.2; versiones 2.1.3ubuntu1 anteriores a 2.1.3ubuntu1.1;"}], "id": "CVE-2020-27351", "lastModified": "2020-12-14T19:56:18.940", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 2.1, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 2.8, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 0.6, "impactScore": 1.4, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2020-12-10T04:15:11.547", "references": [{"source": "security@ubuntu.com", "tags": ["Broken Link"], "url": "https://bugs.launchpad.net/bugs/1899193"}, {"source": "security@ubuntu.com", "tags": ["Vendor Advisory"], "url": "https://usn.ubuntu.com/usn/usn-4668-1"}, {"source": "security@ubuntu.com", "tags": ["Vendor Advisory"], "url": "https://www.debian.org/security/2020/dsa-4809"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-772"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-772"}], "source": "security@ubuntu.com", "type": "Secondary"}]}