| Description: | Summary:
The remote host is missing an update for the Debian 'procps' package(s) announced via the DSA-4208-1 advisory.
Vulnerability Insight:
The Qualys Research Labs discovered multiple vulnerabilities in procps, a set of command line and full screen utilities for browsing procfs. The Common Vulnerabilities and Exposures project identifies the following problems:
CVE-2018-1122
top read its configuration from the current working directory if no $HOME was configured. If top were started from a directory writable by the attacker (such as /tmp) this could result in local privilege escalation.
CVE-2018-1123
Denial of service against the ps invocation of another user.
CVE-2018-1124
An integer overflow in the file2strvec() function of libprocps could result in local privilege escalation.
CVE-2018-1125
A stack-based buffer overflow in pgrep could result in denial of service for a user using pgrep for inspecting a specially crafted process.
CVE-2018-1126
Incorrect integer size parameters used in wrappers for standard C allocators could cause integer truncation and lead to integer overflow issues.
For the oldstable distribution (jessie), these problems have been fixed in version 2:3.3.9-9+deb8u1.
For the stable distribution (stretch), these problems have been fixed in version 2:3.3.12-3+deb9u1.
We recommend that you upgrade your procps packages.
For the detailed security status of procps please refer to its security tracker page at: [link moved to references]
Affected Software/OS:
'procps' package(s) on Debian 8, Debian 9.
Solution:
Please install the updated package(s).
CVSS Score:
7.5
CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
