CVE-2024-40897
Publication date 26 July 2024
Last updated 1 October 2024
Ubuntu priority
Stack-based buffer overflow vulnerability exists in orcparse.c of ORC versions prior to 0.4.39. If a developer is tricked to process a specially crafted file with the affected ORC compiler, an arbitrary code may be executed on the developer's build environment. This may lead to compromise of developer machines or CI build environments.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| orc | 24.04 LTS noble |
Fixed 1:0.4.38-1ubuntu0.1
|
| 22.04 LTS jammy |
Fixed 1:0.4.32-2ubuntu0.1
|
|
| 20.04 LTS focal |
Fixed 1:0.4.31-1ubuntu0.1
|
|
| 18.04 LTS bionic |
Fixed 1:0.4.28-1ubuntu0.1~esm1
|
|
| 16.04 LTS xenial |
Fixed 1:0.4.25-1ubuntu0.1~esm1
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProNotes
rodrigo-zaiden
from the security advisory: This only affects developers and CI environments using orcc, not users of liborc.
Patch details
| Package | Patch details |
|---|---|
| orc |
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
6.7 · Medium
|
| Attack vector | Local |
| Attack complexity | High |
| Privileges required | Low |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-6964-1
- ORC vulnerability
- 15 August 2024
- USN-6964-2
- ORC vulnerability
- 1 October 2024