Access Restriction Bypass Affecting dpkg package, versions <1.10.19
Threat Intelligence
EPSS
0.04% (6th percentile)
- Snyk ID SNYK-DEBIAN12-DPKG-1544491
- published 8 Jun 2010
- disclosed 8 Jun 2010
Introduced: 8 Jun 2010
CVE-2004-2768
How to fix?
Upgrade Debian:12 dpkg to version 1.10.19 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream dpkg package and not the dpkg package as distributed by Debian.
See How to fix? for Debian:12 relevant fixed versions and status.
dpkg 1.9.21 does not properly reset the metadata of a file during replacement of the file in a package upgrade, which might allow local users to gain privileges by creating a hard link to a vulnerable (1) setuid file, (2) setgid file, or (3) device, a related issue to CVE-2010-2059.
References
- https://security-tracker.debian.org/tracker/CVE-2004-2768
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=225692
- http://lists.jammed.com/ISN/2003/12/0056.html
- http://www.hackinglinuxexposed.com/articles/20031214.html
- http://xforce.iss.net/xforce/xfdb/59428
- https://bugzilla.redhat.com/show_bug.cgi?id=598775
- https://exchange.xforce.ibmcloud.com/vulnerabilities/59428
CVSS Scores
version 3.1