Debian DSA-1806-1 : cscope - buffer overflows

high Nessus Plugin ID 38880

Synopsis

The remote Debian host is missing a security-related update.

Description

Matt Murphy discovered that cscope, a source code browsing tool, does not verify the length of file names sourced in include statements, which may lead to the execution of arbitrary code through specially crafted source code files.

Solution

Upgrade the cscope package.

For the stable distribution (lenny), this problem has been fixed in version 15.6-6+lenny1.

Due to a technical limitation in the Debian archive management scripts, the update for the old stable distribution (etch) cannot be released synchronously. It will be fixed in version 15.6-2+etch1 soon.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=528510

https://www.debian.org/security/2009/dsa-1806

Plugin Details

Severity: High

ID: 38880

File Name: debian_DSA-1806.nasl

Version: 1.10

Type: local

Agent: unix

Published: 5/26/2009

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:cscope, cpe:/o:debian:debian_linux:5.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 5/24/2009

Reference Information

CVE: CVE-2009-0148

BID: 34805

CWE: 119

DSA: 1806