CVE-2014-9765 (GCVE-0-2014-9765)

Vulnerability from cvelistv5 – Published: 2016-04-19 21:00 – Updated: 2024-08-06 13:55

Summary

Buffer overflow in the main_get_appheader function in xdelta3-main.h in xdelta3 before 3.0.9 allows remote attackers to execute arbitrary code via a crafted input file.

Severity ?

No CVSS data available.

CWE

Assigner

debian

References

URL

Tags

	http://www.openwall.com/lists/oss-security/2016/02/08/2	mailing-listx_refsource_MLIST
	https://github.com/jmacd/xdelta-devel/commit/ef93…	x_refsource_CONFIRM
	http://www.ubuntu.com/usn/USN-2901-1	vendor-advisoryx_refsource_UBUNTU
	http://www.debian.org/security/2016/dsa-3484	vendor-advisoryx_refsource_DEBIAN
	http://lists.opensuse.org/opensuse-updates/2016-0…	vendor-advisoryx_refsource_SUSE
	https://security.gentoo.org/glsa/201701-40	vendor-advisoryx_refsource_GENTOO
	http://www.securityfocus.com/bid/83109	vdb-entryx_refsource_BID
	http://lists.opensuse.org/opensuse-updates/2016-0…	vendor-advisoryx_refsource_SUSE
	http://www.openwall.com/lists/oss-security/2016/02/08/1	mailing-listx_refsource_MLIST

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T13:55:04.187Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[oss-security] 20160208 Re: CVE request - buffer overflow in xdelta3 before 3.0.9",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2016/02/08/2"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2"
          },
          {
            "name": "USN-2901-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-2901-1"
          },
          {
            "name": "DSA-3484",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2016/dsa-3484"
          },
          {
            "name": "openSUSE-SU-2016:0524",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00125.html"
          },
          {
            "name": "GLSA-201701-40",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/201701-40"
          },
          {
            "name": "83109",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/83109"
          },
          {
            "name": "openSUSE-SU-2016:0530",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00131.html"
          },
          {
            "name": "[oss-security] 20160208 CVE request - buffer overflow in xdelta3 before 3.0.9",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2016/02/08/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2014-10-12T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Buffer overflow in the main_get_appheader function in xdelta3-main.h in xdelta3 before 3.0.9 allows remote attackers to execute arbitrary code via a crafted input file."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-06-30T16:57:01",
        "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
        "shortName": "debian"
      },
      "references": [
        {
          "name": "[oss-security] 20160208 Re: CVE request - buffer overflow in xdelta3 before 3.0.9",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2016/02/08/2"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2"
        },
        {
          "name": "USN-2901-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-2901-1"
        },
        {
          "name": "DSA-3484",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2016/dsa-3484"
        },
        {
          "name": "openSUSE-SU-2016:0524",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00125.html"
        },
        {
          "name": "GLSA-201701-40",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/201701-40"
        },
        {
          "name": "83109",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/83109"
        },
        {
          "name": "openSUSE-SU-2016:0530",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00131.html"
        },
        {
          "name": "[oss-security] 20160208 CVE request - buffer overflow in xdelta3 before 3.0.9",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2016/02/08/1"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@debian.org",
          "ID": "CVE-2014-9765",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Buffer overflow in the main_get_appheader function in xdelta3-main.h in xdelta3 before 3.0.9 allows remote attackers to execute arbitrary code via a crafted input file."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[oss-security] 20160208 Re: CVE request - buffer overflow in xdelta3 before 3.0.9",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2016/02/08/2"
            },
            {
              "name": "https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2",
              "refsource": "CONFIRM",
              "url": "https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2"
            },
            {
              "name": "USN-2901-1",
              "refsource": "UBUNTU",
              "url": "http://www.ubuntu.com/usn/USN-2901-1"
            },
            {
              "name": "DSA-3484",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2016/dsa-3484"
            },
            {
              "name": "openSUSE-SU-2016:0524",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00125.html"
            },
            {
              "name": "GLSA-201701-40",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/201701-40"
            },
            {
              "name": "83109",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/83109"
            },
            {
              "name": "openSUSE-SU-2016:0530",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00131.html"
            },
            {
              "name": "[oss-security] 20160208 CVE request - buffer overflow in xdelta3 before 3.0.9",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2016/02/08/1"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
    "assignerShortName": "debian",
    "cveId": "CVE-2014-9765",
    "datePublished": "2016-04-19T21:00:00",
    "dateReserved": "2016-02-08T00:00:00",
    "dateUpdated": "2024-08-06T13:55:04.187Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*\", \"matchCriteriaId\": \"B5A6F2F3-4894-4392-8296-3B8DD2679084\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E88A537F-F4D0-46B9-9E37-965233C2A355\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"16F59A04-14CF-49E2-9973-645477EA09DA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:xdelta:xdelta3:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"3.0.8\", \"matchCriteriaId\": \"251BEFE8-AC5F-4A36-AC30-8C498B8F5517\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A10BC294-9196-425F-9FB0-B1625465B47F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"03117DF1-3BEC-4B8D-AD63-DBBDB2126081\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Buffer overflow in the main_get_appheader function in xdelta3-main.h in xdelta3 before 3.0.9 allows remote attackers to execute arbitrary code via a crafted input file.\"}, {\"lang\": \"es\", \"value\": \"Desbordamiento de buffer en la funci\\u00f3n main_get_appheader en xdelta3-main.h en xdelta3 en versiones anteriores a 3.0.9 permite a atacantes remotos ejecutar c\\u00f3dgo arbitrario a trav\\u00e9s de un archivo de entrada manipulado.\"}]",
      "id": "CVE-2014-9765",
      "lastModified": "2024-11-21T02:21:37.587",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\", \"baseScore\": 6.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2016-04-19T21:59:01.100",
      "references": "[{\"url\": \"http://lists.opensuse.org/opensuse-updates/2016-02/msg00125.html\", \"source\": \"security@debian.org\"}, {\"url\": \"http://lists.opensuse.org/opensuse-updates/2016-02/msg00131.html\", \"source\": \"security@debian.org\"}, {\"url\": \"http://www.debian.org/security/2016/dsa-3484\", \"source\": \"security@debian.org\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2016/02/08/1\", \"source\": \"security@debian.org\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2016/02/08/2\", \"source\": \"security@debian.org\"}, {\"url\": \"http://www.securityfocus.com/bid/83109\", \"source\": \"security@debian.org\"}, {\"url\": \"http://www.ubuntu.com/usn/USN-2901-1\", \"source\": \"security@debian.org\"}, {\"url\": \"https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2\", \"source\": \"security@debian.org\"}, {\"url\": \"https://security.gentoo.org/glsa/201701-40\", \"source\": \"security@debian.org\"}, {\"url\": \"http://lists.opensuse.org/opensuse-updates/2016-02/msg00125.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://lists.opensuse.org/opensuse-updates/2016-02/msg00131.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.debian.org/security/2016/dsa-3484\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2016/02/08/1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2016/02/08/2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/bid/83109\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.ubuntu.com/usn/USN-2901-1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.gentoo.org/glsa/201701-40\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security@debian.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-119\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2014-9765\",\"sourceIdentifier\":\"security@debian.org\",\"published\":\"2016-04-19T21:59:01.100\",\"lastModified\":\"2025-04-12T10:46:40.837\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Buffer overflow in the main_get_appheader function in xdelta3-main.h in xdelta3 before 3.0.9 allows remote attackers to execute arbitrary code via a crafted input file.\"},{\"lang\":\"es\",\"value\":\"Desbordamiento de buffer en la funci\u00f3n main_get_appheader en xdelta3-main.h en xdelta3 en versiones anteriores a 3.0.9 permite a atacantes remotos ejecutar c\u00f3dgo arbitrario a trav\u00e9s de un archivo de entrada manipulado.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-119\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"B5A6F2F3-4894-4392-8296-3B8DD2679084\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E88A537F-F4D0-46B9-9E37-965233C2A355\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"16F59A04-14CF-49E2-9973-645477EA09DA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xdelta:xdelta3:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"3.0.8\",\"matchCriteriaId\":\"251BEFE8-AC5F-4A36-AC30-8C498B8F5517\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A10BC294-9196-425F-9FB0-B1625465B47F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"03117DF1-3BEC-4B8D-AD63-DBBDB2126081\"}]}]}],\"references\":[{\"url\":\"http://lists.opensuse.org/opensuse-updates/2016-02/msg00125.html\",\"source\":\"security@debian.org\"},{\"url\":\"http://lists.opensuse.org/opensuse-updates/2016-02/msg00131.html\",\"source\":\"security@debian.org\"},{\"url\":\"http://www.debian.org/security/2016/dsa-3484\",\"source\":\"security@debian.org\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2016/02/08/1\",\"source\":\"security@debian.org\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2016/02/08/2\",\"source\":\"security@debian.org\"},{\"url\":\"http://www.securityfocus.com/bid/83109\",\"source\":\"security@debian.org\"},{\"url\":\"http://www.ubuntu.com/usn/USN-2901-1\",\"source\":\"security@debian.org\"},{\"url\":\"https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2\",\"source\":\"security@debian.org\"},{\"url\":\"https://security.gentoo.org/glsa/201701-40\",\"source\":\"security@debian.org\"},{\"url\":\"http://lists.opensuse.org/opensuse-updates/2016-02/msg00125.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.opensuse.org/opensuse-updates/2016-02/msg00131.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.debian.org/security/2016/dsa-3484\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2016/02/08/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2016/02/08/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/83109\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.ubuntu.com/usn/USN-2901-1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.gentoo.org/glsa/201701-40\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

FKIE_CVE-2014-9765

Vulnerability from fkie_nvd - Published: 2016-04-19 21:59 - Updated: 2025-04-12 10:46

Severity ?

8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

Buffer overflow in the main_get_appheader function in xdelta3-main.h in xdelta3 before 3.0.9 allows remote attackers to execute arbitrary code via a crafted input file.

References

	URL	Tags
	security@debian.org	http://lists.opensuse.org/opensuse-updates/2016-02/msg00125.html
	security@debian.org	http://lists.opensuse.org/opensuse-updates/2016-02/msg00131.html
	security@debian.org	http://www.debian.org/security/2016/dsa-3484
	security@debian.org	http://www.openwall.com/lists/oss-security/2016/02/08/1
	security@debian.org	http://www.openwall.com/lists/oss-security/2016/02/08/2
	security@debian.org	http://www.securityfocus.com/bid/83109
	security@debian.org	http://www.ubuntu.com/usn/USN-2901-1
	security@debian.org	https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2
	security@debian.org	https://security.gentoo.org/glsa/201701-40
	af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-updates/2016-02/msg00125.html
	af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-updates/2016-02/msg00131.html
	af854a3a-2127-422b-91ae-364da2661108	http://www.debian.org/security/2016/dsa-3484
	af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2016/02/08/1
	af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2016/02/08/2
	af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/83109
	af854a3a-2127-422b-91ae-364da2661108	http://www.ubuntu.com/usn/USN-2901-1
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2
	af854a3a-2127-422b-91ae-364da2661108	https://security.gentoo.org/glsa/201701-40

Impacted products

Vendor	Product	Version
canonical	ubuntu_linux	14.04
canonical	ubuntu_linux	15.10
debian	debian_linux	7.0
debian	debian_linux	8.0
xdelta	xdelta3	*
opensuse	opensuse	13.1
opensuse	opensuse	13.2

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
              "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "E88A537F-F4D0-46B9-9E37-965233C2A355",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:xdelta:xdelta3:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "251BEFE8-AC5F-4A36-AC30-8C498B8F5517",
              "versionEndIncluding": "3.0.8",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Buffer overflow in the main_get_appheader function in xdelta3-main.h in xdelta3 before 3.0.9 allows remote attackers to execute arbitrary code via a crafted input file."
    },
    {
      "lang": "es",
      "value": "Desbordamiento de buffer en la funci\u00f3n main_get_appheader en xdelta3-main.h en xdelta3 en versiones anteriores a 3.0.9 permite a atacantes remotos ejecutar c\u00f3dgo arbitrario a trav\u00e9s de un archivo de entrada manipulado."
    }
  ],
  "id": "CVE-2014-9765",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2016-04-19T21:59:01.100",
  "references": [
    {
      "source": "security@debian.org",
      "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00125.html"
    },
    {
      "source": "security@debian.org",
      "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00131.html"
    },
    {
      "source": "security@debian.org",
      "url": "http://www.debian.org/security/2016/dsa-3484"
    },
    {
      "source": "security@debian.org",
      "url": "http://www.openwall.com/lists/oss-security/2016/02/08/1"
    },
    {
      "source": "security@debian.org",
      "url": "http://www.openwall.com/lists/oss-security/2016/02/08/2"
    },
    {
      "source": "security@debian.org",
      "url": "http://www.securityfocus.com/bid/83109"
    },
    {
      "source": "security@debian.org",
      "url": "http://www.ubuntu.com/usn/USN-2901-1"
    },
    {
      "source": "security@debian.org",
      "url": "https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2"
    },
    {
      "source": "security@debian.org",
      "url": "https://security.gentoo.org/glsa/201701-40"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00125.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00131.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.debian.org/security/2016/dsa-3484"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2016/02/08/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2016/02/08/2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/83109"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.ubuntu.com/usn/USN-2901-1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://security.gentoo.org/glsa/201701-40"
    }
  ],
  "sourceIdentifier": "security@debian.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-119"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

VAR-201604-0652

Vulnerability from variot - Updated: 2023-12-18 14:05

Buffer overflow in the main_get_appheader function in xdelta3-main.h in xdelta3 before 3.0.9 allows remote attackers to execute arbitrary code via a crafted input file. xdelta is a set of command line programs developed by software developer Joshua MacDonald for handling incremental encoding (not complete storage or transmission of data). xdelta3 is an enhanced version of xdelta. ============================================================================ Ubuntu Security Notice USN-2901-1 February 17, 2016

xdelta3 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

Ubuntu 15.10
Ubuntu 14.04 LTS

Summary:

xdelta3 could be made to crash or run programs if it opened a specially crafted file.

Software Description: - xdelta3: Diff utility which works with binary files

Details:

It was discovered that xdelta3 incorrectly handled certain files.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 15.10: xdelta3 3.0.8-dfsg-1ubuntu0.15.10.2

Ubuntu 14.04 LTS: xdelta3 3.0.7-dfsg-2ubuntu0.2

In general, a standard system update will make all the necessary changes.

References: http://www.ubuntu.com/usn/usn-2901-1 CVE-2014-9765

Package Information: https://launchpad.net/ubuntu/+source/xdelta3/3.0.8-dfsg-1ubuntu0.15.10.2 https://launchpad.net/ubuntu/+source/xdelta3/3.0.7-dfsg-2ubuntu0.2 .

Background

Xdelta is a C library and command-line tool for delta compression using VCDIFF/RFC 3284 streams.

Impact

A remote attacker could coerce the victim to run xdelta against a malicious input file. This may be leveraged by an attacker to crash xdelta and gain control of program execution.

Workaround

There is no known workaround at this time.

Resolution

All xdelta users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=dev-util/xdelta-3.0.10"

References

[ 1 ] CVE-2014-9765 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9765

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

https://security.gentoo.org/glsa/201701-40

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

For the oldstable distribution (wheezy), this problem has been fixed in version 3.0.0.dfsg-1+deb7u1.

For the stable distribution (jessie), this problem has been fixed in version 3.0.8-dfsg-1+deb8u1.

For the testing distribution (stretch), this problem has been fixed in version 3.0.8-dfsg-1.1.

For the unstable distribution (sid), this problem has been fixed in version 3.0.8-dfsg-1.1.

We recommend that you upgrade your xdelta3 packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1

iQIcBAEBCgAGBQJWxzifAAoJEAVMuPMTQ89E5BkP/R75kZvWctuo7+D+S+sqPkFc /n3w5o2FXUFIkp8GWj7WA+nECKEf95vNaBDukNdRv3c+WsDJ74wiAkKei9TGKwsa lt0lTvMOZDwyz6ZzKyCeJC64RhYduVwzYFYlzi96cv7whK67OgyTR1sdK6KS7rqs qHoVGs6f2mahy8LYTE57KszUz9im5ZRzC5Gzr0aYCi5q1Xwq1FJkZ3KoNUWrLWBm XB8e5GUTD0dJnjf2JmfB/cUhLuSnomHFBT3Dz8QuJRoTKCBIZv9aoly4tjVFIZpd cxAdt8E9gGe9jc86xk2c098LsI2ta9MfGUMaLhEIYqJF9NGnYAHCeatyj7yZnVIq 4NPdj7lXL1XmC/rtRWWYiI46wTfs1j60B95tEY3H9z9c83x67P3X1z5pEpv1Yq29 qjVvH3vkKA2YFjSo/DSs5Na3vJUE33o3aKPJ4fCmVAxJj8RQD8ktgd4JsomMu3i5 nUhuMl2VPU1JCyX9ckniqXo9Rtb5yDLvyA0lgxAk826fNboS4bFolcNC7Gx0BG3E hMXV2JSiS1SP559ct5nw8zMkggyX3vsYNScrahA3Y7SA7wnAbLTR9V2z/eFVRZfP NCxjVmrHDhx/r0K4bapLOsrLiICBld8dQVxzB+Qe7zRTjbh6Prc7UeCB+ahOjoar Zn0EbyC0roOV1QsHDIp5 =FAR5 -----END PGP SIGNATURE-----

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201604-0652",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "opensuse",
        "scope": "eq",
        "trust": 1.8,
        "vendor": "opensuse",
        "version": "13.1"
      },
      {
        "model": "opensuse",
        "scope": "eq",
        "trust": 1.8,
        "vendor": "opensuse",
        "version": "13.2"
      },
      {
        "model": "linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "debian",
        "version": "8.0"
      },
      {
        "model": "xdelta3",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "xdelta",
        "version": "3.0.8"
      },
      {
        "model": "linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "debian",
        "version": "7.0"
      },
      {
        "model": "ubuntu linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "canonical",
        "version": "15.10"
      },
      {
        "model": "ubuntu linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "canonical",
        "version": "14.04"
      },
      {
        "model": "ubuntu",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "canonical",
        "version": "14.04 lts"
      },
      {
        "model": "ubuntu",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "canonical",
        "version": "15.10"
      },
      {
        "model": "gnu/linux",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "debian",
        "version": "7.0"
      },
      {
        "model": "gnu/linux",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "debian",
        "version": "8.0"
      },
      {
        "model": "xdelta3",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "xdelta",
        "version": "3.0.9"
      },
      {
        "model": "xdelta3",
        "scope": "lt",
        "trust": 0.6,
        "vendor": "xdelta3",
        "version": "3.0.9"
      },
      {
        "model": "opensuse",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "novell",
        "version": "13.1"
      },
      {
        "model": "opensuse",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "novell",
        "version": "13.2"
      },
      {
        "model": "xdelta3",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "xdelta",
        "version": "3.0.8"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-02491"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-008162"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-9765"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-343"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:xdelta:xdelta3:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "3.0.8",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2014-9765"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Stepan Golosunov",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-343"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2014-9765",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": true,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Medium",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Partial",
            "baseScore": 6.8,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "CVE-2014-9765",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "id": "CNVD-2016-02491",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 2.8,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 8.8,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2014-9765",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "Required",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2014-9765",
            "trust": 1.8,
            "value": "HIGH"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2016-02491",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201602-343",
            "trust": 0.6,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-02491"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-008162"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-9765"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-343"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Buffer overflow in the main_get_appheader function in xdelta3-main.h in xdelta3 before 3.0.9 allows remote attackers to execute arbitrary code via a crafted input file. xdelta is a set of command line programs developed by software developer Joshua MacDonald for handling incremental encoding (not complete storage or transmission of data). xdelta3 is an enhanced version of xdelta. ============================================================================\nUbuntu Security Notice USN-2901-1\nFebruary 17, 2016\n\nxdelta3 vulnerability\n============================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 15.10\n- Ubuntu 14.04 LTS\n\nSummary:\n\nxdelta3 could be made to crash or run programs if it opened a specially\ncrafted file. \n\nSoftware Description:\n- xdelta3: Diff utility which works with binary files\n\nDetails:\n\nIt was discovered that xdelta3 incorrectly handled certain files. \n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 15.10:\n  xdelta3                         3.0.8-dfsg-1ubuntu0.15.10.2\n\nUbuntu 14.04 LTS:\n  xdelta3                         3.0.7-dfsg-2ubuntu0.2\n\nIn general, a standard system update will make all the necessary changes. \n\nReferences:\n  http://www.ubuntu.com/usn/usn-2901-1\n  CVE-2014-9765\n\nPackage Information:\n  https://launchpad.net/ubuntu/+source/xdelta3/3.0.8-dfsg-1ubuntu0.15.10.2\n  https://launchpad.net/ubuntu/+source/xdelta3/3.0.7-dfsg-2ubuntu0.2\n. \n\nBackground\n==========\n\nXdelta is a C library and command-line tool for delta compression using\nVCDIFF/RFC 3284 streams. \n\nImpact\n======\n\nA remote attacker could coerce the victim to run xdelta against a\nmalicious input file. This may be leveraged by an attacker to crash\nxdelta and gain control of program execution. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll xdelta users should upgrade to the latest version:\n\n  # emerge --sync\n  # emerge --ask --oneshot --verbose \"\u003e=dev-util/xdelta-3.0.10\"\n\nReferences\n==========\n\n[ 1 ] CVE-2014-9765\n      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9765\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/201701-40\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2017 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttp://creativecommons.org/licenses/by-sa/2.5\n\n\n. \n\nFor the oldstable distribution (wheezy), this problem has been fixed\nin version 3.0.0.dfsg-1+deb7u1. \n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 3.0.8-dfsg-1+deb8u1. \n\nFor the testing distribution (stretch), this problem has been fixed\nin version 3.0.8-dfsg-1.1. \n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 3.0.8-dfsg-1.1. \n\nWe recommend that you upgrade your xdelta3 packages. \n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIcBAEBCgAGBQJWxzifAAoJEAVMuPMTQ89E5BkP/R75kZvWctuo7+D+S+sqPkFc\n/n3w5o2FXUFIkp8GWj7WA+nECKEf95vNaBDukNdRv3c+WsDJ74wiAkKei9TGKwsa\nlt0lTvMOZDwyz6ZzKyCeJC64RhYduVwzYFYlzi96cv7whK67OgyTR1sdK6KS7rqs\nqHoVGs6f2mahy8LYTE57KszUz9im5ZRzC5Gzr0aYCi5q1Xwq1FJkZ3KoNUWrLWBm\nXB8e5GUTD0dJnjf2JmfB/cUhLuSnomHFBT3Dz8QuJRoTKCBIZv9aoly4tjVFIZpd\ncxAdt8E9gGe9jc86xk2c098LsI2ta9MfGUMaLhEIYqJF9NGnYAHCeatyj7yZnVIq\n4NPdj7lXL1XmC/rtRWWYiI46wTfs1j60B95tEY3H9z9c83x67P3X1z5pEpv1Yq29\nqjVvH3vkKA2YFjSo/DSs5Na3vJUE33o3aKPJ4fCmVAxJj8RQD8ktgd4JsomMu3i5\nnUhuMl2VPU1JCyX9ckniqXo9Rtb5yDLvyA0lgxAk826fNboS4bFolcNC7Gx0BG3E\nhMXV2JSiS1SP559ct5nw8zMkggyX3vsYNScrahA3Y7SA7wnAbLTR9V2z/eFVRZfP\nNCxjVmrHDhx/r0K4bapLOsrLiICBld8dQVxzB+Qe7zRTjbh6Prc7UeCB+ahOjoar\nZn0EbyC0roOV1QsHDIp5\n=FAR5\n-----END PGP SIGNATURE-----\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2014-9765"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-008162"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-02491"
      },
      {
        "db": "PACKETSTORM",
        "id": "135812"
      },
      {
        "db": "PACKETSTORM",
        "id": "140543"
      },
      {
        "db": "PACKETSTORM",
        "id": "135855"
      }
    ],
    "trust": 2.43
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2014-9765",
        "trust": 3.3
      },
      {
        "db": "OPENWALL",
        "id": "OSS-SECURITY/2016/02/08/1",
        "trust": 2.2
      },
      {
        "db": "BID",
        "id": "83109",
        "trust": 1.6
      },
      {
        "db": "OPENWALL",
        "id": "OSS-SECURITY/2016/02/08/2",
        "trust": 1.6
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-008162",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-02491",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-343",
        "trust": 0.6
      },
      {
        "db": "PACKETSTORM",
        "id": "135812",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "140543",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "135855",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-02491"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-008162"
      },
      {
        "db": "PACKETSTORM",
        "id": "135812"
      },
      {
        "db": "PACKETSTORM",
        "id": "140543"
      },
      {
        "db": "PACKETSTORM",
        "id": "135855"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-9765"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-343"
      }
    ]
  },
  "id": "VAR-201604-0652",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-02491"
      }
    ],
    "trust": 1.225
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-02491"
      }
    ]
  },
  "last_update_date": "2023-12-18T14:05:57.568000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "DSA-3484",
        "trust": 0.8,
        "url": "https://www.debian.org/security/2016/dsa-3484"
      },
      {
        "title": "Add appheader tests; fix buffer overflow in main_get_appheader",
        "trust": 0.8,
        "url": "https://github.com/jmacd/xdelta-gpl/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2"
      },
      {
        "title": "openSUSE-SU-2016:0530",
        "trust": 0.8,
        "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00131.html"
      },
      {
        "title": "openSUSE-SU-2016:0524",
        "trust": 0.8,
        "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00125.html"
      },
      {
        "title": "USN-2901-1",
        "trust": 0.8,
        "url": "http://www.ubuntu.com/usn/usn-2901-1/"
      },
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "http://xdelta.org/"
      },
      {
        "title": "Patch for xdelta3 buffer overflow vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/74608"
      },
      {
        "title": "xdelta3 Fixes for local buffer overflow vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=60264"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-02491"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-008162"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-343"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-119",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-008162"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-9765"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.2,
        "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00125.html"
      },
      {
        "trust": 2.2,
        "url": "http://www.debian.org/security/2016/dsa-3484"
      },
      {
        "trust": 2.2,
        "url": "http://www.openwall.com/lists/oss-security/2016/02/08/1"
      },
      {
        "trust": 1.7,
        "url": "http://www.ubuntu.com/usn/usn-2901-1"
      },
      {
        "trust": 1.6,
        "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00131.html"
      },
      {
        "trust": 1.6,
        "url": "http://www.openwall.com/lists/oss-security/2016/02/08/2"
      },
      {
        "trust": 1.6,
        "url": "http://www.securityfocus.com/bid/83109"
      },
      {
        "trust": 1.6,
        "url": "https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2"
      },
      {
        "trust": 1.1,
        "url": "https://security.gentoo.org/glsa/201701-40"
      },
      {
        "trust": 0.9,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-9765"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-9765"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2014-9765"
      },
      {
        "trust": 0.1,
        "url": "https://launchpad.net/ubuntu/+source/xdelta3/3.0.8-dfsg-1ubuntu0.15.10.2"
      },
      {
        "trust": 0.1,
        "url": "https://launchpad.net/ubuntu/+source/xdelta3/3.0.7-dfsg-2ubuntu0.2"
      },
      {
        "trust": 0.1,
        "url": "http://creativecommons.org/licenses/by-sa/2.5"
      },
      {
        "trust": 0.1,
        "url": "https://security.gentoo.org/"
      },
      {
        "trust": 0.1,
        "url": "https://bugs.gentoo.org."
      },
      {
        "trust": 0.1,
        "url": "https://www.debian.org/security/"
      },
      {
        "trust": 0.1,
        "url": "https://www.debian.org/security/faq"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-02491"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-008162"
      },
      {
        "db": "PACKETSTORM",
        "id": "135812"
      },
      {
        "db": "PACKETSTORM",
        "id": "140543"
      },
      {
        "db": "PACKETSTORM",
        "id": "135855"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-9765"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-343"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-02491"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-008162"
      },
      {
        "db": "PACKETSTORM",
        "id": "135812"
      },
      {
        "db": "PACKETSTORM",
        "id": "140543"
      },
      {
        "db": "PACKETSTORM",
        "id": "135855"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-9765"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-343"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2016-04-25T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2016-02491"
      },
      {
        "date": "2016-04-27T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2014-008162"
      },
      {
        "date": "2016-02-17T23:53:53",
        "db": "PACKETSTORM",
        "id": "135812"
      },
      {
        "date": "2017-01-17T15:34:36",
        "db": "PACKETSTORM",
        "id": "140543"
      },
      {
        "date": "2016-02-19T22:55:00",
        "db": "PACKETSTORM",
        "id": "135855"
      },
      {
        "date": "2016-04-19T21:59:01.100000",
        "db": "NVD",
        "id": "CVE-2014-9765"
      },
      {
        "date": "2016-02-18T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201602-343"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2016-04-25T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2016-02491"
      },
      {
        "date": "2016-04-27T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2014-008162"
      },
      {
        "date": "2018-10-30T16:27:35.843000",
        "db": "NVD",
        "id": "CVE-2014-9765"
      },
      {
        "date": "2016-04-20T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201602-343"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "135812"
      },
      {
        "db": "PACKETSTORM",
        "id": "140543"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-343"
      }
    ],
    "trust": 0.8
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "xdelta3 buffer overflow vulnerability",
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-02491"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-343"
      }
    ],
    "trust": 1.2
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "buffer overflow",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-343"
      }
    ],
    "trust": 0.6
  }
}

GSD-2014-9765

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Buffer overflow in the main_get_appheader function in xdelta3-main.h in xdelta3 before 3.0.9 allows remote attackers to execute arbitrary code via a crafted input file.

Aliases

CVE-2014-9765

Aliases

CVE-2014-9765

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2014-9765",
    "description": "Buffer overflow in the main_get_appheader function in xdelta3-main.h in xdelta3 before 3.0.9 allows remote attackers to execute arbitrary code via a crafted input file.",
    "id": "GSD-2014-9765",
    "references": [
      "https://www.suse.com/security/cve/CVE-2014-9765.html",
      "https://www.debian.org/security/2016/dsa-3484",
      "https://ubuntu.com/security/CVE-2014-9765",
      "https://advisories.mageia.org/CVE-2014-9765.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2014-9765"
      ],
      "details": "Buffer overflow in the main_get_appheader function in xdelta3-main.h in xdelta3 before 3.0.9 allows remote attackers to execute arbitrary code via a crafted input file.",
      "id": "GSD-2014-9765",
      "modified": "2023-12-13T01:22:48.741446Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@debian.org",
        "ID": "CVE-2014-9765",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Buffer overflow in the main_get_appheader function in xdelta3-main.h in xdelta3 before 3.0.9 allows remote attackers to execute arbitrary code via a crafted input file."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "[oss-security] 20160208 Re: CVE request - buffer overflow in xdelta3 before 3.0.9",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2016/02/08/2"
          },
          {
            "name": "https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2",
            "refsource": "CONFIRM",
            "url": "https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2"
          },
          {
            "name": "USN-2901-1",
            "refsource": "UBUNTU",
            "url": "http://www.ubuntu.com/usn/USN-2901-1"
          },
          {
            "name": "DSA-3484",
            "refsource": "DEBIAN",
            "url": "http://www.debian.org/security/2016/dsa-3484"
          },
          {
            "name": "openSUSE-SU-2016:0524",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00125.html"
          },
          {
            "name": "GLSA-201701-40",
            "refsource": "GENTOO",
            "url": "https://security.gentoo.org/glsa/201701-40"
          },
          {
            "name": "83109",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/83109"
          },
          {
            "name": "openSUSE-SU-2016:0530",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00131.html"
          },
          {
            "name": "[oss-security] 20160208 CVE request - buffer overflow in xdelta3 before 3.0.9",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2016/02/08/1"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:xdelta:xdelta3:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "3.0.8",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@debian.org",
          "ID": "CVE-2014-9765"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Buffer overflow in the main_get_appheader function in xdelta3-main.h in xdelta3 before 3.0.9 allows remote attackers to execute arbitrary code via a crafted input file."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-119"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[oss-security] 20160208 CVE request - buffer overflow in xdelta3 before 3.0.9",
              "refsource": "MLIST",
              "tags": [],
              "url": "http://www.openwall.com/lists/oss-security/2016/02/08/1"
            },
            {
              "name": "[oss-security] 20160208 Re: CVE request - buffer overflow in xdelta3 before 3.0.9",
              "refsource": "MLIST",
              "tags": [],
              "url": "http://www.openwall.com/lists/oss-security/2016/02/08/2"
            },
            {
              "name": "USN-2901-1",
              "refsource": "UBUNTU",
              "tags": [],
              "url": "http://www.ubuntu.com/usn/USN-2901-1"
            },
            {
              "name": "openSUSE-SU-2016:0524",
              "refsource": "SUSE",
              "tags": [],
              "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00125.html"
            },
            {
              "name": "DSA-3484",
              "refsource": "DEBIAN",
              "tags": [],
              "url": "http://www.debian.org/security/2016/dsa-3484"
            },
            {
              "name": "openSUSE-SU-2016:0530",
              "refsource": "SUSE",
              "tags": [],
              "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00131.html"
            },
            {
              "name": "https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2"
            },
            {
              "name": "83109",
              "refsource": "BID",
              "tags": [],
              "url": "http://www.securityfocus.com/bid/83109"
            },
            {
              "name": "GLSA-201701-40",
              "refsource": "GENTOO",
              "tags": [],
              "url": "https://security.gentoo.org/glsa/201701-40"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2018-10-30T16:27Z",
      "publishedDate": "2016-04-19T21:59Z"
    }
  }
}

GHSA-G659-9PJQ-JF3X

Vulnerability from github – Published: 2022-05-14 02:06 – Updated: 2022-05-14 02:06

Details

Buffer overflow in the main_get_appheader function in xdelta3-main.h in xdelta3 before 3.0.9 allows remote attackers to execute arbitrary code via a crafted input file.

Severity ?

8.8 (High)


                  
                    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2014-9765"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-119"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-04-19T21:59:00Z",
    "severity": "HIGH"
  },
  "details": "Buffer overflow in the main_get_appheader function in xdelta3-main.h in xdelta3 before 3.0.9 allows remote attackers to execute arbitrary code via a crafted input file.",
  "id": "GHSA-g659-9pjq-jf3x",
  "modified": "2022-05-14T02:06:21Z",
  "published": "2022-05-14T02:06:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9765"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201701-40"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00125.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00131.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2016/dsa-3484"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/02/08/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/02/08/2"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/83109"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2901-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CNVD-2016-02491

Vulnerability from cnvd - Published: 2016-04-25

Title

xdelta3缓冲区溢出漏洞

Description

xdelta是软件开发者Joshua MacDonald开发的一套用于处理增量编码（非完整存储或传输数据）的命令行程序。xdelta3是xdelta的一个增强版。 xdelta3 3.0.9之前的版本存在缓冲区溢出漏洞，允许远程攻击者通过精心编制的输入文件执行任意代码。

Severity

中

Patch Name

xdelta3缓冲区溢出漏洞的补丁

Patch Description

xdelta是软件开发者Joshua MacDonald开发的一套用于处理增量编码（非完整存储或传输数据）的命令行程序。xdelta3是xdelta的一个增强版。 xdelta3 3.0.9之前的版本存在缓冲区溢出漏洞，允许远程攻击者通过精心编制的输入文件执行任意代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已经发布了升级补丁以修复此安全问题，详情请关注厂商主页： http://xdelta.org/

Reference

http://www.debian.org/security/2016/dsa-3484 http://lists.opensuse.org/opensuse-updates/2016-02/msg00125.html http://www.openwall.com/lists/oss-security/2016/02/08/1

Impacted products

Name
xdelta3 xdelta3 <3.0.9

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2014-9765"
    }
  },
  "description": "xdelta\u662f\u8f6f\u4ef6\u5f00\u53d1\u8005Joshua MacDonald\u5f00\u53d1\u7684\u4e00\u5957\u7528\u4e8e\u5904\u7406\u589e\u91cf\u7f16\u7801\uff08\u975e\u5b8c\u6574\u5b58\u50a8\u6216\u4f20\u8f93\u6570\u636e\uff09\u7684\u547d\u4ee4\u884c\u7a0b\u5e8f\u3002xdelta3\u662fxdelta\u7684\u4e00\u4e2a\u589e\u5f3a\u7248\u3002\r\n\r\nxdelta3 3.0.9\u4e4b\u524d\u7684\u7248\u672c\u5b58\u5728\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u901a\u8fc7\u7cbe\u5fc3\u7f16\u5236\u7684\u8f93\u5165\u6587\u4ef6\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002",
  "discovererName": "Stepan Golosunov",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a \r\nhttp://xdelta.org/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-02491",
  "openTime": "2016-04-25",
  "patchDescription": "xdelta\u662f\u8f6f\u4ef6\u5f00\u53d1\u8005Joshua MacDonald\u5f00\u53d1\u7684\u4e00\u5957\u7528\u4e8e\u5904\u7406\u589e\u91cf\u7f16\u7801\uff08\u975e\u5b8c\u6574\u5b58\u50a8\u6216\u4f20\u8f93\u6570\u636e\uff09\u7684\u547d\u4ee4\u884c\u7a0b\u5e8f\u3002xdelta3\u662fxdelta\u7684\u4e00\u4e2a\u589e\u5f3a\u7248\u3002\r\n\r\nxdelta3 3.0.9\u4e4b\u524d\u7684\u7248\u672c\u5b58\u5728\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u901a\u8fc7\u7cbe\u5fc3\u7f16\u5236\u7684\u8f93\u5165\u6587\u4ef6\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "xdelta3\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "xdelta3 xdelta3 \u003c3.0.9"
  },
  "referenceLink": "http://www.debian.org/security/2016/dsa-3484 \r\nhttp://lists.opensuse.org/opensuse-updates/2016-02/msg00125.html \r\nhttp://www.openwall.com/lists/oss-security/2016/02/08/1",
  "serverity": "\u4e2d",
  "submitTime": "2016-04-21",
  "title": "xdelta3\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2014-9765 (GCVE-0-2014-9765)

FKIE_CVE-2014-9765

VAR-201604-0652

xdelta3 vulnerability

Background

Impact

Workaround

Resolution

References

Availability

Concerns?

License

GSD-2014-9765

GHSA-G659-9PJQ-JF3X

CNVD-2016-02491

Tags

Sightings

Nomenclature