Integer overflow in whoopsie results in out-of-bounds heap write
CVE-2019-11476

6.5MEDIUM

Key Information:

Vendor: Ubuntu
Status: Whoopsie
Vendor: CVE Published:; 29 August 2019

What is CVE-2019-11476?

An integer overflow in whoopsie before versions 0.2.52.5ubuntu0.1, 0.2.62ubuntu0.1, 0.2.64ubuntu0.1, 0.2.66, results in an out-of-bounds write to a heap allocated buffer when processing large crash dumps. This results in a crash or possible code-execution in the context of the whoopsie process.

Affected Version(s)

Whoopsie before 0.2.52.5ubuntu0.1

Whoopsie before 0.2.62ubuntu0.1

Whoopsie before 0.2.64ubuntu0.1

References

https://usn.ubuntu.com/4052-1/

https://bugs.launchpad.net/ubuntu/%2Bsource/whoopsie/%2Bb...

http://packetstormsecurity.com/files/172858/Ubuntu-Apport...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 29, 2019
Vulnerability Reserved
Apr 23, 2019

Credit

Kevin Backhouse of Semmle Security Research Team