CVE-2024-40897

Publication date 26 July 2024

Last updated 1 October 2024


Ubuntu priority

Cvss 3 Severity Score

6.7 · Medium

Score breakdown

Stack-based buffer overflow vulnerability exists in orcparse.c of ORC versions prior to 0.4.39. If a developer is tricked to process a specially crafted file with the affected ORC compiler, an arbitrary code may be executed on the developer's build environment. This may lead to compromise of developer machines or CI build environments.

Read the notes from the security team

Status

Package Ubuntu Release Status
orc 24.04 LTS noble
Fixed 1:0.4.38-1ubuntu0.1
22.04 LTS jammy
Fixed 1:0.4.32-2ubuntu0.1
20.04 LTS focal
Fixed 1:0.4.31-1ubuntu0.1
18.04 LTS bionic
16.04 LTS xenial

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro

Notes


rodrigo-zaiden

from the security advisory: This only affects developers and CI environments using orcc, not users of liborc.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
orc

Severity score breakdown

Parameter Value
Base score 6.7 · Medium
Attack vector Local
Attack complexity High
Privileges required Low
User interaction Required
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H