CVE-2016-5397

NameCVE-2016-5397
DescriptionThe Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affected Apache Thrift 0.9.3 and older, Fixed in Apache Thrift 0.10.0.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh (attack range: remote)
Debian Bugs894577

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
thrift-compiler (PTS)jessie0.9.1-2vulnerable
buster, sid, stretch0.9.1-2.1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
thriftunknownexperimental0.10.0-1unimportant
thrift-compilersource(unstable)(unfixed)unimportant894577

Notes

https://issues.apache.org/jira/browse/THRIFT-3893
https://github.com/apache/thrift/commit/2007783e874d524a46b818598a45078448ecc53e
Fixed in 0.10.0 upstream, and in experimental src:thrift/0.10.0-1 is present
src:thrift only present in experimental
Go bindings only enabled in 0.9.3-2 (not yet in unstable)
Only ever affected src:thrift in experimental, and fixed in src:thrift/0.10.0-1
so any future upload of thrift to unstable can mark this item as <not-affected>
(fixed before the initial upload to Debian unstable)

Search for package or bug name: Reporting problems