CVE-2017-10140

Name: CVE-2017-10140
Description: Postfix before 2.11.10, 3.0.x before 3.0.10, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 might allow local users to gain privileges by leveraging undocumented functionality in Berkeley DB 2.x and later, related to reading settings from DB_CONFIG in the current directory.
Source: CVE (at NVD)
References: DLA-1135-1, DLA-1136-1, DLA-1137-1
NVD severity: medium (attack range: local)
Debian Bugs: 872436

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release       Version            Status
db (PTS)         jessie        5.1.29-9+deb8u1    fixed
db5.3 (PTS)      jessie        5.3.28-9+deb8u1    fixed
db5.3 (PTS)      stretch       5.3.28-12+deb9u1   fixed
db5.3 (PTS)      buster, sid   5.3.28-13.1        fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version       Urgency   Origin       Debian Bugs
db        source   (unstable)   (unfixed)           medium
db        source   jessie       5.1.29-9+deb8u1     medium
db        source   wheezy       5.1.29-5+deb7u1     medium    DLA-1135-1
db4.0     source   (unstable)   (unfixed)           medium
db4.1     source   (unstable)   (unfixed)           medium
db4.2     source   (unstable)   (unfixed)           medium
db4.3     source   (unstable)   (unfixed)           medium
db4.4     source   (unstable)   (unfixed)           medium
db4.5     source   (unstable)   (unfixed)           medium
db4.6     source   (unstable)   (unfixed)           medium
db4.7     source   (unstable)   (unfixed)           medium
db4.7     source   wheezy       4.7.25-21+deb7u1    medium    DLA-1137-1
db4.8     source   (unstable)   (unfixed)           medium
db4.8     source   wheezy       4.8.30-12+deb7u1    medium    DLA-1136-1
db5.1     source   (unstable)   (unfixed)           medium
db5.2     source   (unstable)   (unfixed)           medium
db5.3     source   (unstable)   5.3.28-13.1         medium                 872436
db5.3     source   jessie       5.3.28-9+deb8u1     medium
db5.3     source   stretch      5.3.28-12+deb9u1    medium
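As an added check (this script is not part of the tracker page, the db packages or Postfix), the following Python compares an installed package version against the fixed versions in the table above using dpkg's own version-ordering rules, so that a `+deb9u1` point-release suffix, a `~bpo` backport tag or an epoch sorts the way `dpkg --compare-versions` would sort it. The release names and fixed version strings are copied from the table (the "buster, sid" and "(unstable)" rows are keyed as `buster` and `sid`); the version strings fed to it at the bottom are constructed sample input, and the `is_fixed` helper name is this example's own.

```python
"""Compare an installed Debian db package version against the fixed versions
listed for CVE-2017-10140, using dpkg's version comparison algorithm."""
from __future__ import annotations

# Fixed versions copied from the tracker table above, keyed by
# (source package, release). Releases with "(unfixed)" are deliberately absent.
FIXED_VERSIONS = {
    ("db", "wheezy"): "5.1.29-5+deb7u1",
    ("db", "jessie"): "5.1.29-9+deb8u1",
    ("db4.7", "wheezy"): "4.7.25-21+deb7u1",
    ("db4.8", "wheezy"): "4.8.30-12+deb7u1",
    ("db5.3", "jessie"): "5.3.28-9+deb8u1",
    ("db5.3", "stretch"): "5.3.28-12+deb9u1",
    ("db5.3", "buster"): "5.3.28-13.1",
    ("db5.3", "sid"): "5.3.28-13.1",
}


def _order(c: str) -> int:
    """Character weight as in dpkg: '~' sorts before everything, even the end
    of the string; digits count 0; letters sort by ASCII; anything else after."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare one version component (upstream part or Debian revision) the way
    dpkg's verrevcmp() does: alternate non-digit runs and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character; an exhausted side
        # counts as weight 0, so "1.2~rc1" < "1.2" and "1.2" < "1.2+deb9u1".
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: drop leading zeros, then the longer run wins; if both
        # runs have the same length the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str) -> tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def dpkg_compare(v1: str, v2: str) -> int:
    """Return <0, 0 or >0 if v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def is_fixed(source_package: str, release: str, installed_version: str) -> bool | None:
    """True if installed_version is at or above the fixed version for this
    (source package, release), False if older, None if the table lists no fix."""
    fixed = FIXED_VERSIONS.get((source_package, release))
    if fixed is None:
        return None
    return dpkg_compare(installed_version, fixed) >= 0


if __name__ == "__main__":
    # Constructed sample input: the values `dpkg-query -W -f='${source:Version}' libdb5.3`
    # would print on a stretch system before and after the point release.
    for ver in ("5.3.28-12", "5.3.28-12+deb9u1"):
        state = is_fixed("db5.3", "stretch", ver)
        print("db5.3 stretch", ver, "fixed" if state else "VULNERABLE")
```

Use the source version (`${source:Version}` in `dpkg-query`) rather than the binary version, because a binNMU suffix such as `+b1` on the binary package would otherwise sort above the fixed version without carrying the fix.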

Notes

http://www.openwall.com/lists/oss-security/2017/08/12/1
Patch as used in Fedora: https://src.fedoraproject.org/rpms/libdb/raw/8047fa8580659fcae740c25e91b490539b8453eb/f/db-5.3.28-cwd-db_config.patch
This patch is acknowledged by libdb upstream, cf. https://bugzilla.redhat.com/show_bug.cgi?id=1464032#c9
