CVE-2017-10140

Name: CVE-2017-10140
Description: Postfix before 2.11.10, 3.0.x before 3.0.10, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 might allow local users to gain privileges by leveraging undocumented functionality in Berkeley DB 2.x and later, related to reading settings from DB_CONFIG in the current directory.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-1135-1, DLA-1136-1, DLA-1137-1
Debian Bugs: 872436

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release    Version             Status
db5.3 (PTS)      buster     5.3.28+dfsg1-0.5    fixed
db5.3 (PTS)      bullseye   5.3.28+dfsg1-0.8    fixed
db5.3 (PTS)      bookworm   5.3.28+dfsg2-1      fixed
db5.3 (PTS)      trixie     5.3.28+dfsg2-4      fixed
db5.3 (PTS)      sid        5.3.28+dfsg2-6      fixed

The information below is based on the following data on fixed versions.

Package   Type    Release     Fixed Version      Urgency   Origin       Debian Bugs
db        source  wheezy      5.1.29-5+deb7u1              DLA-1135-1
db        source  jessie      5.1.29-9+deb8u1
db        source  (unstable)  (unfixed)
db4.0     source  (unstable)  (unfixed)
db4.1     source  (unstable)  (unfixed)
db4.2     source  (unstable)  (unfixed)
db4.3     source  (unstable)  (unfixed)
db4.4     source  (unstable)  (unfixed)
db4.5     source  (unstable)  (unfixed)
db4.6     source  (unstable)  (unfixed)
db4.7     source  wheezy      4.7.25-21+deb7u1             DLA-1137-1
db4.7     source  (unstable)  (unfixed)
db4.8     source  wheezy      4.8.30-12+deb7u1             DLA-1136-1
db4.8     source  (unstable)  (unfixed)
db5.1     source  (unstable)  (unfixed)
db5.2     source  (unstable)  (unfixed)
db5.3     source  jessie      5.3.28-9+deb8u1
db5.3     source  stretch     5.3.28-12+deb9u1
db5.3     source  (unstable)  5.3.28-13.1                               872436

Notes

https://www.openwall.com/lists/oss-security/2017/08/12/1
Patch as used in Fedora: https://src.fedoraproject.org/rpms/libdb/raw/8047fa8580659fcae740c25e91b490539b8453eb/f/db-5.3.28-cwd-db_config.patch
The patch is acknowledged by libdb upstream, cf. https://bugzilla.redhat.com/show_bug.cgi?id=1464032#c9
