CVE-2020-0256

NameCVE-2020-0256
DescriptionIn LoadPartitionTable of gpt.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege when inserting a malicious USB device, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-8.0Android ID: A-152874864
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2549-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gdisk (PTS)buster1.0.3-1.1vulnerable
bullseye1.0.6-1.1fixed
bookworm1.0.9-2.1fixed
sid, trixie1.0.10-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gdisksourcestretch1.0.1-1+deb9u1DLA-2549-1
gdisksource(unstable)1.0.6-1

Notes

[buster] - gdisk <no-dsa> (Minor issue)
https://sourceforge.net/p/gptfdisk/code/ci/81c8bbee46ad6ebacf72eae70ba5147f376205a4/
https://android.googlesource.com/platform/external/gptfdisk/+/7ffd0a26064cf25c0922f2bab511e4b4e8149083
Search for package or bug name: Reporting problems