CVE-2020-25031

NameCVE-2020-25031
Descriptioncheckinstall 1.6.2, when used to create a package that contains a symlink, may trigger the creation of a mode 0777 executable file.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
checkinstall (PTS)bullseye1.6.2+git20170426.d24a630-2vulnerable
bookworm1.6.2+git20170426.d24a630-3vulnerable
sid, trixie1.6.2+git20170426.d24a630-5vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
checkinstallsource(unstable)(unfixed)unimportant

Notes

https://bugs.launchpad.net/ubuntu/+source/checkinstall/+bug/1861281
Does not cross any reasonable trust boundary, the packages to be installed need to be
trusted to begin with, a rogue package can cause more harm than a 777 binary

Search for package or bug name: Reporting problems