CVE-2023-1521

Name: CVE-2023-1521
Description: On Linux the sccache client can execute arbitrary code with the privileges of a local sccache server, by preloading the code in a shared library passed to LD_PRELOAD. If the server is run as root (which is the default when installing the snap package https://snapcraft.io/sccache ), this means a user running the sccache client can get root privileges.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release        Version          Status
sccache (PTS)     bookworm       0.4.0~~pre6-1    vulnerable
                  sid, trixie    0.9.1-1          fixed

The information below is based on the following data on fixed versions.

Package    Type      Release       Fixed Version    Urgency    Origin    Debian Bugs
sccache    source    (unstable)    0.5.3-1

Notes

[bookworm] - sccache <no-dsa> (Minor issue)
https://securitylab.github.com/advisories/GHSL-2023-046_ScCache/
https://github.com/advisories/GHSA-x7fr-pg8f-93f5
https://github.com/mozilla/sccache/pull/1663
https://github.com/mozilla/sccache/commit/098ab804ad6cfe6236a45ab695e9d500b61f1614 (v0.4.0-pre.11)
