CVE-2014-4039

Description

ppc64-diag 2.6.1 uses 0775 permissions for /tmp/diagSEsnap and does not properly restrict permissions for /tmp/diagSEsnap/snapH.tar.gz, which allows local users to obtain sensitive information by reading files in this archive, as demonstrated by /var/log/messages and /etc/yaboot.conf.

How to fix CVE-2014-4039

To remediate CVE-2014-4039, upgrade the affected package to a fixed version below.

• Debian/ppc64-diag—upgrade to 2.7.1-5 or later

Is CVE-2014-4039 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 2.7.1-5

References (1)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2014-4039