CVE-2014-0489

APT - Remote Code Execution via Crafted Package with Acquire::GzipIndexes Option

Title source: manual
STIX 2.1

Description

APT before 1.0.9, when the Acquire::GzipIndexes option is enabled, does not validate checksums, which allows remote attackers to execute arbitrary code via a crafted package.

References (4)

Core 4
Core References
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/61286
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/61275
Patch, Vendor Advisory vendor-advisory x_refsource_ubuntu
http://ubuntu.com/usn/usn-2348-1
Vendor Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2014/dsa-3025

Scores

EPSS 0.0361
EPSS Percentile 88.1%

Details

CWE
CWE-20
Status published
Products (3)
debian/advanced_package_tool 1.0.3
debian/advanced_package_tool 1.0.5
debian/advanced_package_tool 1.0.7
Published Nov 03, 2014
Tracked Since Feb 18, 2026