Vulnerabilities > CVE-2005-2656 - Local Denial of Service vulnerability in Polygen 1.0.6

047910
CVSS 2.1 - LOW
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
local
low complexity
polygen
nessus

Summary

Polygen before 1.0.6 generates precompiled grammar objects with world-writable permissions, which allows local users to cause a denial of service (disk consumption) and possibly perform other unauthorized activities.

Vulnerable Configurations

Part Description Count
Application
Polygen
1

Nessus

NASL familyDebian Local Security Checks
NASL idDEBIAN_DSA-794.NASL
descriptionJustin Rye noticed that polygen generates precompiled grammar objects world-writable, which can be exploited by a local attacker to at least fill up the filesystem.
last seen2020-06-01
modified2020-06-02
plugin id19564
published2005-09-06
reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/19564
titleDebian DSA-794-1 : polygen - programming error
code
#%NASL_MIN_LEVEL 80502

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-794. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(19564);
  script_version("1.17");
  script_cvs_date("Date: 2019/08/02 13:32:18");

  script_cve_id("CVE-2005-2656");
  script_xref(name:"DSA", value:"794");

  script_name(english:"Debian DSA-794-1 : polygen - programming error");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Justin Rye noticed that polygen generates precompiled grammar objects
world-writable, which can be exploited by a local attacker to at least
fill up the filesystem."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=325468"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2005/dsa-794"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the polygen package.

The old stable distribution (woody) does not contain the polygen
package.

For the stable distribution (sarge) this problem has been fixed in
version 1.0.6-7sarge1."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:polygen");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/09/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/09/06");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/09/01");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"3.1", prefix:"polygen", reference:"1.0.6-7sarge1")) flag++;
if (deb_check(release:"3.1", prefix:"polygen-data", reference:"1.0.6-7sarge1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_note(port:0, extra:deb_report_get());
  else security_note(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");