Debian Linux Security Advisory 5437-1 - Gregor Kopf of Secfault Security GmbH discovered that HSQLDB, a Java SQL database engine, allowed the execution of spurious scripting commands in .script and .log files. Hsqldb supports a "SCRIPT" keyword which is normally used to record the commands input by the database admin to output such a script. In combination with LibreOffice, an attacker could craft an odb containing a "database/script" file which itself contained a SCRIPT command where the contents of the file could be written to a new file whose location was determined by the attacker.
7c544f31219784b743536b45da6065cc810499bfb45dbd1197cd11a809f8e80a-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian Security Advisory DSA-5437-1 security@debian.org
https://www.debian.org/security/ Markus Koschany
June 21, 2023 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : hsqldb
CVE ID : CVE-2023-1183
Gregor Kopf of Secfault Security GmbH discovered that HSQLDB, a Java SQL
database engine, allowed the execution of spurious scripting commands in
.script and .log files. Hsqldb supports a "SCRIPT" keyword which is normally
used to record the commands input by the database admin to output such a
script. In combination with LibreOffice, an attacker could craft an odb
containing a "database/script" file which itself contained a SCRIPT command
where the contents of the file could be written to a new file whose location
was determined by the attacker.
For the oldstable distribution (bullseye), this problem has been fixed
in version 2.5.1-1+deb11u2.
For the stable distribution (bookworm), this problem has been fixed in
version 2.7.1-1+deb12u1.
We recommend that you upgrade your hsqldb packages.
For the detailed security status of hsqldb please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/hsqldb
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmSTb1tfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeSyRw//XKFjC4nEe3cC0vYfO6RvImJOauQahx63tWCfT/cMcsP/U6+4D41BIbG4
Ge1HUeV73Vz8Vq0+9w+8x/+HrlkLF7i6j1t4BpXyFIBttmQPS247RWtbOlwRlI+A
HwgyEnFNd5M6AcXYpcVVeuG4P0070PyTPg2ZD3FNqWPl5VbeMDk15a17SB8PpduD
8HkTySKMpQ54IXOvzPQJG1R3IDugl8+tAiF4hwIdaL0mMMNtWbvd+R/SXt+T0XNB
xyvzjbojsUz+s60mHU/4Tp+efVvn0TUjU0mQhGzBWENPL1mNElj41a6qetwhyJZ6
dL/DXPn2Z7gmstFFg+yJQ62KfWXl/KwtSFmlqlgaF314i/qnWkJqPpdZShDK5pIT
cf4OMUWFId1ZoJ6/Wbq3zRqLDjCOSoxLHID3jG8UspjoVtN2XcbEbTtmy0h6YTeH
T1xe+OPvYe1SBo8pZkI1z8UFa1+gbUTgbraF1fi+Oz8oP8MVexhbvKoL2gGjcJOv
50G1oy9P6JcDeEhIdMJeNJlDFoD/dI3V6DHLrskEs1/pP5jcozbSYvGSvm5IomKA
5GXJm336S1szk01PmtqPbJ81yp1ZKrScSywLwK9p0vWxqeP8fqduDW3o/JhXRp2A
KO5blMufbOh/w5E9ZiJQhuybgG9eSj4SD6zRTgvbF8MQL6wsx/s=
=UcJ1
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed