Debian Security Advisory

DSA-4208-1 procps -- security update

Date Reported:
22 May 2018
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 899170.
In Mitre's CVE dictionary: CVE-2018-1122, CVE-2018-1123, CVE-2018-1124, CVE-2018-1125, CVE-2018-1126.
More information:

The Qualys Research Labs discovered multiple vulnerabilities in procps, a set of command line and full screen utilities for browsing procfs. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2018-1122

    top read its configuration from the current working directory if no $HOME was configured. If top were started from a directory writable by the attacker (such as /tmp) this could result in local privilege escalation.

  • CVE-2018-1123

    Denial of service against the ps invocation of another user.

  • CVE-2018-1124

    An integer overflow in the file2strvec() function of libprocps could result in local privilege escalation.

  • CVE-2018-1125

    A stack-based buffer overflow in pgrep could result in denial of service for a user using pgrep for inspecting a specially crafted process.

  • CVE-2018-1126

    Incorrect integer size parameters used in wrappers for standard C allocators could cause integer truncation and lead to integer overflow issues.

For the oldstable distribution (jessie), these problems have been fixed in version 2:3.3.9-9+deb8u1.

For the stable distribution (stretch), these problems have been fixed in version 2:3.3.12-3+deb9u1.

We recommend that you upgrade your procps packages.

For the detailed security status of procps please refer to its security tracker page at: