DEBIAN-CVE-2023-1521

Source
https://security-tracker.debian.org/tracker/CVE-2023-1521
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2023-1521.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2023-1521
Upstream
Published
2024-11-26T12:15:18Z
Modified
2025-09-30T05:16:03.477238Z
Summary
[none]
Details

On Linux, the sccache client can execute arbitrary code with the privileges of a local sccache server by preloading the code in a shared library passed to LD_PRELOAD. If the server is run as root (which is the default when installing the snap package https://snapcraft.io/sccache), this means a user running the sccache client can get root privileges.

References

Affected packages

Debian:12 / sccache

Package

Name
sccache
Purl
pkg:deb/debian/sccache?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

0.*

0.4.0~~pre6-1
0.4.0~~pre7-1
0.4.0~~pre8-1
0.4.0~~pre8-2
0.4.0~~pre8-3
0.4.0~~pre8-4
0.4.0~~pre8-5
0.4.0~~pre8-6
0.4.0~~pre8-7
0.4.0~~pre8-8
0.4.2-1
0.5.0-1
0.5.3-1
0.5.4-1
0.5.4-2
0.5.4-3
0.5.4-4
0.5.4-5
0.5.4-6
0.5.4-7
0.5.4-8
0.5.4-9
0.5.4-10
0.5.4-11
0.5.4-12
0.7.4-1
0.7.4-2
0.7.4-3
0.7.5-1
0.7.5-2
0.7.6-1
0.7.7-1
0.7.7-2
0.8.0-1
0.8.0-2
0.8.0-3
0.8.1-1
0.8.1-2
0.8.1-3
0.8.1-4
0.8.1-5
0.8.1-6
0.8.1-7
0.8.1-8
0.8.2-1
0.8.2-2
0.9.0-1
0.9.0-2
0.9.0-3
0.9.1-1
0.9.1-2
0.9.1-3
0.10.0-1
0.10.0-2
0.10.0-3
0.10.0-4
0.10.0-5
0.10.0-6
0.10.0-7
0.10.0-8
0.10.0-9

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / sccache

Package

Name
sccache
Purl
pkg:deb/debian/sccache?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.5.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / sccache

Package

Name
sccache
Purl
pkg:deb/debian/sccache?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.5.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}