UBUNTU-CVE-2020-15703

Source
https://ubuntu.com/security/CVE-2020-15703
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2020/UBUNTU-CVE-2020-15703.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2020-15703
Published
2020-09-24T00:00:00Z
Modified
2026-02-04T04:39:07.067217Z
Severity
  • 4.0 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • 3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • Ubuntu - medium
Summary
[none]
Details

There is no input validation on the Locale property in an apt transaction. An unprivileged user can supply a full path to a writable directory, which lets aptd read a file as root. Having a symlink in place results in an error message if the file exists, and no error otherwise. This way an unprivileged user can check for the existence of any files on the system as root.

Affected packages

Ubuntu:16.04:LTS / aptdaemon

Package

Name
aptdaemon
Purl
pkg:deb/ubuntu/aptdaemon@1.1.1+bzr982-0ubuntu14.4?arch=source&distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.1.1+bzr982-0ubuntu14.4

Affected versions

1.*
1.1.1+bzr982-0ubuntu14
1.1.1+bzr982-0ubuntu14.1
1.1.1+bzr982-0ubuntu14.2
1.1.1+bzr982-0ubuntu14.3

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.1.1+bzr982-0ubuntu14.4",
            "binary_name": "aptdaemon"
        },
        {
            "binary_version": "1.1.1+bzr982-0ubuntu14.4",
            "binary_name": "aptdaemon-data"
        },
        {
            "binary_version": "1.1.1+bzr982-0ubuntu14.4",
            "binary_name": "python-aptdaemon"
        },
        {
            "binary_version": "1.1.1+bzr982-0ubuntu14.4",
            "binary_name": "python-aptdaemon.gtk3widgets"
        },
        {
            "binary_version": "1.1.1+bzr982-0ubuntu14.4",
            "binary_name": "python3-aptdaemon"
        },
        {
            "binary_version": "1.1.1+bzr982-0ubuntu14.4",
            "binary_name": "python3-aptdaemon.gtk3widgets"
        },
        {
            "binary_version": "1.1.1+bzr982-0ubuntu14.4",
            "binary_name": "python3-aptdaemon.pkcompat"
        },
        {
            "binary_version": "1.1.1+bzr982-0ubuntu14.4",
            "binary_name": "python3-aptdaemon.test"
        }
    ],
    "availability": "No subscription required"
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2020/UBUNTU-CVE-2020-15703.json"

Ubuntu:18.04:LTS / aptdaemon

Package

Name
aptdaemon
Purl
pkg:deb/ubuntu/aptdaemon@1.1.1+bzr982-0ubuntu19.4?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.1.1+bzr982-0ubuntu19.4

Affected versions

1.*
1.1.1+bzr982-0ubuntu17
1.1.1+bzr982-0ubuntu19
1.1.1+bzr982-0ubuntu19.1
1.1.1+bzr982-0ubuntu19.2
1.1.1+bzr982-0ubuntu19.3

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.1.1+bzr982-0ubuntu19.4",
            "binary_name": "aptdaemon"
        },
        {
            "binary_version": "1.1.1+bzr982-0ubuntu19.4",
            "binary_name": "aptdaemon-data"
        },
        {
            "binary_version": "1.1.1+bzr982-0ubuntu19.4",
            "binary_name": "python-aptdaemon"
        },
        {
            "binary_version": "1.1.1+bzr982-0ubuntu19.4",
            "binary_name": "python-aptdaemon.gtk3widgets"
        },
        {
            "binary_version": "1.1.1+bzr982-0ubuntu19.4",
            "binary_name": "python3-aptdaemon"
        },
        {
            "binary_version": "1.1.1+bzr982-0ubuntu19.4",
            "binary_name": "python3-aptdaemon.gtk3widgets"
        },
        {
            "binary_version": "1.1.1+bzr982-0ubuntu19.4",
            "binary_name": "python3-aptdaemon.test"
        }
    ],
    "availability": "No subscription required"
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2020/UBUNTU-CVE-2020-15703.json"

Ubuntu:20.04:LTS / aptdaemon

Package

Name
aptdaemon
Purl
pkg:deb/ubuntu/aptdaemon@1.1.1+bzr982-0ubuntu32.2?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.1.1+bzr982-0ubuntu32.2

Affected versions

1.*
1.1.1+bzr982-0ubuntu28
1.1.1+bzr982-0ubuntu30
1.1.1+bzr982-0ubuntu31
1.1.1+bzr982-0ubuntu32
1.1.1+bzr982-0ubuntu32.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.1.1+bzr982-0ubuntu32.2",
            "binary_name": "aptdaemon"
        },
        {
            "binary_version": "1.1.1+bzr982-0ubuntu32.2",
            "binary_name": "aptdaemon-data"
        },
        {
            "binary_version": "1.1.1+bzr982-0ubuntu32.2",
            "binary_name": "python3-aptdaemon"
        },
        {
            "binary_version": "1.1.1+bzr982-0ubuntu32.2",
            "binary_name": "python3-aptdaemon.gtk3widgets"
        },
        {
            "binary_version": "1.1.1+bzr982-0ubuntu32.2",
            "binary_name": "python3-aptdaemon.test"
        }
    ],
    "availability": "No subscription required"
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2020/UBUNTU-CVE-2020-15703.json"