[manjaro-security] [ASA-202103-23] dotnet-sdk-3.1: arbitrary code execution
Morten Linderud via arch-security
arch-security at lists.archlinux.org
Fri Mar 26 21:13:26 CET 2021
Arch Linux Security Advisory ASA-202103-23
==========================================
Severity: High
Date : 2021-03-25
CVE-ID : CVE-2021-26701
Package : dotnet-sdk-3.1
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-1701
Summary
=======
The package dotnet-sdk-3.1 before version 3.1.13.sdk113-1 is vulnerable
to arbitrary code execution.
Resolution
==========
Upgrade to 3.1.13.sdk113-1.
# pacman -Syu "dotnet-sdk-3.1>=3.1.13.sdk113-1"
The problem has been fixed upstream in version 3.1.13.sdk113.
Workaround
==========
None.
Description
===========
A remote code execution vulnerability exists in .NET 5.0 before Runtime
5.0.4 and SDK 5.0.104 as well as .NET Core 3.1 before Runtime 3.1.13
and SDK 3.1.113 due to how text encoding is performed in the
System.Text.Encodings.Web package, caused by a buffer overrun.
Impact
======
An attacker can execute arbitrary code by abusing the text encoding.
References
==========
https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26701
https://github.com/dotnet/announcements/issues/178
https://security.archlinux.org/CVE-2021-26701
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20210326/c922f67b/attachment.sig>
More information about the manjaro-security
mailing list