[ASA-202103-22] dotnet-runtime-3.1: arbitrary code execution
Arch Linux Security Advisory ASA-202103-22 ========================================== Severity: High Date : 2021-03-25 CVE-ID : CVE-2021-26701 Package : dotnet-runtime-3.1 Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-1701 Summary ======= The package dotnet-runtime-3.1 before version 3.1.13.sdk113-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 3.1.13.sdk113-1. # pacman -Syu "dotnet-runtime-3.1>=3.1.13.sdk113-1" The problem has been fixed upstream in version 3.1.13.sdk113. Workaround ========== None. Description =========== A remote code execution vulnerability exists in .NET 5.0 before Runtime 5.0.4 and SDK 5.0.104 as well as .NET Core 3.1 before Runtime 3.1.13 and SDK 3.1.113 due to how text encoding is performed in the System.Text.Encodings.Web package, caused by a buffer overrun. Impact ====== An attacker can execute arbitrary code by abusing the text encoding. References ========== https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26701 https://github.com/dotnet/announcements/issues/178 https://security.archlinux.org/CVE-2021-26701
participants (1)
-
Morten Linderud