CVE-2021-3939
published 2021-11-17

High 7.8 (CVSS 3.1)
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Ubuntu-specific modifications to accountsservice (in patch file debian/patches/0010-set-language.patch) caused the fallback_locale variable, pointing to static storage, to be freed, in the user_change_language_authorized_cb function. This is reachable via the SetLanguage dbus function. This is fixed in versions 0.6.55-0ubuntu12~20.04.5, 0.6.55-0ubuntu13.3, 0.6.55-0ubuntu14.1.

Affected

12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | accountsservice | >= 0 < 0.6.55-0ubuntu12~20.04.5 | 0.6.55-0ubuntu12~20.04.5 |
| canonical | accountsservice | >= 0 < 0.6.55-3ubuntu2 | 0.6.55-3ubuntu2 |
| canonical | accountsservice | >= 0.6.55-0ubuntu12~20.04 < 0.6.55-0ubuntu12~20.05 | 0.6.55-0ubuntu12~20.05 |
| canonical | accountsservice | >= 0.6.55-0ubuntu13 < 0.6.55-0ubuntu13.3 | 0.6.55-0ubuntu13.3 |
| canonical | accountsservice | >= 0.6.55-0ubuntu14 < 0.6.55-0ubuntu14.1 | 0.6.55-0ubuntu14.1 |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| debian | accountsservice | | |
| ubuntu | accountsservice | >= 0.6.55-0ubuntu12~20.04 < 0.6.55-0ubuntu12~20.04.5 | 0.6.55-0ubuntu12~20.04.5 |
| ubuntu | accountsservice | >= 0.6.55-0ubuntu13 < 0.6.55-0ubuntu13.3 | 0.6.55-0ubuntu13.3 |
| ubuntu | accountsservice | >= 0.6.55-0ubuntu14 < 0.6.55-0ubuntu14.1 | 0.6.55-0ubuntu14.1 |

CVSS provenance

nvd: v3.1, 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv: 7.8 HIGH