CVE-2014-9862
Publication date 22 July 2016
Last updated 25 August 2025
Ubuntu priority
Description
Integer signedness error in bspatch.c in bspatch in bsdiff, as used in Apple OS X before 10.11.6 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow) via a crafted patch file.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| bsdiff | 20.04 LTS focal |
Not affected
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Fixed 4.3-15+deb8u1build0.16.04.1
|
|
| 14.04 LTS trusty | Not in release | |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.8 · High
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-4500-1
- bsdiff vulnerabilities
- 15 September 2020
Other references
- http://lists.apple.com/archives/security-announce/2016/Jul/msg00000.html
- https://android.googlesource.com/platform/external/bsdiff/+/4d054795b673855e3a7556c6f2f7ab99ca509998
- https://bugs.chromium.org/p/chromium/issues/detail?id=372525
- https://chromium.googlesource.com/chromiumos/third_party/bsdiff/+/d0307d1711bd74e51b783a49f9160775aa22e659
- https://support.apple.com/HT206903
- https://www.cve.org/CVERecord?id=CVE-2014-9862