
@jchauncey
Created May 12, 2020 16:46

Revisions

  1. Jonathan Chauncey created this gist May 12, 2020.
    529 changes: 529 additions & 0 deletions debian-base-1.0.0
    @@ -0,0 +1,529 @@
    2020-05-12T12:46:16.544-0400 INFO Detecting Debian vulnerabilities...

    k8s.gcr.io/debian-base:v1.0.0 (debian 9.8)
    ==========================================
    Total: 129 (UNKNOWN: 0, LOW: 86, MEDIUM: 27, HIGH: 16, CRITICAL: 0)

    +-------------------+---------------------+----------+-----------------------+-----------------+---------------------------------------------+
    | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
    +-------------------+---------------------+----------+-----------------------+-----------------+---------------------------------------------+
    | apt | CVE-2011-3374 | LOW | 1.4.9 | | It was found that apt-key |
    | | | | | | in apt, all versions, do not |
    | | | | | | correctly... |
    +-------------------+---------------------+ +-----------------------+-----------------+---------------------------------------------+
    | coreutils | CVE-2016-2781 | | 8.26-3 | | coreutils: Non-privileged |
    | | | | | | session can escape to the |
    | | | | | | parent session in chroot |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2017-18018 | | | | coreutils: race condition |
    | | | | | | vulnerability in chown and |
    | | | | | | chgrp |
    +-------------------+---------------------+----------+-----------------------+-----------------+---------------------------------------------+
    | gcc-6-base | CVE-2018-12886 | MEDIUM | 6.3.0-18+deb9u1 | | gcc: spilling of stack |
    | | | | | | protection address in |
    | | | | | | cfgexpand.c and function.c |
    | | | | | | leads to... |
    +-------------------+---------------------+ +-----------------------+-----------------+---------------------------------------------+
    | gpgv | CVE-2018-1000858 | | 2.1.18-8~deb9u4 | | gnupg2: Cross site |
    | | | | | | request forgery in dirmngr |
    | | | | | | resulting in an information |
    | | | | | | disclosure... |
    + +---------------------+----------+ +-----------------+---------------------------------------------+
    | | CVE-2018-9234 | LOW | | | GnuPG: Unenforced |
    | | | | | | configuration allows |
    | | | | | | for apparently valid |
    | | | | | | certifications actually signed |
    | | | | | | by signing... |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-14855 | | | | gnupg2: OpenPGP Key |
    | | | | | | Certification Forgeries with |
    | | | | | | SHA-1 |
    +-------------------+---------------------+ +-----------------------+-----------------+---------------------------------------------+
    | libapt-pkg5.0 | CVE-2011-3374 | | 1.4.9 | | It was found that apt-key |
    | | | | | | in apt, all versions, do not |
    | | | | | | correctly... |
    +-------------------+---------------------+----------+-----------------------+-----------------+---------------------------------------------+
    | libbz2-1.0 | CVE-2019-12900 | HIGH | 1.0.6-8.1 | | bzip2: out-of-bounds write in |
    | | | | | | function BZ2_decompress |
    +-------------------+---------------------+ +-----------------------+-----------------+---------------------------------------------+
    | libc-bin | CVE-2018-1000001 | | 2.24-11+deb9u4 | | glibc: realpath() buffer |
    | | | | | | underflow when getcwd() |
    | | | | | | returns relative path allows |
    | | | | | | privilege escalation... |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2018-6485 | | | | glibc: Integer overflow in |
    | | | | | | posix_memalign in memalign |
    | | | | | | functions |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2018-6551 | | | | glibc: integer overflow in |
    | | | | | | malloc functions |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-9169 | | | | glibc: regular-expression |
    | | | | | | match via proceed_next_node |
    | | | | | | in posix/regexec.c leads to |
    | | | | | | heap-based buffer over-read... |
    + +---------------------+----------+ +-----------------+---------------------------------------------+
    | | CVE-2009-5155 | MEDIUM | | | glibc: parse_reg_exp in |
    | | | | | | posix/regcomp.c misparses |
    | | | | | | alternatives leading to denial |
    | | | | | | of service or... |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2016-10739 | | | | glibc: getaddrinfo should |
    | | | | | | reject IP addresses with |
    | | | | | | trailing characters |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2017-12132 | | | | glibc: Fragmentation attacks |
    | | | | | | possible when EDNS0 is enabled |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2020-1751 | | | | glibc: array overflow in |
    | | | | | | backtrace functions for |
    | | | | | | powerpc |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2020-1752 | | | | glibc: use-after-free in |
    | | | | | | glob() function when expanding |
    | | | | | | ~user |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2020-6096 | | | | glibc: signed comparison |
    | | | | | | vulnerability in the ARMv7 |
    | | | | | | memcpy function |
    + +---------------------+----------+ +-----------------+---------------------------------------------+
    | | CVE-2010-4051 | LOW | | | CVE-2010-4052 glibc: |
    | | | | | | De-recursivise regular |
    | | | | | | expression engine |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2010-4052 | | | | CVE-2010-4051 CVE-2010-4052 |
    | | | | | | glibc: De-recursivise regular |
    | | | | | | expression engine |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2010-4756 | | | | glibc: glob implementation can |
    | | | | | | cause excessive CPU and memory |
    | | | | | | consumption due to... |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2015-8985 | | | | glibc: potential denial of |
    | | | | | | service in pop_fail_stack() |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2016-10228 | | | | glibc: iconv program can |
    | | | | | | hang when invoked with the -c |
    | | | | | | option |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2018-20796 | | | | glibc: uncontrolled |
    | | | | | | recursion in function |
    | | | | | | check_dst_limits_calc_pos_1 in |
    | | | | | | posix/regexec.c |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-1010022 | | | | glibc: stack guard protection |
    | | | | | | bypass |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-1010023 | | | | glibc: running ldd on |
    | | | | | | malicious ELF leads to code |
    | | | | | | execution because of... |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-1010024 | | | | glibc: ASLR bypass using cache |
    | | | | | | of thread stack and heap |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-1010025 | | | | glibc: information disclosure |
    | | | | | | of heap addresses of |
    | | | | | | pthread_created thread |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-19126 | | | | glibc: |
    | | | | | | LD_PREFER_MAP_32BIT_EXEC not |
    | | | | | | ignored in setuid binaries |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-6488 | | | | glibc: Incorrect attempt to |
    | | | | | | use a 64-bit register for |
    | | | | | | size_t in assembly... |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-7309 | | | | glibc: memcmp function |
    | | | | | | incorrectly returns zero |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-9192 | | | | glibc: uncontrolled |
    | | | | | | recursion in function |
    | | | | | | check_dst_limits_calc_pos_1 in |
    | | | | | | posix/regexec.c |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2020-10029 | | | | glibc: stack corruption from |
    | | | | | | crafted input in cosl, sinl, |
    | | | | | | sincosl, and tanl... |
    +-------------------+---------------------+----------+ +-----------------+---------------------------------------------+
    | libc6 | CVE-2018-1000001 | HIGH | | | glibc: realpath() buffer |
    | | | | | | underflow when getcwd() |
    | | | | | | returns relative path allows |
    | | | | | | privilege escalation... |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2018-6485 | | | | glibc: Integer overflow in |
    | | | | | | posix_memalign in memalign |
    | | | | | | functions |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2018-6551 | | | | glibc: integer overflow in |
    | | | | | | malloc functions |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-9169 | | | | glibc: regular-expression |
    | | | | | | match via proceed_next_node |
    | | | | | | in posix/regexec.c leads to |
    | | | | | | heap-based buffer over-read... |
    + +---------------------+----------+ +-----------------+---------------------------------------------+
    | | CVE-2009-5155 | MEDIUM | | | glibc: parse_reg_exp in |
    | | | | | | posix/regcomp.c misparses |
    | | | | | | alternatives leading to denial |
    | | | | | | of service or... |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2016-10739 | | | | glibc: getaddrinfo should |
    | | | | | | reject IP addresses with |
    | | | | | | trailing characters |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2017-12132 | | | | glibc: Fragmentation attacks |
    | | | | | | possible when EDNS0 is enabled |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2020-1751 | | | | glibc: array overflow in |
    | | | | | | backtrace functions for |
    | | | | | | powerpc |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2020-1752 | | | | glibc: use-after-free in |
    | | | | | | glob() function when expanding |
    | | | | | | ~user |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2020-6096 | | | | glibc: signed comparison |
    | | | | | | vulnerability in the ARMv7 |
    | | | | | | memcpy function |
    + +---------------------+----------+ +-----------------+---------------------------------------------+
    | | CVE-2010-4051 | LOW | | | CVE-2010-4052 glibc: |
    | | | | | | De-recursivise regular |
    | | | | | | expression engine |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2010-4052 | | | | CVE-2010-4051 CVE-2010-4052 |
    | | | | | | glibc: De-recursivise regular |
    | | | | | | expression engine |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2010-4756 | | | | glibc: glob implementation can |
    | | | | | | cause excessive CPU and memory |
    | | | | | | consumption due to... |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2015-8985 | | | | glibc: potential denial of |
    | | | | | | service in pop_fail_stack() |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2016-10228 | | | | glibc: iconv program can |
    | | | | | | hang when invoked with the -c |
    | | | | | | option |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2018-20796 | | | | glibc: uncontrolled |
    | | | | | | recursion in function |
    | | | | | | check_dst_limits_calc_pos_1 in |
    | | | | | | posix/regexec.c |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-1010022 | | | | glibc: stack guard protection |
    | | | | | | bypass |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-1010023 | | | | glibc: running ldd on |
    | | | | | | malicious ELF leads to code |
    | | | | | | execution because of... |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-1010024 | | | | glibc: ASLR bypass using cache |
    | | | | | | of thread stack and heap |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-1010025 | | | | glibc: information disclosure |
    | | | | | | of heap addresses of |
    | | | | | | pthread_created thread |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-19126 | | | | glibc: |
    | | | | | | LD_PREFER_MAP_32BIT_EXEC not |
    | | | | | | ignored in setuid binaries |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-6488 | | | | glibc: Incorrect attempt to |
    | | | | | | use a 64-bit register for |
    | | | | | | size_t in assembly... |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-7309 | | | | glibc: memcmp function |
    | | | | | | incorrectly returns zero |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-9192 | | | | glibc: uncontrolled |
    | | | | | | recursion in function |
    | | | | | | check_dst_limits_calc_pos_1 in |
    | | | | | | posix/regexec.c |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2020-10029 | | | | glibc: stack corruption from |
    | | | | | | crafted input in cosl, sinl, |
    | | | | | | sincosl, and tanl... |
    +-------------------+---------------------+----------+-----------------------+-----------------+---------------------------------------------+
    | libcomerr2 | CVE-2019-5094 | MEDIUM | 1.43.4-2 | 1.43.4-2+deb9u1 | e2fsprogs: crafted |
    | | | | | | ext4 partition leads to |
    | | | | | | out-of-bounds write |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-5188 | | | | e2fsprogs: Out-of-bounds write |
    | | | | | | in e2fsck/rehash.c |
    +-------------------+---------------------+ +-----------------------+-----------------+---------------------------------------------+
    | libelf1 | CVE-2018-16062 | | 0.168-1 | | elfutils: Heap-based buffer over-read in |
    | | | | | | libdw/dwarf_getaranges.c:dwarf_getaranges() |
    | | | | | | via crafted file |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2018-18310 | | | | elfutils: invalid memory |
    | | | | | | address dereference |
    | | | | | | was discovered in |
    | | | | | | dwfl_segment_report_module.c |
    | | | | | | in libdwfl |
    + +---------------------+----------+ +-----------------+---------------------------------------------+
    | | CVE-2018-16402 | LOW | | | elfutils: Double-free due |
    | | | | | | to double decompression |
    | | | | | | of sections in crafted ELF |
    | | | | | | causes... |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2018-16403 | | | | elfutils: Heap-based |
    | | | | | | buffer over-read in |
    | | | | | | libdw/dwarf_getabbrev.c and |
    | | | | | | libwd/dwarf_hasattr.c causes |
    | | | | | | crash |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2018-18520 | | | | elfutils: eu-size cannot |
    | | | | | | handle recursive ar files |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2018-18521 | | | | elfutils: Divide-by-zero in |
    | | | | | | arlib_add_symbols function in |
    | | | | | | arlib.c |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-7148 | | | | elfutils: excessive memory |
    | | | | | | allocation in read_long_names |
    | | | | | | in elf_begin.c in libelf |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-7149 | | | | elfutils: heap-based buffer |
    | | | | | | over-read in read_srclines in |
    | | | | | | dwarf_getsrclines.c in libdw |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-7150 | | | | elfutils: segmentation |
    | | | | | | fault in elf64_xlatetom in |
    | | | | | | libelf/elf32_xlatetom.c |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-7664 | | | | elfutils: out of bound |
    | | | | | | write in elf_cvt_note in |
    | | | | | | libelf/note_xlate.h |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-7665 | | | | elfutils: heap-based |
    | | | | | | buffer over-read in |
    | | | | | | function elf32_xlatetom in |
    | | | | | | elf32_xlatetom.c |
    +-------------------+---------------------+----------+-----------------------+-----------------+---------------------------------------------+
    | libgcc1 | CVE-2018-12886 | MEDIUM | 6.3.0-18+deb9u1 | | gcc: spilling of stack |
    | | | | | | protection address in |
    | | | | | | cfgexpand.c and function.c |
    | | | | | | leads to... |
    +-------------------+---------------------+ +-----------------------+-----------------+---------------------------------------------+
    | libgcrypt20 | CVE-2019-12904 | | 1.7.6-2+deb9u3 | | Libgcrypt: physical addresses |
    | | | | | | being available to other |
    | | | | | | processes leads to a |
    | | | | | | flush-and-reload... |
    + +---------------------+----------+ +-----------------+---------------------------------------------+
    | | CVE-2018-6829 | LOW | | | libgcrypt: ElGamal |
    | | | | | | implementation doesn't |
    | | | | | | have semantic security |
    | | | | | | due to incorrectly encoded |
    | | | | | | plaintexts... |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-13627 | | | | libgcrypt: ECDSA timing |
    | | | | | | attack in the libgcrypt20 |
    | | | | | | cryptographic library |
    +-------------------+---------------------+ +-----------------------+-----------------+---------------------------------------------+
    | liblz4-1 | CVE-2019-17543 | | 0.0~r131-2 | | lz4: heap-based buffer |
    | | | | | | overflow in LZ4_write32 |
    +-------------------+---------------------+ +-----------------------+-----------------+---------------------------------------------+
    | libnettle6 | CVE-2018-16869 | | 3.3-1 | | nettle: Leaky data conversion |
    | | | | | | exposing a manager oracle |
    +-------------------+---------------------+ +-----------------------+-----------------+---------------------------------------------+
    | libpcre3 | CVE-2017-11164 | | 2:8.39-3 | | pcre: OP_KETRMAX feature |
    | | | | | | in the match function in |
    | | | | | | pcre_exec.c |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2017-16231 | | | | pcre: self-recursive call in |
    | | | | | | match() in pcre_exec.c leads |
    | | | | | | to denial of service... |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2017-7245 | | | | pcre: stack-based |
    | | | | | | buffer overflow write in |
    | | | | | | pcre32_copy_substring |
    + +---------------------+ + +-----------------+ +
    | | CVE-2017-7246 | | | | |
    | | | | | | |
    | | | | | | |
    +-------------------+---------------------+----------+-----------------------+-----------------+---------------------------------------------+
    | libstdc++6 | CVE-2018-12886 | MEDIUM | 6.3.0-18+deb9u1 | | gcc: spilling of stack |
    | | | | | | protection address in |
    | | | | | | cfgexpand.c and function.c |
    | | | | | | leads to... |
    +-------------------+---------------------+----------+-----------------------+-----------------+---------------------------------------------+
    | libtinfo5 | CVE-2018-19211 | LOW | 6.0+20161126-1+deb9u2 | | ncurses: Null pointer |
    | | | | | | dereference at function |
    | | | | | | _nc_parse_entry in |
    | | | | | | parse_entry.c |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-17594 | | | | ncurses: heap-based buffer |
    | | | | | | overflow in the _nc_find_entry |
    | | | | | | function in tinfo/comp_hash.c |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-17595 | | | | ncurses: heap-based buffer |
    | | | | | | overflow in the fmt_entry |
    | | | | | | function in tinfo/comp_hash.c |
    +-------------------+---------------------+----------+-----------------------+-----------------+---------------------------------------------+
    | libuuid1 | CVE-2016-2779 | HIGH | 2.29.2-1+deb9u1 | | util-linux: runuser tty hijack |
    | | | | | | via TIOCSTI ioctl |
    +-------------------+---------------------+ +-----------------------+-----------------+---------------------------------------------+
    | login | CVE-2017-12424 | | 1:4.4-4.1 | | shadow-utils: Buffer overflow |
    | | | | | | via newusers tool |
    + +---------------------+----------+ +-----------------+---------------------------------------------+
    | | CVE-2007-5686 | LOW | | | initscripts in rPath Linux 1 |
    | | | | | | sets insecure permissions for |
    | | | | | | the /var/log/btmp file,... |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2013-4235 | | | | shadow-utils: TOCTOU race |
    | | | | | | conditions by copying and |
    | | | | | | removing directory trees |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2018-7169 | | | | shadow-utils: newgidmap |
    | | | | | | allows unprivileged user |
    | | | | | | to drop supplementary |
    | | | | | | groups potentially allowing |
    | | | | | | privilege... |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-19882 | | | | shadow-utils: local users |
    | | | | | | can obtain root access |
    | | | | | | because setuid programs are |
    | | | | | | misconfigured... |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | TEMP-0628843-DBAD28 | | | | |
    +-------------------+---------------------+----------+-----------------------+-----------------+---------------------------------------------+
    | multiarch-support | CVE-2018-1000001 | HIGH | 2.24-11+deb9u4 | | glibc: realpath() buffer |
    | | | | | | underflow when getcwd() |
    | | | | | | returns relative path allows |
    | | | | | | privilege escalation... |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2018-6485 | | | | glibc: Integer overflow in |
    | | | | | | posix_memalign in memalign |
    | | | | | | functions |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2018-6551 | | | | glibc: integer overflow in |
    | | | | | | malloc functions |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-9169 | | | | glibc: regular-expression |
    | | | | | | match via proceed_next_node |
    | | | | | | in posix/regexec.c leads to |
    | | | | | | heap-based buffer over-read... |
    + +---------------------+----------+ +-----------------+---------------------------------------------+
    | | CVE-2009-5155 | MEDIUM | | | glibc: parse_reg_exp in |
    | | | | | | posix/regcomp.c misparses |
    | | | | | | alternatives leading to denial |
    | | | | | | of service or... |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2016-10739 | | | | glibc: getaddrinfo should |
    | | | | | | reject IP addresses with |
    | | | | | | trailing characters |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2017-12132 | | | | glibc: Fragmentation attacks |
    | | | | | | possible when EDNS0 is enabled |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2020-1751 | | | | glibc: array overflow in |
    | | | | | | backtrace functions for |
    | | | | | | powerpc |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2020-1752 | | | | glibc: use-after-free in |
    | | | | | | glob() function when expanding |
    | | | | | | ~user |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2020-6096 | | | | glibc: signed comparison |
    | | | | | | vulnerability in the ARMv7 |
    | | | | | | memcpy function |
    + +---------------------+----------+ +-----------------+---------------------------------------------+
    | | CVE-2010-4051 | LOW | | | CVE-2010-4052 glibc: |
    | | | | | | De-recursivise regular |
    | | | | | | expression engine |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2010-4052 | | | | CVE-2010-4051 CVE-2010-4052 |
    | | | | | | glibc: De-recursivise regular |
    | | | | | | expression engine |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2010-4756 | | | | glibc: glob implementation can |
    | | | | | | cause excessive CPU and memory |
    | | | | | | consumption due to... |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2015-8985 | | | | glibc: potential denial of |
    | | | | | | service in pop_fail_stack() |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2016-10228 | | | | glibc: iconv program can |
    | | | | | | hang when invoked with the -c |
    | | | | | | option |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2018-20796 | | | | glibc: uncontrolled |
    | | | | | | recursion in function |
    | | | | | | check_dst_limits_calc_pos_1 in |
    | | | | | | posix/regexec.c |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-1010022 | | | | glibc: stack guard protection |
    | | | | | | bypass |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-1010023 | | | | glibc: running ldd on |
    | | | | | | malicious ELF leads to code |
    | | | | | | execution because of... |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-1010024 | | | | glibc: ASLR bypass using cache |
    | | | | | | of thread stack and heap |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-1010025 | | | | glibc: information disclosure |
    | | | | | | of heap addresses of |
    | | | | | | pthread_created thread |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-19126 | | | | glibc: |
    | | | | | | LD_PREFER_MAP_32BIT_EXEC not |
    | | | | | | ignored in setuid binaries |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-6488 | | | | glibc: Incorrect attempt to |
    | | | | | | use a 64-bit register for |
    | | | | | | size_t in assembly... |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-7309 | | | | glibc: memcmp function |
    | | | | | | incorrectly returns zero |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-9192 | | | | glibc: uncontrolled |
    | | | | | | recursion in function |
    | | | | | | check_dst_limits_calc_pos_1 in |
    | | | | | | posix/regexec.c |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2020-10029 | | | | glibc: stack corruption from |
    | | | | | | crafted input in cosl, sinl, |
    | | | | | | sincosl, and tanl... |
    +-------------------+---------------------+----------+-----------------------+-----------------+---------------------------------------------+
    | passwd | CVE-2017-12424 | HIGH | 1:4.4-4.1 | | shadow-utils: Buffer overflow |
    | | | | | | via newusers tool |
    + +---------------------+----------+ +-----------------+---------------------------------------------+
    | | CVE-2007-5686 | LOW | | | initscripts in rPath Linux 1 |
    | | | | | | sets insecure permissions for |
    | | | | | | the /var/log/btmp file,... |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2013-4235 | | | | shadow-utils: TOCTOU race |
    | | | | | | conditions by copying and |
    | | | | | | removing directory trees |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2018-7169 | | | | shadow-utils: newgidmap |
    | | | | | | allows unprivileged user |
    | | | | | | to drop supplementary |
    | | | | | | groups potentially allowing |
    | | | | | | privilege... |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-19882 | | | | shadow-utils: local users |
    | | | | | | can obtain root access |
    | | | | | | because setuid programs are |
    | | | | | | misconfigured... |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | TEMP-0628843-DBAD28 | | | | |
    +-------------------+---------------------+ +-----------------------+-----------------+---------------------------------------------+
    | perl-base | CVE-2011-4116 | | 5.24.1-3+deb9u5 | | perl: File::Temp insecure |
    | | | | | | temporary file handling |
    +-------------------+---------------------+ +-----------------------+-----------------+---------------------------------------------+
    | tar | CVE-2005-2541 | | 1.29b-1.1 | | Tar 1.15.1 does not properly |
    | | | | | | warn the user when extracting |
    | | | | | | setuid or... |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2018-20482 | | | | tar: Infinite read loop in |
    | | | | | | sparse_dump_region function in |
    | | | | | | sparse.c |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | CVE-2019-9923 | | | | tar: null-pointer dereference |
    | | | | | | in pax_decode_header in |
    | | | | | | sparse.c |
    + +---------------------+ + +-----------------+---------------------------------------------+
    | | TEMP-0290435-0B57B5 | | | | |
    +-------------------+---------------------+----------+-----------------------+-----------------+---------------------------------------------+
debian-base-2.1.0
    2020-05-11T16:16:11.577-0400 INFO Detecting Debian vulnerabilities...

    us.gcr.io/k8s-artifacts-prod/build-image/debian-base-amd64:v2.1.0 (debian 10.3)
    ===============================================================================
    Total: 77 (UNKNOWN: 0, LOW: 17, MEDIUM: 54, HIGH: 5, CRITICAL: 1)

    +---------------+---------------------+----------+-------------------+---------------+--------------------------------+
    | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
    +---------------+---------------------+----------+-------------------+---------------+--------------------------------+
    | apt | CVE-2011-3374 | MEDIUM | 1.8.2 | | It was found that apt-key |
    | | | | | | in apt, all versions, do not |
    | | | | | | correctly... |
    +---------------+---------------------+----------+-------------------+---------------+--------------------------------+
    | coreutils | CVE-2016-2781 | LOW | 8.30-3 | | coreutils: Non-privileged |
    | | | | | | session can escape to the |
    | | | | | | parent session in chroot |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2017-18018 | | | | coreutils: race condition |
    | | | | | | vulnerability in chown and |
    | | | | | | chgrp |
    +---------------+---------------------+----------+-------------------+---------------+--------------------------------+
    | gcc-8-base | CVE-2018-12886 | MEDIUM | 8.3.0-6 | | gcc: spilling of stack |
    | | | | | | protection address in |
    | | | | | | cfgexpand.c and function.c |
    | | | | | | leads to... |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2019-15847 | | | | gcc: POWER9 "DARN" RNG |
    | | | | | | intrinsic produces repeated |
    | | | | | | output |
    +---------------+---------------------+ +-------------------+---------------+--------------------------------+
    | gpgv | CVE-2019-14855 | | 2.2.12-1+deb10u1 | | gnupg2: OpenPGP Key |
    | | | | | | Certification Forgeries with |
    | | | | | | SHA-1 |
    +---------------+---------------------+ +-------------------+---------------+--------------------------------+
    | libapt-pkg5.0 | CVE-2011-3374 | | 1.8.2 | | It was found that apt-key |
    | | | | | | in apt, all versions, do not |
    | | | | | | correctly... |
    +---------------+---------------------+----------+-------------------+---------------+--------------------------------+
    | libc-bin | CVE-2019-1010022 | HIGH | 2.28-10 | | glibc: stack guard protection |
    | | | | | | bypass |
    + +---------------------+----------+ +---------------+--------------------------------+
    | | CVE-2010-4051 | MEDIUM | | | CVE-2010-4052 glibc: |
    | | | | | | De-recursivise regular |
    | | | | | | expression engine |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2010-4052 | | | | CVE-2010-4051 CVE-2010-4052 |
    | | | | | | glibc: De-recursivise regular |
    | | | | | | expression engine |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2010-4756 | | | | glibc: glob implementation can |
    | | | | | | cause excessive CPU and memory |
    | | | | | | consumption due to... |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2016-10228 | | | | glibc: iconv program can |
    | | | | | | hang when invoked with the -c |
    | | | | | | option |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2018-20796 | | | | glibc: uncontrolled |
    | | | | | | recursion in function |
    | | | | | | check_dst_limits_calc_pos_1 in |
    | | | | | | posix/regexec.c |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2019-1010023 | | | | glibc: running ldd on |
    | | | | | | malicious ELF leads to code |
    | | | | | | execution because of... |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2019-1010024 | | | | glibc: ASLR bypass using cache |
    | | | | | | of thread stack and heap |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2019-1010025 | | | | glibc: information disclosure |
    | | | | | | of heap addresses of |
    | | | | | | pthread_created thread |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2019-9192 | | | | glibc: uncontrolled |
    | | | | | | recursion in function |
    | | | | | | check_dst_limits_calc_pos_1 in |
    | | | | | | posix/regexec.c |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2020-1751 | | | | glibc: array overflow in |
    | | | | | | backtrace functions for |
    | | | | | | powerpc |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2020-1752 | | | | glibc: use-after-free in |
    | | | | | | glob() function when expanding |
    | | | | | | ~user |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2020-6096 | | | | glibc: signed comparison |
    | | | | | | vulnerability in the ARMv7 |
    | | | | | | memcpy function |
    + +---------------------+----------+ +---------------+--------------------------------+
    | | CVE-2019-19126 | LOW | | | glibc: |
    | | | | | | LD_PREFER_MAP_32BIT_EXEC not |
    | | | | | | ignored in setuid binaries |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2020-10029 | | | | glibc: stack corruption from |
    | | | | | | crafted input in cosl, sinl, |
    | | | | | | sincosl, and tanl... |
    +---------------+---------------------+----------+ +---------------+--------------------------------+
    | libc6 | CVE-2019-1010022 | HIGH | | | glibc: stack guard protection |
    | | | | | | bypass |
    + +---------------------+----------+ +---------------+--------------------------------+
    | | CVE-2010-4051 | MEDIUM | | | CVE-2010-4052 glibc: |
    | | | | | | De-recursivise regular |
    | | | | | | expression engine |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2010-4052 | | | | CVE-2010-4051 CVE-2010-4052 |
    | | | | | | glibc: De-recursivise regular |
    | | | | | | expression engine |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2010-4756 | | | | glibc: glob implementation can |
    | | | | | | cause excessive CPU and memory |
    | | | | | | consumption due to... |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2016-10228 | | | | glibc: iconv program can |
    | | | | | | hang when invoked with the -c |
    | | | | | | option |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2018-20796 | | | | glibc: uncontrolled |
    | | | | | | recursion in function |
    | | | | | | check_dst_limits_calc_pos_1 in |
    | | | | | | posix/regexec.c |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2019-1010023 | | | | glibc: running ldd on |
    | | | | | | malicious ELF leads to code |
    | | | | | | execution because of... |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2019-1010024 | | | | glibc: ASLR bypass using cache |
    | | | | | | of thread stack and heap |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2019-1010025 | | | | glibc: information disclosure |
    | | | | | | of heap addresses of |
    | | | | | | pthread_created thread |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2019-9192 | | | | glibc: uncontrolled |
    | | | | | | recursion in function |
    | | | | | | check_dst_limits_calc_pos_1 in |
    | | | | | | posix/regexec.c |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2020-1751 | | | | glibc: array overflow in |
    | | | | | | backtrace functions for |
    | | | | | | powerpc |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2020-1752 | | | | glibc: use-after-free in |
    | | | | | | glob() function when expanding |
    | | | | | | ~user |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2020-6096 | | | | glibc: signed comparison |
    | | | | | | vulnerability in the ARMv7 |
    | | | | | | memcpy function |
    + +---------------------+----------+ +---------------+--------------------------------+
    | | CVE-2019-19126 | LOW | | | glibc: |
    | | | | | | LD_PREFER_MAP_32BIT_EXEC not |
    | | | | | | ignored in setuid binaries |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2020-10029 | | | | glibc: stack corruption from |
    | | | | | | crafted input in cosl, sinl, |
    | | | | | | sincosl, and tanl... |
    +---------------+---------------------+----------+-------------------+---------------+--------------------------------+
    | libgcc1 | CVE-2018-12886 | MEDIUM | 8.3.0-6 | | gcc: spilling of stack |
    | | | | | | protection address in |
    | | | | | | cfgexpand.c and function.c |
    | | | | | | leads to... |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2019-15847 | | | | gcc: POWER9 "DARN" RNG |
    | | | | | | intrinsic produces repeated |
    | | | | | | output |
    +---------------+---------------------+ +-------------------+---------------+--------------------------------+
    | libgcrypt20 | CVE-2018-6829 | | 1.8.4-5 | | libgcrypt: ElGamal |
    | | | | | | implementation doesn't |
    | | | | | | have semantic security |
    | | | | | | due to incorrectly encoded |
    | | | | | | plaintexts... |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2019-12904 | | | | Libgcrypt: physical addresses |
    | | | | | | being available to other |
    | | | | | | processes leads to a |
    | | | | | | flush-and-reload... |
    + +---------------------+----------+ +---------------+--------------------------------+
    | | CVE-2019-13627 | LOW | | | libgcrypt: ECDSA timing |
    | | | | | | attack in the libgcrypt20 |
    | | | | | | cryptographic library |
    +---------------+---------------------+----------+-------------------+---------------+--------------------------------+
    | libgnutls30 | CVE-2011-3389 | MEDIUM | 3.6.7-4+deb10u3 | | HTTPS: block-wise |
    | | | | | | chosen-plaintext attack |
    | | | | | | against SSL/TLS (BEAST) |
    +---------------+---------------------+ +-------------------+---------------+--------------------------------+
    | libidn2-0 | CVE-2019-12290 | | 2.0.5-1+deb10u1 | | GNU libidn2 before 2.2.0 |
    | | | | | | fails to perform the roundtrip |
    | | | | | | checks specified in... |
    +---------------+---------------------+ +-------------------+---------------+--------------------------------+
    | liblz4-1 | CVE-2019-17543 | | 1.8.3-1 | | lz4: heap-based buffer |
    | | | | | | overflow in LZ4_write32 |
    +---------------+---------------------+----------+-------------------+---------------+--------------------------------+
    | libpcre3 | CVE-2017-11164 | HIGH | 2:8.39-12 | | pcre: OP_KETRMAX feature |
    | | | | | | in the match function in |
    | | | | | | pcre_exec.c |
    + +---------------------+----------+ +---------------+--------------------------------+
    | | CVE-2017-7245 | MEDIUM | | | pcre: stack-based |
    | | | | | | buffer overflow write in |
    | | | | | | pcre32_copy_substring |
    + +---------------------+ + +---------------+ +
    | | CVE-2017-7246 | | | | |
    | | | | | | |
    | | | | | | |
    + +---------------------+----------+ +---------------+--------------------------------+
    | | CVE-2017-16231 | LOW | | | pcre: self-recursive call in |
    | | | | | | match() in pcre_exec.c leads |
    | | | | | | to denial of service... |
    +---------------+---------------------+----------+-------------------+---------------+--------------------------------+
    | libseccomp2 | CVE-2019-9893 | HIGH | 2.3.3-4 | | libseccomp: incorrect |
    | | | | | | generation of syscall filters |
    | | | | | | in libseccomp |
    +---------------+---------------------+----------+-------------------+---------------+--------------------------------+
    | libstdc++6 | CVE-2018-12886 | MEDIUM | 8.3.0-6 | | gcc: spilling of stack |
    | | | | | | protection address in |
    | | | | | | cfgexpand.c and function.c |
    | | | | | | leads to... |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2019-15847 | | | | gcc: POWER9 "DARN" RNG |
    | | | | | | intrinsic produces repeated |
    | | | | | | output |
    +---------------+---------------------+ +-------------------+---------------+--------------------------------+
    | libsystemd0 | CVE-2019-3843 | | 241-7~deb10u3 | | systemd: services with |
    | | | | | | DynamicUser can create |
    | | | | | | SUID/SGID binaries |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2019-3844 | | | | systemd: services with |
    | | | | | | DynamicUser can get new |
    | | | | | | privileges and create SGID |
    | | | | | | binaries... |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2020-1712 | | | 241-7~deb10u4 | systemd: use-after-free when |
    | | | | | | asynchronous polkit queries |
    | | | | | | are performed |
    + +---------------------+----------+ +---------------+--------------------------------+
    | | CVE-2013-4392 | LOW | | | systemd: TOCTOU race condition |
    | | | | | | when updating file permissions |
    | | | | | | and SELinux security |
    | | | | | | contexts... |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2019-20386 | | | | systemd: a memory leak was |
    | | | | | | discovered in button_open in |
    | | | | | | login/logind-button.c when |
    | | | | | | udev... |
    +---------------+---------------------+----------+-------------------+---------------+--------------------------------+
    | libtasn1-6 | CVE-2018-1000654 | HIGH | 4.13-3 | | libtasn1: Infinite loop in |
    | | | | | | _asn1_expand_object_id(ptree) |
    | | | | | | leads to memory exhaustion |
    +---------------+---------------------+----------+-------------------+---------------+--------------------------------+
    | libudev1 | CVE-2019-3843 | MEDIUM | 241-7~deb10u3 | | systemd: services with |
    | | | | | | DynamicUser can create |
    | | | | | | SUID/SGID binaries |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2019-3844 | | | | systemd: services with |
    | | | | | | DynamicUser can get new |
    | | | | | | privileges and create SGID |
    | | | | | | binaries... |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2020-1712 | | | 241-7~deb10u4 | systemd: use-after-free when |
    | | | | | | asynchronous polkit queries |
    | | | | | | are performed |
    + +---------------------+----------+ +---------------+--------------------------------+
    | | CVE-2013-4392 | LOW | | | systemd: TOCTOU race condition |
    | | | | | | when updating file permissions |
    | | | | | | and SELinux security |
    | | | | | | contexts... |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2019-20386 | | | | systemd: a memory leak was |
    | | | | | | discovered in button_open in |
    | | | | | | login/logind-button.c when |
    | | | | | | udev... |
    +---------------+---------------------+----------+-------------------+---------------+--------------------------------+
    | login | CVE-2007-5686 | MEDIUM | 1:4.5-1.1 | | initscripts in rPath Linux 1 |
    | | | | | | sets insecure permissions for |
    | | | | | | the /var/log/btmp file,... |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2018-7169 | | | | shadow-utils: newgidmap |
    | | | | | | allows unprivileged user |
    | | | | | | to drop supplementary |
    | | | | | | groups potentially allowing |
    | | | | | | privilege... |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2019-19882 | | | | shadow-utils: local users |
    | | | | | | can obtain root access |
    | | | | | | because setuid programs are |
    | | | | | | misconfigured... |
    + +---------------------+----------+ +---------------+--------------------------------+
    | | CVE-2013-4235 | LOW | | | shadow-utils: TOCTOU race |
    | | | | | | conditions by copying and |
    | | | | | | removing directory trees |
    + +---------------------+ + +---------------+--------------------------------+
    | | TEMP-0628843-DBAD28 | | | | |
    +---------------+---------------------+----------+ +---------------+--------------------------------+
    | passwd | CVE-2007-5686 | MEDIUM | | | initscripts in rPath Linux 1 |
    | | | | | | sets insecure permissions for |
    | | | | | | the /var/log/btmp file,... |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2018-7169 | | | | shadow-utils: newgidmap |
    | | | | | | allows unprivileged user |
    | | | | | | to drop supplementary |
    | | | | | | groups potentially allowing |
    | | | | | | privilege... |
    + +---------------------+ + +---------------+--------------------------------+
    | | CVE-2019-19882 | | | | shadow-utils: local users |
    | | | | | | can obtain root access |
    | | | | | | because setuid programs are |
    | | | | | | misconfigured... |
    + +---------------------+----------+ +---------------+--------------------------------+
    | | CVE-2013-4235 | LOW | | | shadow-utils: TOCTOU race |
    | | | | | | conditions by copying and |
    | | | | | | removing directory trees |
    + +---------------------+ + +---------------+--------------------------------+
    | | TEMP-0628843-DBAD28 | | | | |
    +---------------+---------------------+----------+-------------------+---------------+--------------------------------+
    | perl-base | CVE-2011-4116 | MEDIUM | 5.28.1-6 | | perl: File::Temp insecure |
    | | | | | | temporary file handling |
    +---------------+---------------------+----------+-------------------+---------------+--------------------------------+
    | tar | CVE-2005-2541 | CRITICAL | 1.30+dfsg-6 | | Tar 1.15.1 does not properly |
    | | | | | | warn the user when extracting |
    | | | | | | setuid or... |
    + +---------------------+----------+ +---------------+--------------------------------+
    | | CVE-2019-9923 | MEDIUM | | | tar: null-pointer dereference |
    | | | | | | in pax_decode_header in |
    | | | | | | sparse.c |
    + +---------------------+----------+ +---------------+--------------------------------+
    | | TEMP-0290435-0B57B5 | LOW | | | |
    +---------------+---------------------+----------+-------------------+---------------+--------------------------------+