The daemon in P3Scan 3.0_rc1 and earlier creates a p3scan.pid file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for p3scan.pid modification before a root script executes a kill cat /pathname/p3scan.pid
command, as demonstrated by etc/init.d/p3scan.
The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
Name | Vendor | Start Version | End Version |
---|---|---|---|
P3scan | P3scan_project | * | 3.0 (including) |
P3scan | Ubuntu | artful | * |
P3scan | Ubuntu | esm-apps/xenial | * |
P3scan | Ubuntu | trusty | * |
P3scan | Ubuntu | upstream | * |
P3scan | Ubuntu | xenial | * |
P3scan | Ubuntu | zesty | * |