| Name | CVE-2016-5397 |
|---|---|
| Description | The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affected Apache Thrift 0.9.3 and older, Fixed in Apache Thrift 0.10.0. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 894577 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| thrift (PTS) | buster | 0.11.0-4 | fixed |
| thrift (PTS) | bullseye | 0.13.0-6 | fixed |
| thrift (PTS) | bookworm | 0.17.0-2 | fixed |
| thrift (PTS) | sid, trixie | 0.19.0-2.1 | fixed |
| thrift-compiler (PTS) | jessie | 0.9.1-2 | vulnerable |
| thrift-compiler (PTS) | stretch | 0.9.1-2.1 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| thrift | source | experimental | 0.10.0-1 | unimportant | | |
| thrift | source | (unstable) | 0.11.0-3 | unimportant | | |
| thrift-compiler | source | (unstable) | (unfixed) | unimportant | | 894577 |
Notes
https://issues.apache.org/jira/browse/THRIFT-3893
https://github.com/apache/thrift/commit/2007783e874d524a46b818598a45078448ecc53e
Fixed in 0.10.0 upstream, and in experimental src:thrift/0.10.0-1 is present.
src:thrift only present in experimental.
Go bindings only enabled in 0.9.3-2 (not yet in unstable).
Only ever affected src:thrift in experimental, and fixed in src:thrift/0.10.0-1, so any future upload of thrift to unstable can mark this item as `<not-affected>` (fixed before the initial upload to Debian unstable).