1. Ubuntu Security Notices
  2. USN-7117-1

USN-7117-1: needrestart and Module::ScanDeps vulnerabilities

Publication date

19 November 2024

Overview

Several security issues were fixed in libmodule-scandeps-perl, needrestart.

Releases

Packages

Details

Qualys discovered that needrestart passed unsanitized data to a library
(libmodule-scandeps-perl) which expects safe input. A local attacker could
possibly use this issue to execute arbitrary code as root.
(CVE-2024-11003)

Qualys discovered that the library libmodule-scandeps-perl incorrectly
parsed perl code. This could allow a local attacker to execute arbitrary
shell commands. (CVE-2024-10224)

Qualys discovered that needrestart incorrectly used the PYTHONPATH
environment variable to spawn a new Python interpreter. A local attacker
could possibly use this issue to execute arbitrary code as root.
(CVE-2024-48990)

Qualys discovered that needrestart incorrectly checked the path to the
Python interpreter. A local attacker could possibly use this issue to win
a race condition and execute arbitrary code as...

Qualys discovered that needrestart passed unsanitized data to a library
(libmodule-scandeps-perl) which expects safe input. A local attacker could
possibly use this issue to execute arbitrary code as root.
(CVE-2024-11003)

Qualys discovered that the library libmodule-scandeps-perl incorrectly
parsed perl code. This could allow a local attacker to execute arbitrary
shell commands. (CVE-2024-10224)

Qualys discovered that needrestart incorrectly used the PYTHONPATH
environment variable to spawn a new Python interpreter. A local attacker
could possibly use this issue to execute arbitrary code as root.
(CVE-2024-48990)

Qualys discovered that needrestart incorrectly checked the path to the
Python interpreter. A local attacker could possibly use this issue to win
a race condition and execute arbitrary code as root. (CVE-2024-48991)

Qualys discovered that needrestart incorrectly used the RUBYLIB
environment variable to spawn a new Ruby interpreter. A local attacker
could possibly use this issue to execute arbitrary code as root.
(CVE-2024-48992)

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
24.10 oracular libmodule-scandeps-perl –  1.35-1ubuntu0.24.10.1
needrestart –  3.6-8ubuntu4.2
24.04 noble libmodule-scandeps-perl –  1.35-1ubuntu0.24.04.1
needrestart –  3.6-7ubuntu4.3
22.04 jammy libmodule-scandeps-perl –  1.31-1ubuntu0.1
needrestart –  3.5-5ubuntu2.2
20.04 focal libmodule-scandeps-perl –  1.27-1ubuntu0.1~esm1  
needrestart –  3.4-6ubuntu0.1+esm1  
18.04 bionic libmodule-scandeps-perl –  1.24-1ubuntu0.1~esm1  
needrestart –  3.1-1ubuntu0.1+esm1  
16.04 xenial libmodule-scandeps-perl –  1.20-1ubuntu0.1~esm1  
needrestart –  2.6-1ubuntu0.1~esm1  

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›