[USN-7210-1] .NET vulnerabilities

Ian Constantin ian.constantin at canonical.com
Thu Jan 16 15:02:19 UTC 2025


==========================================================================
Ubuntu Security Notice USN-7210-1
January 16, 2025

dotnet8, dotnet9 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in .NET.

Software Description:
- dotnet8: .NET CLI tools and runtime
- dotnet9: .NET CLI tools and runtime

Details:

It was discovered that .NET did not properly handle input provided to its
Convert.TryToHexString method. An attacker could possibly use this issue
to execute arbitrary code. (CVE-2025-21171)

It was discovered that .NET did not properly handle an integer overflow
when processing certain specially crafted files. An attacker could
possibly use this issue to execute arbitrary code. (CVE-2025-21172)

Daniel Plaisted and Noah Gilson discovered that .NET insecurely handled
temporary file usage which could result in malicious package dependency
injection. An attacker could possibly use this issue to elevate privileges.
(CVE-2025-21173)

It was discovered that .NET did not properly perform input data validation
when processing certain specially crafted files. An attacker could
possibly use this issue to execute arbitrary code. (CVE-2025-21176)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
   aspnetcore-runtime-8.0          8.0.12-0ubuntu1~24.10.1
   aspnetcore-runtime-9.0          9.0.1-0ubuntu1~24.10.1
   dotnet-host-8.0                 8.0.12-0ubuntu1~24.10.1
   dotnet-host-9.0                 9.0.1-0ubuntu1~24.10.1
   dotnet-hostfxr-8.0              8.0.12-0ubuntu1~24.10.1
   dotnet-hostfxr-9.0              9.0.1-0ubuntu1~24.10.1
   dotnet-runtime-8.0              8.0.12-0ubuntu1~24.10.1
   dotnet-runtime-9.0              9.0.1-0ubuntu1~24.10.1
   dotnet-sdk-8.0                  8.0.112-0ubuntu1~24.10.1
   dotnet-sdk-9.0                  9.0.102-0ubuntu1~24.10.1
   dotnet8                         8.0.112-8.0.12-0ubuntu1~24.10.1
   dotnet9                         9.0.102-9.0.1-0ubuntu1~24.10.1

Ubuntu 24.04 LTS
   aspnetcore-runtime-8.0          8.0.12-0ubuntu1~24.04.1
   dotnet-host-8.0                 8.0.12-0ubuntu1~24.04.1
   dotnet-hostfxr-8.0              8.0.12-0ubuntu1~24.04.1
   dotnet-runtime-8.0              8.0.12-0ubuntu1~24.04.1
   dotnet-sdk-8.0                  8.0.112-0ubuntu1~24.04.1
   dotnet8                         8.0.112-8.0.12-0ubuntu1~24.04.1

Ubuntu 22.04 LTS
   aspnetcore-runtime-8.0          8.0.12-0ubuntu1~22.04.1
   dotnet-host-8.0                 8.0.12-0ubuntu1~22.04.1
   dotnet-hostfxr-8.0              8.0.12-0ubuntu1~22.04.1
   dotnet-runtime-8.0              8.0.12-0ubuntu1~22.04.1
   dotnet-sdk-8.0                  8.0.112-0ubuntu1~22.04.1
   dotnet8                         8.0.112-8.0.12-0ubuntu1~22.04.1

In general, a standard system update will make all the necessary changes.

References:
   https://ubuntu.com/security/notices/USN-7210-1
   CVE-2025-21171, CVE-2025-21172, CVE-2025-21173, CVE-2025-21176

Package Information:
https://launchpad.net/ubuntu/+source/dotnet8/8.0.112-8.0.12-0ubuntu1~24.10.1
https://launchpad.net/ubuntu/+source/dotnet9/9.0.102-9.0.1-0ubuntu1~24.10.1
https://launchpad.net/ubuntu/+source/dotnet8/8.0.112-8.0.12-0ubuntu1~24.04.1
https://launchpad.net/ubuntu/+source/dotnet8/8.0.112-8.0.12-0ubuntu1~22.04.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 665 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20250116/ddd9c05c/attachment.sig>


More information about the ubuntu-security-announce mailing list