PublicDateAtUSN: 2021-11-16 18:00:00 UTC
Candidate: CVE-2021-3939
CRD: 2021-11-16 18:00:00 UTC
PublicDate: 2021-11-17 04:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3939
 https://ubuntu.com/security/notices/USN-5149-1
Description:
 Ubuntu-specific modifications to accountsservice (in patch file
 debian/patches/0010-set-language.patch) caused the fallback_locale
 variable, pointing to static storage, to be freed, in the
 user_change_language_authorized_cb function. This is reachable via the
 SetLanguage dbus function. This is fixed in versions
 0.6.55-0ubuntu12~20.04.5, 0.6.55-0ubuntu13.3, 0.6.55-0ubuntu14.1.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 https://bugs.launchpad.net/ubuntu/+source/accountsservice/+bug/1950149
Priority: high
Discovered-by: Kevin Backhouse
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [7.8 HIGH]

Patches_accountsservice:
upstream_accountsservice: needs-triage
trusty/esm_accountsservice: not-affected
esm-infra/xenial_accountsservice: not-affected
bionic_accountsservice: not-affected (0.6.45-1ubuntu1.3)
focal_accountsservice: released (0.6.55-0ubuntu12~20.04.5)
hirsute_accountsservice: released (0.6.55-0ubuntu13.3)
impish_accountsservice: released (0.6.55-0ubuntu14.1)
jammy_accountsservice: released (0.6.55-3ubuntu2)
devel_accountsservice: released (0.6.55-3ubuntu2)