PublicDateAtUSN: 2017-06-19
Candidate: CVE-2017-1000376
PublicDate: 2017-06-19 16:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000376
 https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
 https://access.redhat.com/security/cve/CVE-2017-1000376
 https://ubuntu.com/security/notices/USN-3454-1
 https://ubuntu.com/security/notices/USN-3454-2
Description:
 libffi requests an executable stack allowing attackers to more easily
 trigger arbitrary code execution by overwriting the stack. Please note that
 libffi is used by a number of other libraries. It was previously stated
 that this affects libffi version 3.2.1 but this appears to be incorrect.
 libffi prior to version 3.1 on 32 bit x86 systems was vulnerable, and
 upstream is believed to have fixed this issue in version 3.1.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by: Qualys
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H [7.0 HIGH]

Patches_libffi:
 upstream: https://github.com/libffi/libffi/commit/978c9540154d320525488db1b7049277122f736d
upstream_libffi: released (3.2.1-4)
precise/esm_libffi: released (3.0.11~rc1-5ubuntu0.1)
trusty_libffi: released (3.1~rc1+r3.0.13-12ubuntu0.2)
trusty/esm_libffi: released (3.1~rc1+r3.0.13-12ubuntu0.2)
vivid/ubuntu-core_libffi: ignored (reached end-of-life)
xenial_libffi: not-affected
esm-infra/xenial_libffi: not-affected
yakkety_libffi: not-affected
zesty_libffi: not-affected
artful_libffi: not-affected (3.2.1-6)
devel_libffi: not-affected (3.2.1-6)