CVE-2017-15288

The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, and 2.12.x before 2.12.4 uses weak permissions for private files in /tmp/scala-devel/${USER:shared}/scalac-compile-server-port, which allows local users to write to arbitrary class files and consequently gain privileges.

References

Affected packages

Debian:11 / scala

Package

Name: scala
Purl: pkg:deb/debian/scala?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.11.12-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:12 / scala

Package

Name: scala
Purl: pkg:deb/debian/scala?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.11.12-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:13 / scala

Package

Name: scala
Purl: pkg:deb/debian/scala?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.11.12-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Git / github.com/scala/scala

Affected ranges

Type: GIT
Repo: https://github.com/scala/scala
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

89e57bc7ad4a1809864b637617456736fd7b8101

Affected versions

v1.*

v1.0.0-b5

v1.0.0-b6

v1.1.0-b0

v1.4.0+3

v2.*

v2.0.0

v2.1.0

v2.1.1

v2.1.2

v2.1.3

v2.1.4

v2.1.5

v2.1.6

v2.1.7

v2.1.8

v2.10.0

v2.10.0-M1

v2.10.0-M2

v2.10.0-M3

v2.10.0-M4

v2.10.0-M5

v2.10.0-M6

v2.10.0-M7

v2.10.0-RC1

v2.10.0-RC2

v2.10.0-RC3

v2.10.0-RC4

v2.10.0-RC5

v2.10.1

v2.10.1-RC1

v2.10.1-RC2

v2.10.1-RC3

v2.10.2

v2.10.2-RC1

v2.10.2-RC2

v2.10.3

v2.10.3-RC1

v2.10.3-RC2

v2.10.3-RC3

v2.10.4

v2.10.4-RC1

v2.10.4-RC2

v2.10.4-RC3

v2.10.5

v2.10.6

v2.2.0

v2.3.0

v2.3.1

v2.3.2

v2.3.3

v2.7-diverged

v2.8-diverged

v2.9-diverged