UBUNTU-CVE-2020-25860

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2020-25860

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2020/UBUNTU-CVE-2020-25860.json

JSON Data

https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2020-25860

Upstream

CVE-2020-25860

Published

2020-12-21T18:15:00Z

Modified

2025-10-24T04:48:45Z

Severity

6.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

The install.c module in the Pengutronix RAUC update client prior to version 1.5 has a Time-of-Check Time-of-Use vulnerability, where signature verification on an update file takes place before the file is reopened for installation. An attacker who can modify the update file just before it is reopened can install arbitrary code on the device.

References

Affected packages

Ubuntu:20.04:LTS / rauc

Package

Name: rauc
Purl: pkg:deb/ubuntu/rauc@1.2-1?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1-2

1.2-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "rauc",
            "binary_version": "1.2-1"
        },
        {
            "binary_name": "rauc-service",
            "binary_version": "1.2-1"
        }
    ]
}

Ubuntu:22.04:LTS / rauc

Package

Name: rauc
Purl: pkg:deb/ubuntu/rauc@1.6-1?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.5.1-1

1.5.1-1build1

1.6-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "rauc",
            "binary_version": "1.6-1"
        },
        {
            "binary_name": "rauc-service",
            "binary_version": "1.6-1"
        }
    ]
}