Gentoo Archives: gentoo-announce

From: Raphael Marichez <falco@g.o>
To: gentoo-announce@g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200709-06 ] flac123: Buffer overflow
Date: Fri, 14 Sep 2007 23:48:28
Message-Id: 20070914214448.GI5635@falco.falcal.net
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 200709-06
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: flac123: Buffer overflow
9 Date: September 14, 2007
10 Bugs: #186220
11 ID: 200709-06
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 flac123 is affected by a buffer overflow vulnerability, which could
19 allow for the execution of arbitrary code.
20
21 Background
22 ==========
23
24 flac123 is a command-line application for playing FLAC audio files.
25
26 Affected packages
27 =================
28
29 -------------------------------------------------------------------
30 Package / Vulnerable / Unaffected
31 -------------------------------------------------------------------
32 1 media-sound/flac123 < 0.0.11 >= 0.0.11
33
34 Description
35 ===========
36
37 A possible buffer overflow vulnerability has been reported in the
38 local__vcentry_parse_value() function in vorbiscomment.c.
39
40 Impact
41 ======
42
43 An attacker could entice a user to play a specially crafted audio file,
44 which could lead to the execution of arbitrary code with the privileges
45 of the user running the application.
46
47 Workaround
48 ==========
49
50 There is no known workaround at this time.
51
52 Resolution
53 ==========
54
55 All flac123 users should upgrade to the latest version:
56
57 # emerge --sync
58 # emerge --ask --oneshot --verbose ">=media-sound/flac123-0.0.11"
59
60 References
61 ==========
62
63 [ 1 ] CVE-2007-3507
64 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3507
65
66 Availability
67 ============
68
69 This GLSA and any updates to it are available for viewing at
70 the Gentoo Security Website:
71
72 http://security.gentoo.org/glsa/glsa-200709-06.xml
73
74 Concerns?
75 =========
76
77 Security is a primary focus of Gentoo Linux and ensuring the
78 confidentiality and security of our users machines is of utmost
79 importance to us. Any security concerns should be addressed to
80 security@g.o or alternatively, you may file a bug at
81 http://bugs.gentoo.org.
82
83 License
84 =======
85
86 Copyright 2007 Gentoo Foundation, Inc; referenced text
87 belongs to its owner(s).
88
89 The contents of this document are licensed under the
90 Creative Commons - Attribution / Share Alike license.
91
92 http://creativecommons.org/licenses/by-sa/2.5