Gentoo Archives: gentoo-announce

From: Sean Amoss <ackle@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201204-05 ] SWFTools: User-assisted execution of arbitrary code
Date: Tue, 17 Apr 2012 23:44:10
Message-Id: 4F8DFEE5.6020705@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 201204-05
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: SWFTools: User-assisted execution of arbitrary code
9 Date: April 17, 2012
10 Bugs: #332649
11 ID: 201204-05
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 A heap-based buffer overflow in SWFTools could result in the execution
19 of arbitrary code.
20
21 Background
22 ==========
23
24 SWFTools is a collection of SWF manipulation and generation utilities
25 written by Rainer Böhme and Matthias Kramm.
26
27 Affected packages
28 =================
29
30 -------------------------------------------------------------------
31 Package / Vulnerable / Unaffected
32 -------------------------------------------------------------------
33 1 media-gfx/swftools <= 0.9.1 Vulnerable!
34 -------------------------------------------------------------------
35 NOTE: Certain packages are still vulnerable. Users should migrate
36 to another package if one is available or wait for the
37 existing packages to be marked stable by their
38 architecture maintainers.
39
40 Description
41 ===========
42
43 Integer overflow errors in the "getPNG()" function in png.c and the
44 "jpeg_load()" function in jpeg.c could cause a heap-based buffer
45 overflow.
46
47 Impact
48 ======
49
50 A remote attacker could entice a user to open a specially crafted PNG
51 or JPEG file, possibly resulting in execution of arbitrary code with
52 the privileges of the process, or a Denial of Service condition.
53
54 Workaround
55 ==========
56
57 There is no known workaround at this time.
58
59 Resolution
60 ==========
61
62 Gentoo discontinued support for SWFTools. We recommend that users
63 unmerge swftools:
64
65 # emerge --unmerge "media-gfx/swftools"
66
67 References
68 ==========
69
70 [ 1 ] CVE-2010-1516
71 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1516
72
73 Availability
74 ============
75
76 This GLSA and any updates to it are available for viewing at
77 the Gentoo Security Website:
78
79 http://security.gentoo.org/glsa/glsa-201204-05.xml
80
81 Concerns?
82 =========
83
84 Security is a primary focus of Gentoo Linux and ensuring the
85 confidentiality and security of our users' machines is of utmost
86 importance to us. Any security concerns should be addressed to
87 security@g.o or alternatively, you may file a bug at
88 https://bugs.gentoo.org.
89
90 License
91 =======
92
93 Copyright 2012 Gentoo Foundation, Inc; referenced text
94 belongs to its owner(s).
95
96 The contents of this document are licensed under the
97 Creative Commons - Attribution / Share Alike license.
98
99 http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature