[gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-200806-05.xml - gentoo-commits

From:	"Pierre-Yves Rofes (py)" <py@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-200806-05.xml
Date:	Mon, 16 Jun 2008 20:39:32
Message-Id:	`E1K8LU5-00049l-H8@stork.gentoo.org`

1

py          08/06/16 20:39:25

2

3

  Added:                glsa-200806-05.xml

4

  Log:

5

  GLSA 200806-05

6

7

Revision  Changes    Path

8

1.1                  xml/htdocs/security/en/glsa/glsa-200806-05.xml

9

10

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200806-05.xml?rev=1.1&view=markup

11

plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200806-05.xml?rev=1.1&content-type=text/plain

12

13

Index: glsa-200806-05.xml

14

===================================================================

15

<?xml version="1.0" encoding="utf-8"?>

16

<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>

17

<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>

18

<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">

19

20

<glsa id="200806-05">

21

  <title>cbrPager: User-assisted execution of arbitrary code</title>

22

  <synopsis>

23

    Insecure filename usage in cbrPager may allow for the remote execution of

24

    arbitrary code.

25

  </synopsis>

26

  <product type="ebuild">cbrpager</product>

27

  <announced>June 16, 2008</announced>

28

  <revised>June 16, 2008: 01</revised>

29

  <bug>223657</bug>

30

  <access>remote</access>

31

  <affected>

32

    <package name="app-misc/cbrpager" auto="yes" arch="*">

33

      <unaffected range="ge">0.9.17</unaffected>

34

      <vulnerable range="lt">0.9.17</vulnerable>

35

    </package>

36

  </affected>

37

  <background>

38

<p>

39

    cbrPager is a comic book pager.

40

    </p>

41

  </background>

42

  <description>

43

<p>

44

    Mamoru Tasaka discovered that filenames of the image archives are not

45

    properly sanitized before being passed to decompression utilities like

46

    unrar and unzip, which use the system() libc library call.

47

    </p>

48

  </description>

49

  <impact type="normal">

50

<p>

51

    A remote attacker could entice a user to open an archive with a

52

    specially crafted filename, resulting in arbitrary code execution with

53

    the privileges of the user running the application.

54

    </p>

55

  </impact>

56

  <workaround>

57

<p>

58

    There is no known workaround at this time.

59

    </p>

60

  </workaround>

61

  <resolution>

62

<p>

63

    All cbrPager users should upgrade to the latest version:

64

    </p>

65

    <code>

66

    # emerge --sync

67

    # emerge --ask --oneshot --verbose &quot;&gt;=app-misc/cbrpager-0.9.17&quot;</code>

68

  </resolution>

69

  <references>

70

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2575">CVE-2008-2575</uri>

71

  </references>

72

  <metadata tag="requester" timestamp="Wed, 28 May 2008 17:48:23 +0000">

73

    keytoaster

74

  </metadata>

75

  <metadata tag="bugReady" timestamp="Tue, 03 Jun 2008 15:18:59 +0000">

76

    vorlon

77

  </metadata>

78

  <metadata tag="submitter" timestamp="Sat, 14 Jun 2008 21:12:52 +0000">

79

p-y

80

  </metadata>

81

</glsa>

--

86

gentoo-commits@l.g.o mailing list

1	py 08/06/16 20:39:25
2
3	Added: glsa-200806-05.xml
4	Log:
5	GLSA 200806-05
6
7	Revision Changes Path
8	1.1 xml/htdocs/security/en/glsa/glsa-200806-05.xml
9
10	file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200806-05.xml?rev=1.1&view=markup
11	plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200806-05.xml?rev=1.1&content-type=text/plain
12
13	Index: glsa-200806-05.xml
14	===================================================================
15	<?xml version="1.0" encoding="utf-8"?>
16	<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>
17	<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
18	<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
19
20	<glsa id="200806-05">
21	<title>cbrPager: User-assisted execution of arbitrary code</title>
22	<synopsis>
23	Insecure filename usage in cbrPager may allow for the remote execution of
24	arbitrary code.
25	</synopsis>
26	<product type="ebuild">cbrpager</product>
27	<announced>June 16, 2008</announced>
28	<revised>June 16, 2008: 01</revised>
29	<bug>223657</bug>
30	<access>remote</access>
31	<affected>
32	<package name="app-misc/cbrpager" auto="yes" arch="*">
33	<unaffected range="ge">0.9.17</unaffected>
34	<vulnerable range="lt">0.9.17</vulnerable>
35	</package>
36	</affected>
37	<background>
38	<p>
39	cbrPager is a comic book pager.
40	</p>
41	</background>
42	<description>
43	<p>
44	Mamoru Tasaka discovered that filenames of the image archives are not
45	properly sanitized before being passed to decompression utilities like
46	unrar and unzip, which use the system() libc library call.
47	</p>
48	</description>
49	<impact type="normal">
50	<p>
51	A remote attacker could entice a user to open an archive with a
52	specially crafted filename, resulting in arbitrary code execution with
53	the privileges of the user running the application.
54	</p>
55	</impact>
56	<workaround>
57	<p>
58	There is no known workaround at this time.
59	</p>
60	</workaround>
61	<resolution>
62	<p>
63	All cbrPager users should upgrade to the latest version:
64	</p>
65	<code>
66	# emerge --sync
67	# emerge --ask --oneshot --verbose ">=app-misc/cbrpager-0.9.17"</code>
68	</resolution>
69	<references>
70	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2575">CVE-2008-2575</uri>
71	</references>
72	<metadata tag="requester" timestamp="Wed, 28 May 2008 17:48:23 +0000">
73	keytoaster
74	</metadata>
75	<metadata tag="bugReady" timestamp="Tue, 03 Jun 2008 15:18:59 +0000">
76	vorlon
77	</metadata>
78	<metadata tag="submitter" timestamp="Sat, 14 Jun 2008 21:12:52 +0000">
79	p-y
80	</metadata>
81	</glsa>
82
83
84
85	--
86	gentoo-commits@l.g.o mailing list

Gentoo Archives: gentoo-commits