Gentoo Archives: gentoo-announce

From: Alex Legler <a3li@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 201009-01 ] wxGTK: User-assisted execution of arbitrary code
Date: Thu, 02 Sep 2010 22:11:22
Message-Id: 20100902231949.45dde925@mail.a3li.li
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 201009-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: wxGTK: User-assisted execution of arbitrary code
      Date: September 02, 2010
      Bugs: #277722
        ID: 201009-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An integer overflow vulnerability in wxGTK might enable remote
attackers to cause the execution of arbitrary code.

Background
==========

wxGTK is the GTK+ version of wxWidgets, a cross-platform C++ GUI
toolkit.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  x11-libs/wxGTK          < 2.8.10.1-r1             *>= 2.6.4.0-r5
                                                        >= 2.8.10.1-r1

Description
===========

wxGTK is prone to an integer overflow error in the wxImage::Create()
function in src/common/image.cpp, possibly leading to a heap-based
buffer overflow.

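The pattern behind the description above, shown as an added example that is not wxWidgets' own code: a simplified stand-in for an RGB image-buffer constructor that computes width*height*3 in 32-bit arithmetic (so the byte count can wrap to a value far smaller than the pixel data that is later written into it), beside an overflow-checked version that refuses such dimensions before any allocation. The function names, the 3-bytes-per-pixel constant and the kMaxPixels policy cap are assumptions for illustration; the 65536x65536 dimensions are constructed test values, not taken from any real file.

```cpp
// Added example, not wxWidgets' code: unchecked vs. checked computation of
// an RGB buffer size. Names, constants and dimensions are assumptions.
#include <cstddef>
#include <cstdint>
#include <limits>
#include <vector>

// Packed RGB: 3 bytes per pixel, as in the advisory's description of wxImage.
static const std::size_t kBytesPerPixel = 3;

// Assumed policy cap on the pixel count (256 Mpixel). Guarding the arithmetic
// alone still lets a caller request a multi-gigabyte buffer; a cap is a
// separate, application-specific decision.
static const std::size_t kMaxPixels = std::size_t(1) << 28;

// UNSAFE: mirrors the pattern width*height*3 evaluated in a 32-bit integer.
// Unsigned is used so the wrap is well-defined and observable here; with a
// signed int the wrap is undefined behaviour, but the practical effect (a
// far-too-small byte count handed to the allocator) is the same.
std::uint32_t unchecked_rgb_bytes(std::uint32_t width, std::uint32_t height)
{
    return width * height * static_cast<std::uint32_t>(kBytesPerPixel);
}

// Reports whether the 32-bit result differs from the exact byte count.
// When it does, a buffer of unchecked_rgb_bytes() bytes is smaller than the
// width*height*3 bytes a decoder will write into it: a heap overflow.
bool unchecked_size_is_wrong(std::uint32_t width, std::uint32_t height)
{
    const std::uint64_t exact =
        static_cast<std::uint64_t>(width) * height * kBytesPerPixel;
    return exact != unchecked_rgb_bytes(width, height);
}

// HARDENED: rejects non-positive dimensions, any product that would
// overflow size_t, and anything above the policy cap. On success out_bytes
// is exactly width*height*3 and is safe to pass to the allocator.
bool checked_rgb_bytes(int width, int height, std::size_t &out_bytes)
{
    if (width <= 0 || height <= 0)
        return false;
    const std::size_t w = static_cast<std::size_t>(width);
    const std::size_t h = static_cast<std::size_t>(height);
    const std::size_t limit = std::numeric_limits<std::size_t>::max();
    if (w > limit / h)                      // w*h would overflow size_t
        return false;
    const std::size_t pixels = w * h;
    if (pixels > kMaxPixels)                // over the assumed policy cap
        return false;
    if (pixels > limit / kBytesPerPixel)    // pixels*3 would overflow
        return false;
    out_bytes = pixels * kBytesPerPixel;
    return true;
}

// Hardened analogue of a Create(): allocates only when the size check
// passes; an empty vector stands in for "Create() returned false".
std::vector<unsigned char> create_rgb_image(int width, int height)
{
    std::size_t bytes = 0;
    if (!checked_rgb_bytes(width, height, bytes))
        return std::vector<unsigned char>();
    return std::vector<unsigned char>(bytes, 0);
}
```

With the constructed 65536x65536 input, unchecked_rgb_bytes() returns 0 because 65536*65536*3 is a multiple of 2^32, so an allocator would hand back a zero-length buffer that the decoder then fills with pixel data; checked_rgb_bytes() refuses the same input before anything is allocated. A normal 640x480 image passes both paths with 921600 bytes.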
Impact
======

A remote attacker might entice a user to open a specially crafted JPEG
file using a program that uses wxGTK, possibly resulting in the remote
execution of arbitrary code with the privileges of the user running the
application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All wxGTK 2.6 users should upgrade to an updated version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=x11-libs/wxGTK-2.6.4.0-r5"

All wxGTK 2.8 users should upgrade to an updated version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=x11-libs/wxGTK-2.8.10.1-r1"

NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since August 9, 2009. It is likely that your system is
already no longer affected by this issue.

References
==========

  [ 1 ] CVE-2009-2369
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2369

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201009-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2010 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Attachment: signature.asc (application/pgp-signature)