Gentoo Archives: gentoo-announce

From: Thierry Carrez <koon@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200505-19 ] gxine: Format string vulnerability
Date: Thu, 26 May 2005 11:17:46
Message-Id: 4295B057.0@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                 Gentoo Linux Security Advisory           GLSA 200505-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                        http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: gxine: Format string vulnerability
      Date: May 26, 2005
      Bugs: #93532
        ID: 200505-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A format string vulnerability in gxine could allow a remote attacker to
execute arbitrary code.

Background
==========

gxine is a GTK+ and xine-lib based media player.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  media-video/gxine         < 0.4.4                    *>= 0.3.3-r2
                                                          *>= 0.4.1-r1
                                                              >= 0.4.4

Description
===========

Exworm discovered that gxine insecurely implements formatted printing in
the hostname decoding function: the hostname taken from a URL is handed
to a printf-style function as the format string rather than as a format
argument, so any conversion specifiers it contains are interpreted.
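As an added illustration of this bug class (not gxine's code, and not
from the original advisory), the following C program contrasts a
hypothetical hostname-formatting routine that uses the decoded hostname
as the format string with the corrected form that passes it as a `%s`
argument, plus a helper that counts the conversion specifications a
string would introduce if misused that way. The URL layout, the function
names and the sample URLs are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Copy the host part of "scheme://host[:port]/path" into host.
 * Returns the host length, or -1 if the URL has no scheme or the host
 * is empty or too long. (Hypothetical helper written for this example.) */
static int extract_host(const char *url, char *host, size_t hostsz)
{
    const char *p = strstr(url, "://");
    if (p == NULL)
        return -1;
    p += 3;
    size_t len = strcspn(p, ":/");   /* host ends at the port or the path */
    if (len == 0 || len >= hostsz)
        return -1;
    memcpy(host, p, len);
    host[len] = '\0';
    return (int)len;
}

/* The vulnerable pattern: the attacker-controlled host string becomes the
 * format string, so every '%' in it is interpreted by snprintf. The pragma
 * silences the compiler warning that would normally flag exactly this. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int format_host_vulnerable(const char *url, char *out, size_t outsz)
{
    char host[256];
    if (extract_host(url, host, sizeof host) < 0)
        return -1;
    return snprintf(out, outsz, host);   /* BUG: data used as format */
}
#pragma GCC diagnostic pop

/* The fixed form: the format is a literal and the host is an argument. */
int format_host_safe(const char *url, char *out, size_t outsz)
{
    char host[256];
    if (extract_host(url, host, sizeof host) < 0)
        return -1;
    return snprintf(out, outsz, "%s", host);
}

/* Number of conversion specifications s would introduce if misused as a
 * format string. "%%" is a literal percent and is not counted. A hostname
 * has no business containing '%' at all, so any '%' is a good reason to
 * reject the input before it reaches printf-style code. */
int count_format_specs(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {     /* escaped percent: skip the pair */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: "%%" in the host is harmless by itself but
     * shows that the vulnerable path consumes it as a format directive. */
    const char *url = "http://%%example.org/stream";
    char out[64];

    format_host_vulnerable(url, out, sizeof out);
    printf("vulnerable: %s\n", out);        /* %example.org */
    format_host_safe(url, out, sizeof out);
    printf("safe:       %s\n", out);        /* %%example.org */
    printf("specs in \"%%x%%n.example\": %d\n",
           count_format_specs("%x%n.example"));   /* 2 */
    return 0;
}
```

The sample input deliberately uses only `%%` so that the difference
between the two paths is deterministic: the vulnerable routine collapses
it to a single `%`, the safe one preserves the input byte for byte. A
real attack on this bug class supplies `%x` to read stack contents or
`%n` to write to memory, which is undefined behaviour and cannot be
demonstrated with a stable expected result; the `count_format_specs`
check is the kind of input rejection that stops such strings before they
reach a formatting call.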

Impact
======

A remote attacker could entice a user to open a carefully crafted file
with gxine, possibly leading to the execution of arbitrary code with the
privileges of the user running gxine.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All gxine users should upgrade to the latest available version:

    # emerge --sync
    # emerge --ask --oneshot --verbose media-video/gxine

References
==========

  [ 1 ] CAN-2005-1692
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1692
  [ 2 ] Bugtraq ID 13707
        http://www.securityfocus.com/bid/13707
  [ 3 ] Original Advisory
        http://www.0xbadexworm.org/adv/gxinefmt.txt

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200505-19.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

Attachment: signature.asc (application/pgp-signature)