Gentoo Archives: gentoo-announce

From: Tobias Heinlein <keytoaster@g.o>
To: gentoo-announce@g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 201006-07 ] SILC: Multiple vulnerabilities
Date: Tue, 01 Jun 2010 17:19:29
Message-Id: 4C052A90.3000206@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201006-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: SILC: Multiple vulnerabilities
      Date: June 01, 2010
      Bugs: #284561
        ID: 201006-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were discovered in SILC Toolkit and SILC
Client, the worst of which allows execution of arbitrary code.

Background
==========

SILC (Secure Internet Live Conferencing protocol) Toolkit is a software
development kit for use in clients, and SILC Client is an IRSSI-based
text client.

Affected packages
=================

    -------------------------------------------------------------------
     Package                 /  Vulnerable  /                Unaffected
    -------------------------------------------------------------------
  1  net-im/silc-toolkit          < 1.1.10                    >= 1.1.10
  2  net-im/silc-client           < 1.1.8                      >= 1.1.8
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Multiple vulnerabilities were discovered in SILC Toolkit and SILC
Client. For further information please consult the CVE entries
referenced below.

Impact
======

A remote attacker could overwrite stack locations and possibly execute
arbitrary code via a crafted OID value, a crafted Content-Length header,
or format string specifiers in a nickname field or channel name.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All SILC Toolkit users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-im/silc-toolkit-1.1.10"

All SILC Client users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-im/silc-client-1.1.8"
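
As an added check (not part of the advisory or of Gentoo's own tooling), the script below reads `qlist -Iv`-style output, with a constructed sample embedded inline, and reports installed SILC packages that are still below the fixed versions in the table above. It compares versions numerically, since a plain string compare ranks 1.1.10 below 1.1.8 and would miss the toolkit fix.

```python
"""Flag installed SILC packages still inside the vulnerable ranges of
GLSA 201006-07. Added example, not part of the advisory or of Gentoo's
tooling; the sample input below is constructed, not from a real system."""
import re

# Fixed versions from the advisory's table; anything below is vulnerable.
FIXED = {"net-im/silc-toolkit": "1.1.10", "net-im/silc-client": "1.1.8"}

_VERSION = r"\d+(?:\.\d+)*(?:-r\d+)?"   # e.g. 1.1.8 or 1.1.8-r1


def parse_version(ver):
    """'1.1.8-r1' -> ([1, 1, 8], 1), so versions compare numerically;
    a plain string compare would wrongly rank '1.1.10' below '1.1.8'."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", ver)
    if not m:
        raise ValueError("unsupported version format: %r" % ver)
    return [int(x) for x in m.group(1).split(".")], int(m.group(2) or 0)


def split_atom(atom):
    """'net-im/silc-toolkit-1.1.9' -> ('net-im/silc-toolkit', '1.1.9').
    Package names may contain hyphens, so the version is the first
    hyphen-separated tail that starts with a digit."""
    m = re.fullmatch(r"(.+?)-(%s)" % _VERSION, atom)
    if not m:
        raise ValueError("not a versioned atom: %r" % atom)
    return m.group(1), m.group(2)


def vulnerable_packages(qlist_output):
    """Return (name, installed, fixed) for each `qlist -Iv` line whose
    package is in FIXED and whose version is below the fixed one."""
    findings = []
    for line in qlist_output.splitlines():
        if not line.strip():
            continue
        name, ver = split_atom(line.strip())
        fixed = FIXED.get(name)
        if fixed and parse_version(ver) < parse_version(fixed):
            findings.append((name, ver, fixed))
    return findings


# Constructed sample: vulnerable toolkit, patched client revision, and an
# unrelated package that must be ignored.
SAMPLE = "net-im/silc-toolkit-1.1.9\nnet-im/silc-client-1.1.8-r1\nnet-im/irssi-0.8.15\n"

if __name__ == "__main__":
    for name, ver, fixed in vulnerable_packages(SAMPLE):
        print("%s-%s is vulnerable (GLSA 201006-07); upgrade to >=%s-%s"
              % (name, ver, name, fixed))
```

On a real system, feed it the output of `qlist -Iv net-im/silc` instead of SAMPLE.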

References
==========

[ 1 ] CVE-2008-7159
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7159
[ 2 ] CVE-2008-7160
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7160
[ 3 ] CVE-2009-3051
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3051
[ 4 ] CVE-2009-3163
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3163

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201006-07.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2010 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
