Gentoo Archives: gentoo-announce

From: Thierry Carrez <koon@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200506-15 ] PeerCast: Format string vulnerability
Date: Sun, 19 Jun 2005 19:27:59
Message-Id: 42B5C390.2040001@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200506-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: PeerCast: Format string vulnerability
      Date: June 19, 2005
      Bugs: #96199
        ID: 200506-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

PeerCast suffers from a format string vulnerability that could allow
arbitrary code execution.

Background
==========

PeerCast is a media streaming system based on P2P technology.

Affected packages
=================

    -------------------------------------------------------------------
     Package                /  Vulnerable  /                Unaffected
    -------------------------------------------------------------------
  1  media-sound/peercast       < 0.1212                     >= 0.1212

Description
===========

James Bercegay of the GulfTech Security Research Team discovered that
PeerCast insecurely implements formatted printing when receiving a
request with a malformed URL.

Impact
======

A remote attacker could exploit this vulnerability by sending a request
with a specially crafted URL to a PeerCast server to execute arbitrary
code.
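
The bug class described above, as an added example that is not PeerCast's
code and not part of the original advisory: a request URL used as the format
string itself, next to the fixed form that passes it as data. The function
names and the sample URL are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* The vulnerable pattern below is intentional; silence the compiler's
 * (correct) warnings so the comparison builds cleanly. In real code,
 * treat -Wformat-security as an error instead. */
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"

/* Constructed sample: the only conversion it contains is "%%", which
 * consumes no argument, so even the vulnerable path is well defined. */
static const char SAMPLE_URL[] = "/stream/100%%done";

/* Vulnerable pattern: remote input is the format string, so every '%'
 * sequence in the URL is interpreted by the printf family. */
int render_unsafe(char *out, size_t n, const char *url)
{
    return snprintf(out, n, url);
}

/* Fixed pattern: constant format string, URL passed as an argument. */
int render_safe(char *out, size_t n, const char *url)
{
    return snprintf(out, n, "%s", url);
}

/* Returns 1 when the URL comes out differently as a format string than
 * as data, i.e. the input was interpreted rather than copied.
 * Only call this with inputs whose sole conversion is "%%". */
int format_interpreted(const char *url)
{
    char as_format[256], as_data[256];
    render_unsafe(as_format, sizeof as_format, url);
    render_safe(as_data, sizeof as_data, url);
    return strcmp(as_format, as_data) != 0;
}

int main(void)
{
    char buf[256];
    render_unsafe(buf, sizeof buf, SAMPLE_URL);
    printf("as format: %s\n", buf);
    render_safe(buf, sizeof buf, SAMPLE_URL);
    printf("as data:   %s\n", buf);
    return format_interpreted(SAMPLE_URL) ? 0 : 1;
}
```

Building with -Werror=format-security (and without the pragmas) rejects the
render_unsafe pattern at compile time.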

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PeerCast users should upgrade to the latest available version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-sound/peercast-0.1212"

References
==========

  [ 1 ] GulfTech Advisory
        http://www.gulftech.org/?node=research&article_id=00077-05282005
  [ 2 ] PeerCast Announcement
        http://www.peercast.org/forum/viewtopic.php?p=11596

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200506-15.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
