Gentoo Archives: gentoo-announce

From: Robert Buchholz <rbu@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200904-02 ] GLib: Execution of arbitrary code
Date: Fri, 03 Apr 2009 13:51:20
Message-Id: 200904031547.59921.rbu@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200904-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: GLib: Execution of arbitrary code
Date: April 03, 2009
Bugs: #249214
ID: 200904-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple integer overflows might allow for the execution of arbitrary
code when performing base64 conversion.

Background
==========

GLib is a library of C routines that is used by a multitude of
programs.

Affected packages
=================

-------------------------------------------------------------------
     Package              /  Vulnerable  /              Unaffected
-------------------------------------------------------------------
  1  dev-libs/glib             < 2.18.4-r1          >= 2.18.4-r1
                                                   *>= 2.16.6-r1

Description
===========

Diego E. Pettenò reported multiple integer overflows in glib/gbase64.c
when converting a long string from or to a base64 representation.

Impact
======

A remote attacker could entice a user or automated system to perform a
base64 conversion via an application using GLib, possibly resulting in
the execution of arbitrary code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GLib 2.18 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/glib-2.18.4-r1"

All GLib 2.16 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/glib-2.16.6-r1"

References
==========

[ 1 ] CVE-2008-4316
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4316

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200904-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
