Gentoo Archives: gentoo-announce

From: Pierre-Yves Rofes <py@g.o>
To: gentoo-announce@l.g.o
Cc: full-disclosure@××××××××××××××.uk, bugtraq@×××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200803-08 ] Win32 binary codecs: Multiple vulnerabilities
Date: Tue, 04 Mar 2008 22:07:55
Message-Id: 47CDCF80.700@gentoo.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200803-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Win32 binary codecs: Multiple vulnerabilities
Date: March 04, 2008
Bugs: #150288
ID: 200803-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in the Win32 codecs for Linux may result in
the remote execution of arbitrary code.

Background
==========

Win32 binary codecs provide support for video and audio playback.

Affected packages
=================

    -------------------------------------------------------------------
     Package                  /  Vulnerable  /              Unaffected
    -------------------------------------------------------------------
  1  media-libs/win32codecs        < 20071007-r2         >= 20071007-r2

Description
===========

Multiple buffer overflow, heap overflow, and integer overflow
vulnerabilities were discovered in the Quicktime plugin when processing
MOV, FLC, SGI, H.264 and FPX files.

Impact
======

A remote attacker could entice a user to open a specially crafted video
file, possibly resulting in the remote execution of arbitrary code with
the privileges of the user running the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Win32 binary codecs users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-libs/win32codecs-20071007-r2"

Note: Since no updated binary versions have been released, the
Quicktime libraries have been removed from the package. Please use the
free alternative Quicktime implementations within VLC, MPlayer or Xine
for playback.
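
The following is an added example and not part of the advisory or of
Gentoo's own tooling: a small POSIX shell check that classifies an
installed media-libs/win32codecs version against the unaffected
threshold above (">= 20071007-r2"), so that a fleet of hosts can be
triaged before the upgrade is run. It assumes version strings of the
form YYYYMMDD[-rN], the shape the advisory uses, and does not implement
full Portage version comparison; the check_host helper's reading of
/var/db/pkg is an assumption about the host layout and is only used when
that directory exists.

```shell
#!/bin/sh
# Added example, not from GLSA 200803-08: decide whether an installed
# media-libs/win32codecs version falls inside the vulnerable range
# "< 20071007-r2". Assumes versions look like YYYYMMDD or YYYYMMDD-rN.

# Split "20071007-r2" into its date part and its revision number
# (revision 0 when no -rN suffix is present). Prints "date revision".
split_version() {
    v=$1
    case "$v" in
        *-r*) echo "${v%%-r*} ${v##*-r}" ;;
        *)    echo "$v 0" ;;
    esac
}

# Return 0 (true) when $1 is strictly older than $2, else 1.
version_lt() {
    # shellcheck disable=SC2046  # word splitting is intended here
    set -- $(split_version "$1") $(split_version "$2")
    # $1=date_a  $2=rev_a  $3=date_b  $4=rev_b
    if [ "$1" -lt "$3" ]; then return 0; fi
    if [ "$1" -gt "$3" ]; then return 1; fi
    [ "$2" -lt "$4" ]
}

# Print "vulnerable" or "unaffected" for an installed version, given the
# first unaffected version from the advisory (default: 20071007-r2).
classify() {
    installed=$1
    unaffected=${2:-20071007-r2}
    if version_lt "$installed" "$unaffected"; then
        echo vulnerable
    else
        echo unaffected
    fi
}

# Optional live check on a Gentoo host: derive the installed version from
# the package database directory name (assumed layout /var/db/pkg/CAT/PN-PV).
check_host() {
    for dir in /var/db/pkg/media-libs/win32codecs-*; do
        if [ ! -d "$dir" ]; then
            echo "media-libs/win32codecs not installed"
            return 0
        fi
        classify "${dir##*/win32codecs-}"
    done
}

# Constructed sample inputs, exercised when the script is run directly.
for sample in 20060611 20071007 20071007-r1 20071007-r2 20080101; do
    printf '%s: %s\n' "$sample" "$(classify "$sample")"
done
```

Run it with `sh check-win32codecs.sh` to see the constructed samples
classified; on a Gentoo host, `check_host` reports the real installed
version. Because only versions below 20071007-r2 are flagged, a host
already carrying the revision that dropped the Quicktime libraries is
reported as unaffected even though it still has the package installed.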

References
==========

[ 1 ] CVE-2006-4382
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4382
[ 2 ] CVE-2006-4384
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4384
[ 3 ] CVE-2006-4385
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4385
[ 4 ] CVE-2006-4386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4386
[ 5 ] CVE-2006-4388
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4388
[ 6 ] CVE-2006-4389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4389
[ 7 ] CVE-2007-4674
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4674
[ 8 ] CVE-2007-6166
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6166

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200803-08.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHzc+AuhJ+ozIKI5gRAkBQAJ45BLSUrSDb21Ro/ZHEimwyzBpqqQCcD15e
VpxOGmsa3V34PILWdYXqoXE=
=70De
-----END PGP SIGNATURE-----