Gentoo Archives: gentoo-announce

From: Raphael Marichez <falco@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200608-27 ] Motor: Execution of arbitrary code
Date: Thu, 07 Sep 2006 20:58:46
Message-Id: 200608291703.14750@msgid.falco.bz
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 200608-27
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: Motor: Execution of arbitrary code
9 Date: August 29, 2006
10 Bugs: #135020
11 ID: 200608-27
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 Motor uses a vulnerable ktools library, which could lead to the
19 execution of arbitrary code.
20
21 Background
22 ==========
23
24 Motor is a text mode based programming environment for Linux, with a
25 syntax highlighting feature, project manager, makefile generator, gcc
26 and gdb front-end, and CVS integration.
27
28 Affected packages
29 =================
30
31 -------------------------------------------------------------------
32 Package / Vulnerable / Unaffected
33 -------------------------------------------------------------------
34 1 dev-util/motor < 3.4.0-r1 *>= 3.3.0-r1
35 >= 3.4.0-r1
36
37 Description
38 ===========
39
40 In November 2005, Zone-H Research reported a boundary error in the
41 ktools library in the VGETSTRING() macro of kkstrtext.h, which may
42 cause a buffer overflow via an overly long input string.
43
44 Impact
45 ======
46
47 A remote attacker could entice a user to use a malicious file or input,
48 which could lead to the crash of Motor and possibly the execution of
49 arbitrary code.
50
51 Workaround
52 ==========
53
54 There is no known workaround at this time.
55
56 Resolution
57 ==========
58
59 All Motor 3.3.x users should upgrade to the latest version:
60
61 # emerge --sync
62 # emerge --ask --oneshot --verbose ">=dev-util/motor-3.3.0-r1"
63
64 All motor 3.4.x users should upgrade to the latest version:
65
66 # emerge --sync
67 # emerge --ask --oneshot --verbose ">=dev-util/motor-3.4.0-r1"
68
69 References
70 ==========
71
72 [ 1 ] CVE-2005-3863
73 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3863
74
75 Availability
76 ============
77
78 This GLSA and any updates to it are available for viewing at
79 the Gentoo Security Website:
80
81 http://security.gentoo.org/glsa/glsa-200608-27.xml
82
83 Concerns?
84 =========
85
86 Security is a primary focus of Gentoo Linux and ensuring the
87 confidentiality and security of our users machines is of utmost
88 importance to us. Any security concerns should be addressed to
89 security@g.o or alternatively, you may file a bug at
90 http://bugs.gentoo.org.
91
92 License
93 =======
94
95 Copyright 2006 Gentoo Foundation, Inc; referenced text
96 belongs to its owner(s).
97
98 The contents of this document are licensed under the
99 Creative Commons - Attribution / Share Alike license.
100
101 http://creativecommons.org/licenses/by-sa/2.5