Gentoo Archives: gentoo-announce

From: Chris Reffett <creffett@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201312-09 ] cabextract: Multiple vulnerabilities
Date: Sat, 14 Dec 2013 22:53:19
Message-Id: 52ACE0C6.5000803@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 201312-09
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: cabextract: Multiple vulnerabilities
9 Date: December 14, 2013
10 Bugs: #329891
11 ID: 201312-09
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 Multiple vulnerabilities have been found in cabextract, allowing remote
19 attackers to execute arbitrary code or cause a Denial of Service
20 condition.
21
22 Background
23 ==========
24
25 cabextract is free software for extracting Microsoft cabinet files.
26
27 Affected packages
28 =================
29
30 -------------------------------------------------------------------
31 Package / Vulnerable / Unaffected
32 -------------------------------------------------------------------
33 1 app-arch/cabextract < 1.3 >= 1.3
34
35 Description
36 ===========
37
38 Multiple vulnerabilities have been discovered in cabextract. Please
39 review the CVE identifiers referenced below for details.
40
41 Impact
42 ======
43
44 A remote attacker could entice a user to open a specially-crafted
45 archive in a .cab file, related to the libmspack library, potentially
46 resulting in arbitrary code execution or a Denial of Service condition.
47
48 Workaround
49 ==========
50
51 There is no known workaround at this time.
52
53 Resolution
54 ==========
55
56 All cabextract users should upgrade to the latest version:
57
58 # emerge --sync
59 # emerge --ask --oneshot --verbose ">=app-arch/cabextract-1.3"
60
61 NOTE: This is a legacy GLSA. Updates for all affected architectures are
62 available since August 03, 2010. It is likely that your system is
63 already no longer affected by this issue.
64
65 References
66 ==========
67
68 [ 1 ] CVE-2010-2800
69 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2800
70 [ 2 ] CVE-2010-2801
71 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2801
72
73 Availability
74 ============
75
76 This GLSA and any updates to it are available for viewing at
77 the Gentoo Security Website:
78
79 http://security.gentoo.org/glsa/glsa-201312-09.xml
80
81 Concerns?
82 =========
83
84 Security is a primary focus of Gentoo Linux and ensuring the
85 confidentiality and security of our users' machines is of utmost
86 importance to us. Any security concerns should be addressed to
87 security@g.o or alternatively, you may file a bug at
88 https://bugs.gentoo.org.
89
90 License
91 =======
92
93 Copyright 2013 Gentoo Foundation, Inc; referenced text
94 belongs to its owner(s).
95
96 The contents of this document are licensed under the
97 Creative Commons - Attribution / Share Alike license.
98
99 http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature