Gentoo Archives: gentoo-announce

From: Sean Amoss <ackle@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201401-19 ] GMime: Arbitrary code execution
Date: Tue, 21 Jan 2014 19:29:40
Message-Id: 52DEC9B3.806@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 201401-19
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: GMime: Arbitrary code execution
9 Date: January 21, 2014
10 Bugs: #308051
11 ID: 201401-19
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 A buffer overflow error in GMime might allow remote attackers to
19 execute arbitrary code or cause a Denial of Service condition.
20
21 Background
22 ==========
23
24 GMime is a C/C++ library which may be used for the creation and parsing
25 of messages using the Multipurpose Internet Mail Extension (MIME).
26
27 Affected packages
28 =================
29
30 -------------------------------------------------------------------
31 Package / Vulnerable / Unaffected
32 -------------------------------------------------------------------
33 1 dev-libs/gmime < 2.4.15 >= 2.4.15
34 *>= 2.4.17
35 *>= 2.2.26
36
37 Description
38 ===========
39
40 GMime contains a buffer overflow flaw in the GMIME_UUENCODE_LEN macro
41 in gmime/gmime-encodings.h.
42
43 Impact
44 ======
45
46 A context-dependent attacker could possibly execute arbitrary code or
47 cause a Denial of Service condition.
48
49 Workaround
50 ==========
51
52 There is no known workaround at this time.
53
54 Resolution
55 ==========
56
57 GMime 2.4.x users on the PPC64 architecture should upgrade to the
58 latest version:
59
60 # emerge --sync
61 # emerge --ask --oneshot --verbose ">=dev-libs/gmime-2.4.17"
62
63 GMime 2.4.x users on other architectures should upgrade to the latest
64 version:
65
66 # emerge --sync
67 # emerge --ask --oneshot --verbose ">=dev-libs/gmime-2.4.15"
68
69 GMime 2.2.x users should upgrade to the latest version:
70
71 # emerge --sync
72 # emerge --ask --oneshot --verbose ">=dev-libs/gmime-2.2.26"
73
74 Packages which depend on this library may need to be recompiled. Tools
75 such as revdep-rebuild may assist in identifying some of these
76 packages.
77
78 References
79 ==========
80
81 [ 1 ] CVE-2010-0409
82 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0409
83
84 Availability
85 ============
86
87 This GLSA and any updates to it are available for viewing at
88 the Gentoo Security Website:
89
90 http://security.gentoo.org/glsa/glsa-201401-19.xml
91
92 Concerns?
93 =========
94
95 Security is a primary focus of Gentoo Linux and ensuring the
96 confidentiality and security of our users' machines is of utmost
97 importance to us. Any security concerns should be addressed to
98 security@g.o or alternatively, you may file a bug at
99 https://bugs.gentoo.org.
100
101 License
102 =======
103
104 Copyright 2014 Gentoo Foundation, Inc; referenced text
105 belongs to its owner(s).
106
107 The contents of this document are licensed under the
108 Creative Commons - Attribution / Share Alike license.
109
110 http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature