GLSA Advocate
Joined: 12 May 2004 Posts: 2663
Posted: Wed Jul 12, 2017 10:26 am Post subject: [ GLSA 201707-08 ] feh
Gentoo Linux Security Advisory
Title: feh: Arbitrary remote code execution (GLSA 201707-08)
Severity: normal
Exploitable: remote
Date: 2017-07-08
Updated: 2017-08-06
Bug(s): #616470
ID: 201707-08
Synopsis
A vulnerability in feh might allow remote attackers to execute
arbitrary code.
Background
feh is an X11 image viewer aimed mostly at console users.
Affected Packages
Package: media-gfx/feh
Vulnerable: < 2.18.3
Unaffected: >= 2.18.3
Architectures: All supported architectures
Description
Tobias Stoeckmann discovered that feh can be made to perform an
out-of-bounds heap write while processing an IPC message it receives from
another X client.
Impact
An attacker able to connect to the X server that feh is displayed on
(locally or remotely), by pretending to be the E17 window manager, could
trigger an out-of-bounds heap write in feh while it receives the IPC
message. This could result in execution of arbitrary code with the
privileges of the feh process or a Denial of Service condition.
Workaround
There is no known workaround at this time.
Resolution
All feh users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-gfx/feh-2.18.3"
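A quick way to confirm whether the feh on a machine falls inside the vulnerable range before or after running the emerge above. This is an added example, not part of the GLSA or of the feh project; it assumes GNU coreutils `sort -V` for version ordering and that `feh --version` prints a line starting with "feh version X.Y.Z", both labelled as assumptions in the comments.

```shell
# Added example (not from the advisory or feh): test an installed feh
# against the first fixed version named in GLSA 201707-08.
FEH_FIXED_VERSION="2.18.3"

# Return 0 (true) when version $1 is strictly older than FEH_FIXED_VERSION.
# Assumption: GNU coreutils `sort -V` is available for version ordering.
feh_is_vulnerable() {
    ver="$1"
    [ -n "$ver" ] || return 2
    # The smaller of the two versions sorts first; if that is ours and it
    # is not equal to the fixed version, we are below the fix.
    lowest=$(printf '%s\n%s\n' "$ver" "$FEH_FIXED_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$ver" ] && [ "$ver" != "$FEH_FIXED_VERSION" ]
}

# Pull the version out of the installed binary.
# Assumption: `feh --version` prints a line of the form "feh version 2.18.2".
feh_installed_version() {
    command -v feh >/dev/null 2>&1 || return 1
    feh --version 2>/dev/null | awk '/^feh version/ { print $3; exit }'
}

# Combine both: exit 1 (and say so) when the installed feh is affected.
check_installed_feh() {
    v=$(feh_installed_version) || { echo "feh is not installed"; return 0; }
    if feh_is_vulnerable "$v"; then
        echo "feh $v is affected by GLSA 201707-08 (CVE-2017-7875); upgrade to >= $FEH_FIXED_VERSION"
        return 1
    fi
    echo "feh $v is not affected by GLSA 201707-08"
}
```

Run `check_installed_feh` on the host in question; on Gentoo the package manager's own view (`emerge --pretend ">=media-gfx/feh-2.18.3"`) is authoritative, and the version test above is only a convenience for scripting the check across hosts.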
References
CVE-2017-7875
Last edited by GLSA on Fri Sep 29, 2017 4:16 am; edited 2 times in total