GLSA Bodhisattva
Joined: 13 Jun 2003 Posts: 4087 Location: Dresden, Germany
|
Posted: Tue Apr 27, 2004 7:33 am Post subject: [ GLSA 200404-19 ] Buffer overflows and format string vulner |
|
|
Gentoo Linux Security Advisory
Title: Buffer overflows and format string vulnerabilities in LCDproc (GLSA 200404-19)
Severity: normal
Exploitable: remote
Date: April 27, 2004
Bug(s): #47340
ID: 200404-19
Synopsis
Multiple remote vulnerabilities have been found in the LCDd server,
allowing execution of arbitrary code with the rights of the LCDd user.
Background
LCDproc is a program that displays various bits of real-time system
information on an LCD. It makes use of a local server (LCDd) to collect
information to display on the LCD.
Affected Packages
Package: app-misc/lcdproc
Vulnerable: <= 0.4.4-r1
Unaffected: >= 0.4.5
Architectures: All supported architectures
Description
Due to insufficient checking of client-supplied data, the LCDd server is
susceptible to two buffer overflows and one string buffer vulnerability. If
the server is configured to listen on all network interfaces (see the Bind
parameter in LCDproc configuration), these vulnerabilities can be triggered
remotely.
Impact
These vulnerabilities allow an attacker to execute code with the rights of
the user running the LCDproc server. By default, this is the "nobody" user.
Workaround
A workaround is not currently known for this issue. All users are advised
to upgrade to the latest version of the affected package.
Resolution
LCDproc users should upgrade to version 0.4.5 or later:
Code: | # emerge sync
# emerge -pv ">=app-misc/lcdproc-0.4.5"
# emerge ">=app-misc/lcdproc-0.4.5" |
References
LCDproc advisory
Last edited by GLSA on Sun Aug 12, 2012 4:16 am; edited 5 times in total |
|