GLSA
Bodhisattva
Joined: 25 Feb 2003
Posts: 3829
Location: Essen, Germany
|
 Posted: Sun Nov 07, 2004 8:54 pm Post subject: [ GLSA 200411-14 ] Kaffeine, gxine: Remotely exploitable buf |
 |
|
Gentoo Linux Security Advisory
Title: Kaffeine, gxine: Remotely exploitable buffer overflow (GLSA 200411-14)
Severity: normal
Exploitable: remote
Date: November 07, 2004
Updated: May 22, 2006
Bug(s): #69663, #70055
ID: 200411-14
Synopsis
Kaffeine and gxine both contain a buffer overflow that can be exploited when accessing content from a malicious HTTP server with specially crafted headers.
Background
Kaffeine and gxine are graphical front-ends for xine-lib multimedia library.
Affected Packages
Package: media-video/kaffeine
Vulnerable: < 0.5_rc1-r1
Unaffected: >= 0.5_rc1-r1
Unaffected: >= 0.4.3b-r1 < 0.4.4
Architectures: All supported architectures
Package: media-video/gxine
Vulnerable: < 0.3.3-r1
Unaffected: >= 0.3.3-r1
Architectures: All supported architectures
Description
KF of Secure Network Operations has discovered an overflow that occurs during the Content-Type header processing of Kaffeine. The vulnerable code in Kaffeine is reused from gxine, making gxine vulnerable as well.
Impact
An attacker could create a specially-crafted Content-type header from a malicious HTTP server, and crash a user's instance of Kaffeine or gxine, potentially allowing the execution of arbitrary code.
Workaround
There is no known workaround at this time.
Resolution
All Kaffeine users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=media-video/kaffeine-0.4.3b-r1" |
All gxine users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=media-video/gxine-0.3.3-r1" |
References
SecurityTracker Advisory
gxine Bug Report
CVE-2004-1034
Last edited by GLSA on Tue May 23, 2006 4:18 am; edited 2 times in total |
|
News & Announcements
