GLSA Advocate
Joined: 12 May 2004 Posts: 2663
|
Posted: Sun May 24, 2009 1:26 pm Post subject: [ GLSA 200905-02 ] Cscope: User-assisted execution of arbitr |
|
|
Gentoo Linux Security Advisory
Title: Cscope: User-assisted execution of arbitrary code (GLSA 200905-02)
Severity: normal
Exploitable: remote
Date: May 24, 2009
Bug(s): #263023
ID: 200905-02
Synopsis
Multiple vulnerabilities in Cscope might allow for the remote execution of
arbitrary code.
Background
Cscope is a developer's tool for browsing source code.
Affected Packages
Package: dev-util/cscope
Vulnerable: < 15.7a
Unaffected: >= 15.7a
Architectures: All supported architectures
Description
James Peach of Apple discovered a stack-based buffer overflow in
cscope's handling of long file system paths (CVE-2009-0148). Multiple
stack-based buffer overflows were reported in the putstring function
when processing an overly long function name or symbol in a source code
file (CVE-2009-1577).
Impact
A remote attacker could entice a user to open a specially crafted
source file, possibly resulting in the remote execution of arbitrary
code with the privileges of the user running the application.
Workaround
There is no known workaround at this time.
Resolution
All Cscope users should upgrade to the latest version:
Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=dev-util/cscope-15.7a" |
References
CVE-2009-0148
CVE-2009-1577
Last edited by GLSA on Mon Jun 23, 2014 4:28 am; edited 2 times in total |
|