GLSA Advocate
Posted: Sat Oct 26, 2013 8:26 pm Post subject: [ GLSA 201310-16 ] TPTEST: Arbitrary code execution
Gentoo Linux Security Advisory
Title: TPTEST: Arbitrary code execution (GLSA 201310-16)
Severity: normal
Exploitable: remote
Date: October 26, 2013
Bug(s): #261191
ID: 201310-16
Synopsis
Two buffer overflow vulnerabilities in TPTEST may allow remote
attackers to execute arbitrary code or cause Denial of Service.
Background
TPTEST is a tool to measure the speed of a user’s Internet connection.
Affected Packages
Package: net-analyzer/tptest
Vulnerable: < 3.1.7-r2
Unaffected: >= 3.1.7-r2
Architectures: All supported architectures
Description
The GetStatsFromLine() function in TPTEST is vulnerable to buffer
overflows from STATS lines with long email and pwd fields.
Impact
A remote attacker could send a specially-crafted STATS line, possibly
resulting in arbitrary code execution or a Denial of Service condition.
Workaround
There is no known workaround at this time.
Resolution
All TPTEST users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/tptest-3.1.7-r2"
References
CVE-2009-0650
CVE-2009-0659
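
The bug class named in the Description, fixed-size buffers filled from unbounded line fields, is avoided by checking each field's length before copying. The following is an added example, not TPTEST's code or the Gentoo patch; the "key=value;key=value" syntax, the FIELD_MAX size and the names copy_field and parse_stats_creds are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Assumed buffer size and "key=value;key=value" syntax; not TPTEST's own. */
#define FIELD_MAX 20
struct stats_creds { char email[FIELD_MAX]; char pwd[FIELD_MAX]; };

/* Copy the value of `key` from a ';'-separated line into out[outsz].
 * Returns 0 on success, -1 if absent, -2 if value plus NUL does not fit. */
static int copy_field(const char *line, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *p = line;

    if (outsz == 0)
        return -2;
    out[0] = '\0';
    while (*p != '\0') {
        size_t flen = strcspn(p, ";");          /* length of this field */
        if (flen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = flen - klen - 1;
            if (vlen >= outsz)
                return -2;                      /* reject, do not truncate */
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return 0;
        }
        p += flen;                              /* skip to the next field */
        if (*p == ';')
            p++;
    }
    return -1;
}

/* Parse both credential fields; an oversized field fails the whole line. */
static int parse_stats_creds(const char *line, struct stats_creds *c)
{
    int rc = copy_field(line, "email", c->email, sizeof c->email);
    return rc != 0 ? rc : copy_field(line, "pwd", c->pwd, sizeof c->pwd);
}

int main(void)
{
    struct stats_creds c;
    /* Constructed input: the pwd value is 40 bytes, larger than FIELD_MAX. */
    const char *bad = "email=a@example.org;pwd=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    return parse_stats_creds(bad, &c) == -2 ? 0 : 1;
}
```

Rejecting the line instead of truncating keeps a clipped credential from being treated as valid input.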