Very very minor IMHO, because it only crashes the application, which is not a server... so the impact is... ~ null Nonetheless, graphics team, can you bump out the 10.34 version ? Software: NetPBM 10.x Description: A vulnerability has been reported in NetPBM, which can be exploited by malicious people to cause a DoS (Denial of Service) . The vulnerability is caused due to an off-by-one boundary error within "pamtofits". This can be exploited to cause a single byte buffer overflow when processing a specially crafted input file. Successful exploitation crashes the application. Code execution has not been confirmed. However, this can't be ruled out completely. The vulnerability has been reported in versions 10.30 through 10.33. Solution: Update to version 10.34. http://sourceforge.net/project/showfiles.php?group_id=5128 Provided and/or discovered by: Reported by vendor. Original Advisory: http://sourceforge.net/project/shownotes.php?release_id=425770
tinderbox says it's used by mail-mta/courier and hylafax, for example, which are server apps.
10.34 in portage
Thanks Vapier; Hello arches, please mark stable -10.34
sparc stable.
ppc64 stable
x86 done
stable on alpha and amd64.
stable on hppa
ppc stable
time to vote. i would vote a half-no (half, because netpbm is used in other softwares)
Definite yes.
I vote no. Who/what server app would use *pamtofits* on untrusted input ?? It's not like if all NetPBM utilities were affected.
Voting NO and closing. Feel free to reopen if you disagree.
Attempting to update to netpbm-10.34 fails because it is dependant on features not available until GCC-4 which has at this time only been marked stable for HPPA and PPC.
