Bug#: 217986
Status: ASSIGNED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>
Description:   Opened: 2008-04-16 17:32 0000
CVE-2008-1771 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1771):
  Integer overflow in the ws_getpostvars function in Firefly Media Server
  (formerly mt-daapd) 0.2.4.1 (0.9~r1696-1.2 on Debian) allows remote attackers
  to cause a denial of service (crash) and possibly execute arbitrary code via
  an HTTP POST request with a large Content-Length.
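
The bug class named in the description, an allocation size derived from an unchecked Content-Length, shown next to a checked parse. This is an added example, not Firefly Media Server code or the upstream fix; the function names and the MAX_POST_BODY limit are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy limit for a POST body; not a value from the project. */
#define MAX_POST_BODY (64 * 1024)

/* Unchecked pattern, for contrast only: the header value is converted
 * and 1 is added for the terminator before any range check. With a
 * 32-bit unsigned int, 4294967295 + 1 wraps to 0, so the buffer is
 * sized 0 while a later read would still use the huge length. */
unsigned int alloc_size_unchecked(const char *value)
{
    unsigned int length = (unsigned int)strtoul(value, NULL, 10);
    return length + 1;
}

/* Checked parse: returns 0 and stores the body length, or -1 if the
 * value is empty, signed, non-numeric, out of range for long long, or
 * above MAX_POST_BODY. After success, *out + 1 cannot wrap. */
int parse_content_length(const char *value, size_t *out)
{
    char *end;
    long long n;

    if (value == NULL || *value < '0' || *value > '9')
        return -1;              /* rejects "", "-1", "+5", " 5" */
    errno = 0;
    n = strtoll(value, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;              /* overflowed or trailing junk */
    if (n > MAX_POST_BODY)
        return -1;              /* larger than the server accepts */
    *out = (size_t)n;
    return 0;
}

int main(void)
{
    /* Constructed sample header values. */
    const char *samples[] = { "1024", "4294967295", "-1", "12abc" };
    size_t len = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = parse_content_length(samples[i], &len);
        printf("%-12s -> %s\n", samples[i], rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```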

------- Comment #1 From Robert Buchholz 2008-04-17 19:50:48 0000 -------
nion proposed a fix for the 0.9 svn trunk.
http://people.debian.org/~nion/nmu-diff/mt-daapd-0.9~r1696-1.2_0.9~r1696-1.3.patch

------- Comment #2 From Robert Buchholz 2008-05-12 00:53:45 0000 -------
0.2.4.2 was released with a fix. Please update the ebuild

------- Comment #3 From Pierre-Yves Rofes 2008-07-06 21:04:16 0000 -------
(In reply to comment #2)
> 0.2.4.2 was released with a fix. Please update the ebuild
> 

*ping*

------- Comment #4 From Peter Alfredsen 2008-07-06 22:03:50 0000 -------
+*mt-daapd-0.2.4.2 (06 Jul 2008)
+
+  06 Jul 2008; Peter Alfredsen <loki_val@gentoo.org>
+  +files/mt-daapd-0.2.4.2-maintainer-mode.patch, +mt-daapd-0.2.4.2.ebuild:
+  Security bump for CVE-2008-1771 wrt bug #217986.
+
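Review bot: the entry lists +files/mt-daapd-0.2.4.2-maintainer-mode.patch, but the message only says "Security bump for CVE-2008-1771 wrt bug #217986" and never states what the maintainer-mode patch is for. Add a short clause describing its purpose so a reader of the ChangeLog can tell it apart from the security fix that arrives with the 0.2.4.2 version bump.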

------- Comment #5 From Robert Buchholz 2008-07-06 22:11:07 0000 -------
Arches, please test and mark stable:
=media-sound/mt-daapd-0.2.4.2
Target keywords : "amd64 arm ppc sh sparc x86"

------- Comment #6 From Markus Meier 2008-07-07 20:45:12 0000 -------
amd64/x86 stable

------- Comment #7 From Tobias Scherbaum 2008-07-08 17:02:14 0000 -------
ppc stable

------- Comment #8 From Raúl Porcel 2008-07-09 11:07:06 0000 -------
sparc stable

------- Comment #9 From Matthias Geerdsen 2008-07-09 11:11:33 0000 -------
arches stable... ready for GLSA

But there is still bug 204063; could someone please verify whether this version
is still affected by that issue or not? To me it appeared to be.

------- Comment #10 From Raúl Porcel 2008-09-27 16:25:09 0000 -------
arm/sh stable

------- Comment #11 From Raphael Marichez 2009-01-11 17:36:18 0000 -------
I would like to issue a GLSA for it, since the severity of the current bug is
higher than bug 204063.
