411493 – <www-client/links-2.6 : Graphics Renderer and XBM Decoder Vulnerabilities

Bug 411493 - <www-client/links-2.6 : Graphics Renderer and XBM Decoder Vulnerabilities

Summary: <www-client/links-2.6 : Graphics Renderer and XBM Decoder Vulnerabilities

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://secunia.com/advisories/48689/
Whiteboard:	B2 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2012-04-10 18:17 UTC by Agostino Sarubbo
Modified:	2012-06-25 19:11 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2012-04-10 18:17:58 UTC

From secunia security advisory at $URL:

Description
Some vulnerabilities have been reported in Links, which can be exploited by malicious people to potentially compromise a user's system.

1) An unspecified error within the graphics renderer can be exploited to cause an out-of-bounds write.

2) An unspecified error within the XBM decoder can be exploited to cause out-of-bounds read and write.

The vulnerabilities are reported in versions prior to 2.6.


Solution
Update to version 2.6.

Comment 1 Samuli Suominen (RETIRED) gentoo-dev

2012-04-10 19:46:54 UTC

+*links-2.6 (10 Apr 2012)
+
+  10 Apr 2012; Samuli Suominen <ssuominen@gentoo.org> +links-2.6.ebuild,
+  metadata.xml:
+  Version bump wrt security #411493 (Graphics Renderer and XBM Decoder
+  Vulnerabilities). Missing %u in Exec= line to pass links to links -g, see
+  http://standards.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest
+  .html#exec-variables. USE="deprecated" as first step to get rid of the
+  deprecated links2 compability symlink whih is enabled by default for now.

Test and stabilize:

=www-client/links-2.6 "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Comment 2 Jeroen Roovers (RETIRED) gentoo-dev

2012-04-11 02:31:14 UTC

Stable for HPPA.

Comment 3 Jeff (JD) Horelick (RETIRED) gentoo-dev

2012-04-11 02:54:18 UTC

x86 stable

Comment 4 Maurizio Camisaschi (amd64 AT) 2012-04-12 11:19:29 UTC

amd64 ok

Comment 5 Agostino Sarubbo gentoo-dev

2012-04-13 09:17:34 UTC

amd64 stable

Comment 6 Markus Meier gentoo-dev

2012-04-14 15:11:58 UTC

arm stable

Comment 7 Raúl Porcel (RETIRED) gentoo-dev

2012-04-15 18:14:00 UTC

alpha/ia64/s390/sh/sparc stable

Comment 8 Brent Baude (RETIRED) gentoo-dev

2012-04-16 17:04:20 UTC

ppc done

Comment 9 Mark Loeser (RETIRED) gentoo-dev

2012-05-06 19:14:38 UTC

ppc64 done

Comment 10 Tim Sammut (RETIRED) gentoo-dev

2012-05-07 02:55:30 UTC

Thanks everyone. Added to existing GLSA request.

Comment 11 GLSAMaker/CVETool Bot gentoo-dev

2012-06-25 19:11:28 UTC

This issue was resolved and addressed in
 GLSA 201206-32 at http://security.gentoo.org/glsa/glsa-201206-32.xml
by GLSA coordinator Stefan Behte (craig).