53903 2004-06-14 10:11 0000 app-emulation/vice-1.14 - monitor memory dump format string vulnerability 2004-06-16 07:54:23 0000 1 1 1 Unclassified Gentoo Linux Security unspecified All All RESOLVED FIXED http://www.trikaliotis.net/vicekb/vsa-2004-1 C2 [glsa] P2 normal --- 1 carlo@gentoo.org security@gentoo.org games@gentoo.org carlo@gentoo.org 2004-06-14 10:11:08 0000 There is a format string vulnerability in the handling of the monitor "memory dump" command. If the string to be output contains any % sign, it is interpreted as a command for the output, normally resulting in a crash. Even more sophisticated exploits, like arbitrary code execution on the host machine, are possible. http://www.trikaliotis.net/vicekb/vsa-2004-1 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0453 http://www.trikaliotis.net/vicekb/vice-1.14-mon-vuln.diff.gz koon@gentoo.org 2004-06-14 13:34:40 0000 CAN-2004-0453 games : it looks like app-emulation/vice is in your herd... Could you apply the provided patch and bump the ebuild ? Thanks. mr_bones_@gentoo.org 2004-06-14 17:47:00 0000 vice-1.14-r1.ebuild in CVS with the patch. Go ahead and close. jaervosz@gentoo.org 2004-06-15 14:39:04 0000 GLSA drafted: security please review. Note: - Changed the severity to low as a user have to type a specific string for this bug to be exploitable. Referenced advisory also rates severity as low. - CAN-2004-0453 reference is not included as it is still under review. mr_bones_@gentoo.org 2004-06-15 15:32:09 0000 Yeah, I don't know if it's worth sending out a glsa on this. There is no privilege escalation due to the bug in vice. It's basically the same as telling some noob to run a dangerous command from the command-line. koon@gentoo.org 2004-06-16 01:21:16 0000 aervosz and I agree for no GLSA on this one. Closing. wolf31o2@gentoo.org 2004-06-16 05:21:00 0000 Was it mentioned in the ChangeLog that there was a security fix? From what I have gathered from our users, silently fixing a security flaw, no matter how small, is bad in their eyes. I think it would probably be better to issue a GLSA mentioning the fact that the bug was only exploitable by a user to give privileges of the same user, and therefore of very low severity, but still a GLSA should be issued. After all, there *was* a security bug that has now been resolved. Is that not what a GLSA is for? *grin* koon@gentoo.org 2004-06-16 07:24:02 0000 A vulnerability requiring, to be exploited, that you type an esoteric command yourself is not really a vulnerability. It shouldn't have been a security bug in the first place. Otherwise bash and rm are vulnerable too, and should be masked :) If you still disagree, please comment. wolf31o2@gentoo.org 2004-06-16 07:54:23 0000 You're right. That isn't an "exploit" but rather a simple "bug" in the code.