
Bug 201289

Summary: xfce-base/libxfce4util < 4.4.1-r1 Buffer overflow
Product: Gentoo Security
Reporter: Christian Hoffmann (RETIRED) <hoffie>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: normal
CC: xfce
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.xfce.org/documentation/changelogs/4.4.2
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 201747    
Bug Blocks:    

Description Christian Hoffmann (RETIRED) gentoo-dev 2007-12-04 22:31:29 UTC
Upstream changelog for version 4.4.2 lists:
  # Fix possible buffer overflow (reported by Vegard Nosum on the ml).

Don't have any further details, sorry ;)
Comment 1 Christoph Mende (RETIRED) gentoo-dev 2007-12-05 10:29:26 UTC
backported the fix to 4.4.1-r1
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-12-05 22:31:21 UTC
Arches, please test and mark stable xfce-base/libxfce4util-4.4.1-r1.
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86"
Comment 3 Christoph Mende (RETIRED) gentoo-dev 2007-12-05 23:03:13 UTC
amd64 stable
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2007-12-06 10:10:42 UTC
x86 stable
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2007-12-06 17:20:58 UTC
alpha/ia64/sparc stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2007-12-06 18:21:12 UTC
Stable for HPPA.
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2007-12-07 14:10:33 UTC
ppc64 stable
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2007-12-07 16:54:14 UTC
ppc stable
Comment 9 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-08 23:41:07 UTC
request filed, but we'll probably group all the xfce stuff into one glsa.
Comment 10 Samuli Suominen (RETIRED) gentoo-dev 2007-12-09 09:06:54 UTC
bug 201747
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2007-12-22 15:32:01 UTC
This is an off-by-one read operation on a stack-based buffer in the xfce_mkdirhier() function, reported by Vegard Nossum.

http://thread.gmane.org/gmane.comp.desktop.xfce.devel.version4/14349
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2007-12-22 15:48:22 UTC
I do not see how this could be exploited. Please reopen if you disagree.
Comment 13 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 09:56:36 UTC
Does not affect current (2008.0) release. Removing release.