| Summary: | net-misc/remmina: LZO Denial of Service and Arbitrary Code Execution through embedded code | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Yury German <blueknight> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | trivial | CC: | tristan |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://http://seclists.org/oss-sec/2014/q2/676 | | |
| Whiteboard: | ~3 [noglsa] | | |
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | | | |
| Bug Blocks: | 515246 | | |

Description
Yury German
2014-06-27 01:00:11 UTC
Remmina does not embed a copy of the LZO library in its source. The only problem I see is when remmina[freerdp] pulls freerdp[ffmpeg], which then pulls a vulnerable version of ffmpeg or libav. As previously stated, this issue does not reside directly in the source code, which I have confirmed. Dependencies introduce this through the FFmpeg library, which has been mitigated in bug 515282. Libav issues have been mitigated in bug 515234.