297373 – (CVE-2009-3994) media-libs/devil: Stack-based buffer overflow in GetUID() (CVE-2009-3994)

Bug 297373 (CVE-2009-3994) - media-libs/devil: Stack-based buffer overflow in GetUID() (CVE-2009-3994)

Summary: media-libs/devil: Stack-based buffer overflow in GetUID() (CVE-2009-3994)

Status:	RESOLVED INVALID

Alias:	CVE-2009-3994

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:	http://sourceforge.net/tracker/downlo...
Whiteboard:	B2 [ebuild]
Keywords:

Depends on:
Blocks:

Reported:	2009-12-18 01:11 UTC by Stefan Behte (RETIRED)
Modified:	2009-12-20 08:45 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stefan Behte (RETIRED) gentoo-dev

2009-12-18 01:11:51 UTC

CVE-2009-3994 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3994):
  Stack-based buffer overflow in the GetUID function in
  src-IL/src/il_dicom.c in DevIL 1.7.8 allows remote attackers to cause
  a denial of service (application crash) or execute arbitrary code via
  a crafted DICOM file.

Comment 1 Stefan Behte (RETIRED) gentoo-dev

2009-12-18 01:13:15 UTC

Patch in $URL.

Comment 2 Mr. Bones. (RETIRED) gentoo-dev

2009-12-18 07:07:22 UTC

That's not the version in portage.

Comment 3 Stefan Behte (RETIRED) gentoo-dev

2009-12-18 14:57:40 UTC

Description, versioning and product link fitted, but now further research showed that the tree is similar, but il_dicom.c is missing. I'm not sure why yet.

Comment 4 Alex Legler (RETIRED) archtester

2009-12-20 08:45:06 UTC

Our current version in the tree is not affected, only 1.7.8 is. Games, please remember to update to an unaffected version when bumping.