Quoting Secunia from $URL: A vulnerability has been reported in abcm2ps, which can be exploited by malicious people to potentially compromise a user's system. The vulnerability is caused due to an error within the "getarena()" function in abc2ps.c when allocating memory. This can be exploited to potentially cause a heap-based buffer overflow when converting a specially crafted ABC file. Successful exploitation may allow execution of arbitrary code. The vulnerability is reported in versions prior to 5.9.13.
Sound: I see that we are several versions behind upstream and it's a leaf package. If you don't want to bump, please consider removal. CVE request: [oss-security] CVE Request -- Abcm2ps v5.9.12 -- multiple unspecified vulnerabilities (From: Jan Lieskovsky <jlieskov@redhat.com>=
20 Aug 2010; Samuli Suominen <ssuominen@gentoo.org> abcm2ps-5.9.15.ebuild: amd64 stable wrt #322859 *abcm2ps-5.9.15 (20 Aug 2010) 20 Aug 2010; Samuli Suominen <ssuominen@gentoo.org> +abcm2ps-5.9.15.ebuild: Version bump wrt #322859 by Alex Legler.
x86 stable
sparc stable
all arch's done, add sound@ back if you need something ->
GLSA Request filed.
CVE-2010-3441 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3441): Multiple buffer overflows in abcm2ps before 5.9.12 might allow remote attackers to execute arbitrary code via (1) a crafted input file, related to the PUT0 and PUT1 output macros; (2) a crafted input file, related to the trim_title function; and possibly (3) a long -O option on a command line.
CVE-2010-4744 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4744): Multiple unspecified vulnerabilities in abcm2ps before 5.9.13 have unknown impact and attack vectors, a different issue than CVE-2010-3441.
This issue was resolved and addressed in GLSA 201111-12 at http://security.gentoo.org/glsa/glsa-201111-12.xml by GLSA coordinator Alex Legler (a3li).
