Home | Docs | Forums | Lists | Bugs | Planet | Store | GMN | Get Gentoo!
Not eligible to see or edit group visibility for this bug.
View Bug Activity | Format For Printing | XML | Clone This Bug
Caol
Caolán McNamara and Dom Lachowiczs wv library has been found to contain a buffer overflow condition that can be exploited through a specially crafted document. If an attacker can convince a user to open an exploit document in HTML mode using an application that builds upon the wv library, it is possible for the attacker to execute arbitrary code under the privileges of that user. iDEFENSE has confirmed the existence of this vulnerability in version 0.7.4, and a slight variant of this vulnerability in versions 0.7.5, 0.7.6 and 1.0.0. http://www.idefense.com/application/poi/display?id=115&type=vulnerabilities I'm not sure, who's the maintainer in this case - metadata.xml is missing.
forgot the patch url mentioned in the advisory: http://www.abisource.com/bonsai/cvsview2.cgi?diff_mode=context&whitespace_mode=show&root=/cvsroot&subdir=wv&command=DIFF_FRAMESET&root=/cvsroot&file=field.c&rev1=1.19&rev2=1.20
Marinus you have committed the last few new versions will you commit a patched ebuild? Also you might want to correct HOMEPAGE to point to the SF page.
added the patch + minor USE fix to the ebuild. Bumped to 1.0.0-r1 all stable (the fixes were minor and i guess this needs to go in).
Ready for a GLSA
GLSA 200407-11
