Stack-based buffer overflow in MiMMS 0.0.9 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via the (1) send_command, (2) string_utf16, (3) get_data, and (4) get_media_packet functions, and possibly other functions.
The debian patch [1] adresses these multiple overflows but our code is really different. A piece of work is needed to have a working patch on Gentoo. [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=374577 Note that there is no stable ebuild for this one, so i change the severity to "trivial"/~2 (there will be no glsa)
CC'ing maintainer for advise.
libmms is under video herd but it's used only by gstreamer, foser is the maintainer and he isn't (AFAIK) in media-video alias.
Created attachment 91733 [details, diff] libmms_0.2-7-cumulative.diff This patch was sent by by Lo
Created attachment 91733 [details, diff] libmms_0.2-7-cumulative.diff This patch was sent by by Loïc Minier on xine-devel and should fix all the vulnerabilities currently released. If someone from gstreamer herd can patch this..
the patch looks fine to me, applied it here and it works afaics. I can't apply this myself before sunday however, so if anyone could do that for me it would be much appreciated.
i just put libmms-0.2-r1 in portage with the patch.
Thanks. Seems like this was never stable, so we can close without a GLSA.