Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 408209 (CVE-2012-1175) - <www-plugins/gnash-0.8.10-r2 buffer overflow (CVE-2012-1175)
Summary: <www-plugins/gnash-0.8.10-r2 buffer overflow (CVE-2012-1175)
Status: RESOLVED FIXED
Alias: CVE-2012-1175
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2012/q1/631
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks: CVE-2011-4328
  Show dependency tree
 
Reported: 2012-03-14 20:20 UTC by Sean Amoss (RETIRED)
Modified: 2012-09-08 15:36 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sean Amoss (RETIRED) gentoo-dev Security 2012-03-14 20:20:41 UTC
From the oss-sec mailing list at $URL:

An integer overflow leading to a heap-based buffer overflow was found
and fixed in Gnash.  Could a CVE be assigned to this flaw?

References:

http://git.savannah.gnu.org/cgit/gnash.git/commit/?id=bb4dc77eecb6ed1b967e3ecbce3dac6c5e6f1527
http://secunia.com/advisories/47183
https://bugzilla.redhat.com/show_bug.cgi?id=803443
Comment 1 Chí-Thanh Christopher Nguyễn gentoo-dev 2012-03-14 22:23:00 UTC
The patch for this security bug was applied in 0.8.10-r2.

Arches, please stabilize www-plugins/gnash-0.8.10-r2
Target keywords: amd64 ppc ~ppc64 ~sparc x86
Comment 2 Agostino Sarubbo gentoo-dev 2012-03-15 12:15:52 UTC
amd64 stable
Comment 3 Thomas Kahle (RETIRED) gentoo-dev 2012-03-21 16:46:07 UTC
x86 stable
Comment 4 Tomáš Chvátal (RETIRED) gentoo-dev 2012-05-16 11:34:59 UTC
ppc stable.
Comment 5 Tomáš Chvátal (RETIRED) gentoo-dev 2012-05-16 11:35:29 UTC
Whoops it is security bug, repening.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-07-09 23:32:44 UTC
This issue was resolved and addressed in
 GLSA 201207-08 at http://security.gentoo.org/glsa/glsa-201207-08.xml
by GLSA coordinator Sean Amoss (ackle).
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2012-09-08 15:36:12 UTC
CVE-2012-1175 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1175):
  Integer overflow in the GnashImage::size method in libbase/GnashImage.h in
  GNU Gnash 0.8.10 allows remote attackers to cause a denial of service
  (crash) and possibly execute arbitrary code via a crafted SWF file, which
  triggers a heap-based buffer overflow.