Bug 100777

Summary:	media-gfx/zgv < 5.9 has a vulnerability
Product:	Gentoo Security	Reporter:	Marcelo Goes (RETIRED) <vanquirius>
Component:	Auditing	Assignee:	Gentoo Security <security>
Status:	RESOLVED INVALID
Severity:	normal
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://www.svgalib.org/rus/zgv/
Whiteboard:
Package list:		Runtime testing required:	---

Description Marcelo Goes (RETIRED) gentoo-dev

2005-07-29 20:39:27 UTC

Hello guys,

I found this by chance browsing zgv's homepage.
It says, very clearly,

"WARNING: There is a known vulnerability in zgv 5.8 (and all previous versions)
such that suitably-constructed images can be made to run arbitrary commands when
viewed with zgv - not as root, but as the user running zgv. This still has the
potential to cause serious trouble, so I strongly recommend that existing users
upgrade to the current version."

At first glance, it looks related to
http://www.gentoo.org/security/en/glsa/glsa-200411-12.xml

I am working on a version bump.

Comment 1 Marcelo Goes (RETIRED) gentoo-dev

2005-07-29 20:51:11 UTC

I may have panicked too soon: it seems Gentoo's 5.8 version has its own fix.
Most of Gentoo's 5.8 patch was integrated upstream in 5.9.

I only wonder if 5.9 fixes possible vulnerabilities that Gentoo's patch did not
cover.

Comment 2 Thierry Carrez (RETIRED) gentoo-dev

2005-07-30 01:56:50 UTC

Setting to Auditing

Comment 3 Tim Yamin (RETIRED) gentoo-dev

2005-07-31 14:29:30 UTC

Our 5.8 fixes the heap issues as does 5.9; but 5.9 includes a few bugfixes and
hang fix or two so I'd just update but not GLSA it as it is not a security risk.
Thanks for reporting anyway.