Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 100777

Summary: media-gfx/zgv < 5.9 has a vulnerability
Product: Gentoo Security Reporter: Marcelo Goes (RETIRED) <vanquirius>
Component: AuditingAssignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.svgalib.org/rus/zgv/
Whiteboard:
Package list:
Runtime testing required: ---

Description Marcelo Goes (RETIRED) gentoo-dev 2005-07-29 20:39:27 UTC
Hello guys,

I found this by chance browsing zgv's homepage.
It says, very clearly,

"WARNING: There is a known vulnerability in zgv 5.8 (and all previous versions)
such that suitably-constructed images can be made to run arbitrary commands when
viewed with zgv - not as root, but as the user running zgv. This still has the
potential to cause serious trouble, so I strongly recommend that existing users
upgrade to the current version."

At first glance, it looks related to
http://www.gentoo.org/security/en/glsa/glsa-200411-12.xml

I am working on a version bump.
Comment 1 Marcelo Goes (RETIRED) gentoo-dev 2005-07-29 20:51:11 UTC
I may have panicked too soon: it seems Gentoo's 5.8 version has its own fix.
Most of Gentoo's 5.8 patch was integrated upstream in 5.9.

I only wonder if 5.9 fixes possible vulnerabilities that Gentoo's patch did not
cover.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-07-30 01:56:50 UTC
Setting to Auditing
Comment 3 Tim Yamin (RETIRED) gentoo-dev 2005-07-31 14:29:30 UTC
Our 5.8 fixes the heap issues as does 5.9; but 5.9 includes a few bugfixes and
hang fix or two so I'd just update but not GLSA it as it is not a security risk.
Thanks for reporting anyway.