
Bug 255217 (CVE-2008-5262)

Summary: media-libs/devil<1.7.7 Multiple buffer overflows (CVE-2008-5262)
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: games, mr_bones_
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/secunia_research/2008-59/
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 258748
Bug Blocks:

Description Stefan Behte (RETIRED) gentoo-dev Security 2009-01-16 22:48:02 UTC
CVE-2008-5262 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5262):
  Multiple stack-based buffer overflows in the iGetHdrHeader function
  in src-IL/src/il_hdr.c in DevIL 1.7.4 allow context-dependent
  attackers to execute arbitrary code via a crafted Radiance RGBE file.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-01-18 12:15:46 UTC
The upstream patch is off-by-one, as reported by Nico Golde in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512122
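The two points above (stack-based overflows while reading a Radiance RGBE header, and a fix that was itself off by one) both come down to copying header text into a fixed stack buffer with the wrong bound. The following is an added, defender-oriented example of how such a header reader is bounded correctly; it is not DevIL's code or its patch. The limit `HDR_LINE_MAX`, the function names `read_hdr_line`, `parse_rgbe_header`, `rgbe_dims` and `rgbe_dims_overlong`, and the sample header bytes are all assumptions constructed for this example; the header layout (signature line, `KEY=value` lines, blank line, resolution line) follows the published RGBE format.

```c
#include <stdio.h>
#include <string.h>

/* Maximum header line length accepted, including the terminating NUL.
 * Assumed limit for this example, not a value taken from DevIL. */
#define HDR_LINE_MAX 128

enum hdr_status { HDR_OK = 0, HDR_EOF = 1, HDR_TOO_LONG = 2 };

/* Copy one header line from src (src_len bytes, starting at *pos) into the
 * fixed-size out buffer.  The bound is HDR_LINE_MAX - 1 so the NUL always
 * fits; using <= here, or dropping the -1, is the classic off-by-one that
 * turns a length check into a one-byte stack overwrite.  Over-long lines are
 * rejected rather than silently truncated. */
static enum hdr_status read_hdr_line(const unsigned char *src, size_t src_len,
                                     size_t *pos, char out[HDR_LINE_MAX])
{
    size_t n = 0;
    if (*pos >= src_len)
        return HDR_EOF;
    while (*pos < src_len && src[*pos] != '\n') {
        if (n >= HDR_LINE_MAX - 1)      /* leave room for the NUL */
            return HDR_TOO_LONG;
        out[n++] = (char)src[(*pos)++];
    }
    if (*pos < src_len)
        (*pos)++;                       /* consume the newline */
    out[n] = '\0';
    return HDR_OK;
}

/* Parse the text header of an RGBE file: signature, optional KEY=value
 * lines, a blank line, then a resolution line such as "-Y 512 +X 768".
 * Returns 0 on success and fills width/height; -1 on any malformed,
 * truncated or oversized input.  Checks are this example's own. */
int parse_rgbe_header(const unsigned char *data, size_t len,
                      unsigned *width, unsigned *height)
{
    char line[HDR_LINE_MAX];
    size_t pos = 0;

    if (read_hdr_line(data, len, &pos, line) != HDR_OK)
        return -1;
    if (strcmp(line, "#?RADIANCE") != 0 && strcmp(line, "#?RGBE") != 0)
        return -1;

    /* Skip header variables until the empty line that ends them. */
    for (;;) {
        enum hdr_status st = read_hdr_line(data, len, &pos, line);
        if (st != HDR_OK)
            return -1;                  /* EOF or over-long line: reject */
        if (line[0] == '\0')
            break;
    }

    if (read_hdr_line(data, len, &pos, line) != HDR_OK)
        return -1;
    /* Only the common top-down, left-to-right orientation is accepted. */
    if (sscanf(line, "-Y %u +X %u", height, width) != 2)
        return -1;
    if (*width == 0 || *height == 0 || *width > 65535 || *height > 65535)
        return -1;                      /* keep later size arithmetic sane */
    return 0;
}

/* Wrapper returning width * 100000 + height, or -1 when the header is rejected. */
long rgbe_dims(const unsigned char *data, size_t len)
{
    unsigned w, h;
    if (parse_rgbe_header(data, len, &w, &h) != 0)
        return -1;
    return (long)w * 100000L + h;
}

/* Constructed sample headers (not real files). */
static const unsigned char SAMPLE_GOOD[] =
    "#?RADIANCE\nFORMAT=32-bit_rle_rgbe\n\n-Y 4 +X 8\n";
static const unsigned char SAMPLE_TRUNC[] =
    "#?RADIANCE\nFORMAT=32-bit_rle_rgbe\n";

/* Builds a constructed header whose variable line far exceeds HDR_LINE_MAX,
 * the shape of input a fixed-buffer parser must refuse cleanly. */
long rgbe_dims_overlong(void)
{
    unsigned char buf[512];
    size_t n = 0;
    memcpy(buf + n, "#?RADIANCE\nCOMMENT=", 19); n += 19;
    memset(buf + n, 'A', 300);                    n += 300;
    memcpy(buf + n, "\n\n-Y 4 +X 8\n", 12);       n += 12;
    return rgbe_dims(buf, n);
}

int main(void)
{
    printf("good:     %ld\n", rgbe_dims(SAMPLE_GOOD, sizeof SAMPLE_GOOD - 1));
    printf("truncated:%ld\n", rgbe_dims(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC - 1));
    printf("overlong: %ld\n", rgbe_dims_overlong());
    return 0;
}
```

The design choice worth noting is that `read_hdr_line` never writes past `HDR_LINE_MAX - 1` and reports an over-long line as an error instead of truncating: a reader that truncates keeps the stack safe but can hand a later stage a header that no longer means what the file said, so rejecting is the safer contract for a decoder that is fed untrusted files.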
Comment 2 Mr. Bones. (RETIRED) gentoo-dev 2009-02-12 18:19:46 UTC
Added devil-1.7.7 to the tree and put in a stablereq bug (bug #258748).
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-02-12 19:39:19 UTC
*** Bug 258748 has been marked as a duplicate of this bug. ***
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-02-12 19:40:15 UTC
Arches, please test and mark stable:
=media-libs/devil-1.7.7
Target keywords : "amd64 ia64 ppc sparc x86"
Comment 5 Markus Meier gentoo-dev 2009-02-14 20:51:56 UTC
amd64/x86 stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2009-02-16 14:21:04 UTC
ia64/sparc stable
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2009-02-25 16:15:40 UTC
ppc stable
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2009-03-05 20:18:14 UTC
GLSA request filed.
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2009-03-06 22:45:40 UTC
GLSA 200903-04, thanks everyone, sorry about the delay.