Bug 297373 (CVE-2009-3994)

Summary: media-libs/devil: Stack-based buffer overflow in GetUID() (CVE-2009-3994)
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: normal
CC: games
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://sourceforge.net/tracker/download.php?group_id=4470&atid=304470&file_id=353841&aid=2908728
Whiteboard: B2 [ebuild]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2009-12-18 01:11:51 UTC
CVE-2009-3994 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3994):
  Stack-based buffer overflow in the GetUID function in
  src-IL/src/il_dicom.c in DevIL 1.7.8 allows remote attackers to cause
  a denial of service (application crash) or execute arbitrary code via
  a crafted DICOM file.
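The bug class named in the CVE text, a fixed-size stack buffer filled with a length taken from the file, is illustrated below with an added example. It is not DevIL's GetUID() and not the patch linked above; the element layout (explicit-VR little-endian DICOM element with VR "UI": 2-byte group, 2-byte element, "UI", 2-byte length, value), the 64-byte buffer size, and the function and sample names are assumptions for the illustration. The checked reader rejects any length that does not fit the buffer or the input before copying.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not DevIL code. Reads one explicit-VR little-endian DICOM
   element with VR "UI" (a UID string). Layout assumed for the illustration:
   2-byte group, 2-byte element, "UI", 2-byte length, then the value. */

#define UID_BUF_LEN 64  /* assumed size of the fixed stack buffer */

/* Little-endian 16-bit read. */
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Returns 0 and copies the NUL-terminated UID into out on success, -1 when
   the element is malformed or its value does not fit.
   The unchecked pattern described in the CVE text would be, in effect:
       char uid[64]; memcpy(uid, value, len);
   with len taken from the file and never compared to sizeof uid, so a
   crafted length (up to 65535 here) overruns the stack frame. */
int read_uid_element(const uint8_t *elem, size_t elem_len, char *out, size_t out_len)
{
    char uid[UID_BUF_LEN];                     /* the stack buffer being protected */
    if (elem_len < 8) return -1;               /* header incomplete */
    if (elem[4] != 'U' || elem[5] != 'I') return -1;  /* not a UID element */
    uint16_t len = rd16(elem + 6);             /* file-controlled length field */
    if (len >= sizeof uid) return -1;          /* must leave room for the NUL */
    if ((size_t)len > elem_len - 8) return -1; /* value would run past the input */
    memcpy(uid, elem + 8, len);
    uid[len] = '\0';
    if (out_len < (size_t)len + 1) return -1;  /* caller's buffer too small */
    memcpy(out, uid, (size_t)len + 1);
    return 0;
}

/* Constructed sample: tag (0008,0016), VR "UI", length 6, value "1.2.84". */
static const uint8_t good_elem[] = {
    0x08, 0x00, 0x16, 0x00, 'U', 'I', 0x06, 0x00, '1', '.', '2', '.', '8', '4'
};
/* Constructed sample: same header, but the length field claims 0x0100 = 256
   bytes, which the unchecked pattern would copy into a 64-byte buffer. */
static const uint8_t oversized_elem[] = {
    0x08, 0x00, 0x16, 0x00, 'U', 'I', 0x00, 0x01, 'x', 'x'
};

/* Runs both samples through the checked reader; returns 1 when the good
   element is accepted and the oversized one rejected. */
int demo(void)
{
    char out[UID_BUF_LEN];
    int ok  = read_uid_element(good_elem, sizeof good_elem, out, sizeof out);
    int bad = read_uid_element(oversized_elem, sizeof oversized_elem, out, sizeof out);
    printf("good element: %d (%s), oversized element: %d\n", ok, ok == 0 ? out : "-", bad);
    return ok == 0 && bad == -1;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The two checks are deliberately separate: the first bounds the copy against the destination buffer, the second against the bytes actually present in the input, so a truncated file is rejected for the same reason as an oversized length field rather than reading past the end of the mapped data.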
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-12-18 01:13:15 UTC
Patch in $URL.
Comment 2 Mr. Bones. (RETIRED) gentoo-dev 2009-12-18 07:07:22 UTC
That's not the version in portage.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-12-18 14:57:40 UTC
Description, versioning and product link fitted, but now further research showed that the tree is similar, but il_dicom.c is missing. I'm not sure why yet.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-12-20 08:45:06 UTC
Our current version in the tree is not affected, only 1.7.8 is. Games, please remember to update to an unaffected version when bumping.