| Summary: | <net-libs/libgadu-1.11.4: memory corruption (CVE-2014-3775) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | net-im, reavertm |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.openwall.com/lists/oss-security/2014/05/15/8 | ||
| Whiteboard: | B2 [glsa cve] | ||
| Package list: | Runtime testing required: | --- | |
libgadu-1.11.4 and 1.12.0 are in tree. =net-libs/libgadu-1.11.4 should be stabilized also because of bug 505558. Being stabilized as part of bug #505558 CVE-2014-3775 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3775): libgadu before 1.11.4 and 1.12.0 before 1.12.0-rc3, as used in Pidgin and other products, allows remote Gadu-Gadu file relay servers to cause a denial of service (memory overwrite) or possibly execute arbitrary code via a crafted message. Arches, Thank you for your work Maintainer(s), please drop the vulnerable version(s). Added to existing GLSA Request This issue was resolved and addressed in GLSA 201508-02 at https://security.gentoo.org/glsa/201508-02 by GLSA coordinator Yury German (BlueKnight). |
From ${URL} : A crafted message from the file relay server may cause memory to beoverwritten. The memory is not overwritten with data sent directly by the server, but security implications cannot be ruled out. The bug is public: http://lists.ziew.org/pipermail/libgadu-devel/2014-May/001171.html http://lists.ziew.org/pipermail/libgadu-devel/2014-May/001180.html @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.