Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 201289 - xfce-base/libxfce4util < 4.4.1-r1 Buffer overflow
Summary: xfce-base/libxfce4util < 4.4.1-r1 Buffer overflow
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on: 201747
  Show dependency tree
Reported: 2007-12-04 22:31 UTC by Christian Hoffmann (RETIRED)
Modified: 2008-03-06 09:56 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Christian Hoffmann (RETIRED) gentoo-dev 2007-12-04 22:31:29 UTC
Upstream changelog for version 4.4.2 lists:
  # Fix possible buffer overflow (reported by Vegard Nosum on the ml).

Don't have any further details, sorry ;)
Comment 1 Christoph Mende (RETIRED) gentoo-dev 2007-12-05 10:29:26 UTC
backported the fix to 4.4.1-r1
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-12-05 22:31:21 UTC
Arches, please test and mark stable xfce-base/libxfce4util-4.4.1-r1.
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86"
Comment 3 Christoph Mende (RETIRED) gentoo-dev 2007-12-05 23:03:13 UTC
amd64 stable
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2007-12-06 10:10:42 UTC
x86 stable
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2007-12-06 17:20:58 UTC
alpha/ia64/sparc stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2007-12-06 18:21:12 UTC
Stable for HPPA.
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2007-12-07 14:10:33 UTC
ppc64 stable
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2007-12-07 16:54:14 UTC
ppc stable
Comment 9 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-08 23:41:07 UTC
request filed, but we'll probably group all the xfce stuff into one glsa.
Comment 10 Samuli Suominen (RETIRED) gentoo-dev 2007-12-09 09:06:54 UTC
bug 201747
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2007-12-22 15:32:01 UTC
This is an off-by-one read operation on a stack-based buffer in the xfce_mkdirhier() function, reported by Vegard Nossum.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2007-12-22 15:48:22 UTC
I do not see how this could be exploited. Please reopen if you disagree.
Comment 13 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 09:56:36 UTC
Does not affect current (2008.0) release. Removing release.