From Secunia ($URL):
Five vulnerabilities have been reported in FMOD Ex, which can be exploited by malicious people to compromise an application using the library.
The vulnerabilities are caused due to boundary errors within fmodex.dll in the processing of playlist files. These can be exploited to cause stack-based buffer overflows e.g. if an application opens a specially crafted .m3u file.
Successful exploitation allows execution of arbitrary code.
The vulnerabilities are reported in fmodex.dll version 0.4.6.16. Other versions may also be affected.
=media-libs/fmod-4.38.00 is now in Portage, so CCing amd64/x86 for stabilization.
@security: Please adjust the bug accordingly.
And because fmod is slotted, I've added this entry to package.mask and CCing games@ so they are informed:
# Samuli Suominen <firstname.lastname@example.org> (30 Oct 2011)
# Masked for security bug #294253, use only at your own risk!
It's up to games@ if they want to keep this mask indefinitely, or just simply remove them. I have no opinion.
Stable for amd64, thanks Agostino and Ian!
GLSA request filed.
- games-strategy/savage2-bin was removed because it wasn't compatible with the new media-libs/fmod
- games-strategy/savage-bin got masked for bundling a vulnerable copy of media-libs/fmod
This issue was resolved and addressed in
GLSA 201412-09 at http://security.gentoo.org/glsa/glsa-201412-09.xml
by GLSA coordinator Sean Amoss (ackle).