Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 507822 (CVE-2014-2892) - <media-libs/libmms-0.6.4: MMSH Server Response Parsing Buffer Overflow Vulnerability (CVE-2014-2892)
Summary: <media-libs/libmms-0.6.4: MMSH Server Response Parsing Buffer Overflow Vulner...
Alias: CVE-2014-2892
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa cve]
Depends on:
Reported: 2014-04-16 12:34 UTC by Agostino Sarubbo
Modified: 2016-12-11 23:58 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-04-16 12:34:08 UTC
From ${URL} :


A vulnerability has been reported in libmms, which can be exploited by malicious people to compromise an application using the library.

The vulnerability is caused due to a boundary error within the "get_answer()" function (src/mmsh.c) when handling MMS-over-HTTP server response, which can be exploited to cause a heap-based buffer overflow via a specially crafted response containing an overly long line.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in versions prior to 0.6.4.

Update to version 0.6.4.

Provided and/or discovered by:
The vendor credits Alex Chapman.

Original Advisory:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Patrick McLean gentoo-dev 2014-04-25 17:17:47 UTC
media-libs/libmms-0.6.4 is in the tree. It should be ok to test/stabilize right away.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-10-14 21:27:47 UTC
CVE-2014-2892 (
  Heap-based buffer overflow in the get_answer function in mmsh.c in libmms
  before 0.6.4 allows remote attackers to execute arbitrary code via a long
  line in an MMS over HTTP (MMSH) server response.
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-22 09:24:56 UTC
@arches, please stabilize:

Comment 4 Agostino Sarubbo gentoo-dev 2016-03-22 14:33:49 UTC
amd64 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2016-03-26 09:09:53 UTC
Stable for HPPA PPC64.
Comment 6 Agostino Sarubbo gentoo-dev 2016-03-27 10:16:38 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-04-11 10:39:14 UTC
x86 stable
Comment 8 Tobias Klausmann gentoo-dev 2016-05-20 11:28:05 UTC
Stable on alpha.
Comment 9 Agostino Sarubbo gentoo-dev 2016-07-08 10:03:25 UTC
sparc stable.

Maintainer(s), please cleanup.
Comment 10 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-11-11 09:01:13 UTC
@maintainer(s), please clean the vulnerable versions.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2016-12-11 23:58:29 UTC
This issue was resolved and addressed in
 GLSA 201612-29 at
by GLSA coordinator Kristian Fiskerstrand (K_F).