From http://www.openwall.com/lists/oss-security/2014/05/15/9:

[CVE-2014-2977] DirectFB integer signedness vulnerability
________________________________________________________________________

Summary:
DirectFB is prone to an integer signedness vulnerability since version 1.4.13. The vulnerability can be triggered remotely without authentication through Voodoo interface (network layer of DirectFB).
________________________________________________________________________

Details:
This integer coercion error may lead to a stack overflow.
________________________________________________________________________

CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
________________________________________________________________________

Disclosure Timeline:
2014-03-27 Developer notified
2014-04-21 CVE-2014-2977 assigned
2014-05-16 Public advisory
________________________________________________________________________

References:
http://www.directfb.org/
http://mail.directfb.org/pipermail/directfb-dev/2014-March/006805.html
________________________________________________________________________

From http://www.openwall.com/lists/oss-security/2014/05/15/10:

[CVE-2014-2978] DirectFB remote out-of-bounds write vulnerability
________________________________________________________________________

Summary:
DirectFB is prone to an out-of-bound write vulnerability since version 1.4.4. The vulnerability can be triggered remotely without authentication through Voodoo interface (network layer of DirectFB).
________________________________________________________________________

Details:
An attacker can choose to overflow in the heap or the stack.
________________________________________________________________________

CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
________________________________________________________________________

Disclosure Timeline:
2014-03-27 Developer notified
2014-04-21 CVE-2014-2978 assigned
2014-05-16 Public advisory
________________________________________________________________________

References:
http://www.directfb.org/
http://mail.directfb.org/pipermail/directfb-dev/2014-March/006805.html
________________________________________________________________________

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
directfb is a bitchy package... I'd rather go for backporting the fixes and stabilizing 1.4.9-r2 but the only one who actually uses it seems to be vapier...
CVE-2014-2978 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2978):
The Dispatch_Write function in proxy/dispatcher/idirectfbsurface_dispatcher.c in DirectFB 1.4.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the Voodoo interface, which triggers an out-of-bounds write.

CVE-2014-2977 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2977):
Multiple integer signedness errors in the Dispatch_Write function in proxy/dispatcher/idirectfbsurface_dispatcher.c in DirectFB 1.4.13 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the Voodoo interface, which triggers a stack-based buffer overflow.

Commit message: Version bump
http://sources.gentoo.org/dev-libs/DirectFB/DirectFB-1.7.5.ebuild?rev=1.1
http://sources.gentoo.org/dev-libs/DirectFB/files/DirectFB-1.7.5-flags.patch?rev=1.1
@ Arches, please test and mark stable: =dev-libs/DirectFB-1.7.6
Stable on alpha.
amd64 stable
x86 stable
arm stable
*** Bug 601028 has been marked as a duplicate of this bug. ***
ppc stable
ppc64 stable
Stable for HPPA.
ia64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
vulnerable versions removed.
GLSA request filed.
(In reply to Markus Meier from comment #14)
> vulnerable versions removed.

I had to revert the removal of =dev-libs/DirectFB-1.4.9-r1 (fa0999c97caa29cbcbf0bb95cea7d769afeb0ec0) which is still needed for =media-libs/FusionSound-1.1.1-r1 (334b90c2fa85adcf5c2f4cbbd046d9cc24d1f248) to fix the Gentoo repository. A removal bug for media-libs/FusionSound was created as bug 606194.
This issue was resolved and addressed in GLSA 201701-55 at https://security.gentoo.org/glsa/201701-55 by GLSA coordinator Aaron Bauman (b-man).
Re-opened for cleanup.
Fusionsound no longer in tree.. please clean-up.
tree is clean: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7a05ee92d9ad72ca9594758747af4dfc1305adfb