Gentoo Forums
[ GLSA 200411-14 ] Kaffeine, gxine: Remotely exploitable buffer overflow
GLSA
Posted: Sun Nov 07, 2004 8:54 pm    Post subject: [ GLSA 200411-14 ] Kaffeine, gxine: Remotely exploitable buf

Gentoo Linux Security Advisory

Title: Kaffeine, gxine: Remotely exploitable buffer overflow (GLSA 200411-14)
Severity: normal
Exploitable: remote
Date: November 07, 2004
Updated: May 22, 2006
Bug(s): #69663, #70055
ID: 200411-14

Synopsis

Kaffeine and gxine both contain a buffer overflow that can be exploited when accessing content from a malicious HTTP server with specially crafted headers.

Background

Kaffeine and gxine are graphical front-ends for the xine-lib multimedia library.

Affected Packages

Package: media-video/kaffeine
Vulnerable: < 0.5_rc1-r1
Unaffected: >= 0.5_rc1-r1
Unaffected: >= 0.4.3b-r1 < 0.4.4
Architectures: All supported architectures

Package: media-video/gxine
Vulnerable: < 0.3.3-r1
Unaffected: >= 0.3.3-r1
Architectures: All supported architectures


Description

KF of Secure Network Operations has discovered an overflow that occurs during the Content-Type header processing of Kaffeine. The vulnerable code in Kaffeine is reused from gxine, making gxine vulnerable as well.

Impact

An attacker could send a specially crafted Content-Type header from a malicious HTTP server and crash a user's instance of Kaffeine or gxine, potentially allowing the execution of arbitrary code.

Workaround

There is no known workaround at this time.

Resolution

All Kaffeine users should upgrade to the latest version:

Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-video/kaffeine-0.4.3b-r1"

All gxine users should upgrade to the latest version:

Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-video/gxine-0.3.3-r1"


References

SecurityTracker Advisory
gxine Bug Report
CVE-2004-1034


Last edited by GLSA on Tue May 23, 2006 4:18 am; edited 2 times in total
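
The affected ranges from the advisory above, expressed as a version check. This is an added example, not part of the GLSA or of Portage; the comparison is a simplified subset of Gentoo's version ordering (plain integer components, at most one suffix), and the sample versions are constructed.

```python
import re

# Gentoo suffix order: _alpha < _beta < _pre < _rc < (no suffix) < _p
SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "": 0, "p": 1}
# Simplified subset of Gentoo version syntax (assumption of this example):
# dotted integers, optional letter, at most one suffix, optional -rN revision.
VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+)*)([a-z]?)(?:_(alpha|beta|pre|rc|p)(\d*))?(?:-r(\d+))?$")

# Ranges transcribed from the "Affected Packages" section of the advisory.
# "fixed" is the first unaffected version; "unaffected_ranges" are the
# additional half-open [low, high) ranges listed as unaffected.
ADVISORY = {
    "media-video/kaffeine": {"fixed": "0.5_rc1-r1",
                             "unaffected_ranges": [("0.4.3b-r1", "0.4.4")]},
    "media-video/gxine": {"fixed": "0.3.3-r1", "unaffected_ranges": []},
}

def version_key(version):
    """Map a version string to a tuple that sorts in version order."""
    match = VERSION_RE.match(version)
    if match is None:
        raise ValueError("unsupported version syntax: %r" % version)
    numbers, letter, suffix, suffix_num, revision = match.groups()
    return (tuple(int(n) for n in numbers.split(".")), letter,
            SUFFIX_RANK[suffix or ""], int(suffix_num or 0), int(revision or 0))

def is_vulnerable(package, version):
    """Return True if this package version falls in the vulnerable range."""
    entry = ADVISORY[package]
    key = version_key(version)
    for low, high in entry["unaffected_ranges"]:
        if version_key(low) <= key < version_key(high):
            return False
    return key < version_key(entry["fixed"])

if __name__ == "__main__":
    # Constructed sample versions, not taken from any real system.
    samples = [("media-video/kaffeine", "0.4.3b"),
               ("media-video/kaffeine", "0.4.3b-r1"),
               ("media-video/kaffeine", "0.4.4"),
               ("media-video/kaffeine", "0.5_rc1-r1"),
               ("media-video/gxine", "0.3.3")]
    for package, version in samples:
        state = "VULNERABLE" if is_vulnerable(package, version) else "unaffected"
        print("%s-%s: %s" % (package, version, state))
```

Note that kaffeine 0.4.4 is reported as vulnerable: the patched 0.4.3b-r1 range stops below 0.4.4, so the next unaffected version after it is 0.5_rc1-r1.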