[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] [oCERT-2008-015] glib and glib-predecessor heap overflows
From: Robert Buchholz <rbu () gentoo ! org>
Date: 2009-03-16 23:17:50
Message-ID: 200903170017.58197.rbu () gentoo ! org
[Download RAW message or body]
On Thursday 12 March 2009, Will Drewry wrote:
> #2008-015 glib and glib-predecessors heap overflows
>
> Description:
>
> Base64 encoding and decoding functions in glib suffer from
> vulnerabilities during memory allocation which may result in
> arbitrary code execution when processing large strings. A number of
> other GNOME-related applications which predate glib are vulnerable
> due to the commonality of this flawed code.
...
> (older versions affected only)
> libsoup < 2.2.x
> libsoup < 2.24
> evolution-data-server < 2.24.5
Evolution Data Server is not affected since version 2.21.1, as it uses
GLib's base64 functions. Obviously, using a vulnerable GLib with a
current Evolution Data Server still presents a vulnerable setup --
however the advisory and CVE entry should not reflect that as a
vulnerability in Evolution Data Server 2.21.1 to 2.24.5.
References to changelog entries are in our bug report:
https://bugs.gentoo.org/show_bug.cgi?id=262555
Robert
["signature.asc" (application/pgp-signature)]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic