GMime software package vulnerability

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201401-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: GMime: Arbitrary code execution
Date: January 21, 2014
Bugs: #308051
ID: 201401-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow error in GMime might allow remote attackers to
execute arbitrary code or cause a Denial of Service condition.

Background
==========

GMime is a C/C++ library which may be used for the creation and parsing
of messages using the Multipurpose Internet Mail Extension (MIME).

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-libs/gmime               < 2.4.15                  >= 2.4.15
                                                           *>= 2.4.17
                                                           *>= 2.2.26

Description
===========

GMime contains a buffer overflow flaw in the GMIME_UUENCODE_LEN macro
in gmime/gmime-encodings.h.
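
The advisory does not reproduce the macro, so the following is an added illustration of the bug class and not GMime's code: a length helper for uuencoded output has to charge the per-line length character and newline, not just the 3-to-4 byte expansion, and the encoder should refuse to write past the buffer it was given. All names (uu_bound, uu_naive, uu_encode, uu_fits) are hypothetical and the input bytes are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names for illustration; this is not GMime's code or API. */
#define UU_LINE_IN  45            /* raw bytes carried by one uuencoded line */
#define UU_LINE_OUT (1 + 60 + 1)  /* length char + 60 data chars + newline */

/* Safe upper bound on body size: every started line is charged in full. */
size_t uu_bound(size_t n) { return (n + UU_LINE_IN - 1) / UU_LINE_IN * UU_LINE_OUT; }
/* Under-estimate: counts the 3-to-4 expansion but not per-line overhead. */
size_t uu_naive(size_t n) { return (n + 2) / 3 * 4; }

static char uu_char(unsigned v) { v &= 0x3f; return v ? (char)(v + 0x20) : '`'; }

/* Encode in[0..n) into out[0..cap); returns bytes written, or (size_t)-1
 * when the next line would not fit. It never writes past cap. */
size_t uu_encode(const unsigned char *in, size_t n, char *out, size_t cap) {
    size_t o = 0;
    while (n > 0) {
        size_t len = n < UU_LINE_IN ? n : UU_LINE_IN;
        if (1 + (len + 2) / 3 * 4 + 1 > cap - o) return (size_t)-1;
        out[o++] = uu_char((unsigned)len);
        for (size_t i = 0; i < len; i += 3) {
            unsigned a = in[i];
            unsigned b = i + 1 < len ? in[i + 1] : 0;
            unsigned c = i + 2 < len ? in[i + 2] : 0;
            out[o++] = uu_char(a >> 2);
            out[o++] = uu_char((a << 4) | (b >> 4));
            out[o++] = uu_char((b << 2) | (c >> 6));
            out[o++] = uu_char(c);
        }
        out[o++] = '\n';
        in += len; n -= len;
    }
    return o;
}

/* Encode n constructed bytes into a cap-byte buffer; 1 if it fit, else 0. */
int uu_fits(size_t n, size_t cap) {
    static unsigned char in[512]; static char out[1024];
    if (n > sizeof in || cap > sizeof out) return 0;
    memset(in, 0xA5, n);
    return uu_encode(in, n, out, cap) != (size_t)-1;
}

int main(void) {
    for (size_t n = 44; n <= 46; n++)
        printf("n=%zu naive fits=%d bound fits=%d\n", n, uu_fits(n, uu_naive(n)), uu_fits(n, uu_bound(n)));
}
```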

Impact
======

A context-dependent attacker could possibly execute arbitrary code or
cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

GMime 2.4.x users on the PPC64 architecture should upgrade to the
latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/gmime-2.4.17"

GMime 2.4.x users on other architectures should upgrade to the latest
version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/gmime-2.4.15"

GMime 2.2.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/gmime-2.2.26"

Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying some of these
packages.

References
==========

[ 1 ] CVE-2010-0409
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0409

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201401-19.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
