From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from lists.gentoo.org ([140.105.134.102] helo=robin.gentoo.org) by nuthatch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1GKzB3-0001Kn-T2 for garchives@archives.gentoo.org; Wed, 06 Sep 2006 15:18:58 +0000 Received: from robin.gentoo.org (localhost [127.0.0.1]) by robin.gentoo.org (8.13.8/8.13.6) with SMTP id k86FHJ7D016005; Wed, 6 Sep 2006 15:17:19 GMT Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by robin.gentoo.org (8.13.8/8.13.6) with ESMTP id k86Equn2019970 for ; Wed, 6 Sep 2006 14:52:56 GMT Received: from localhost (localhost [127.0.0.1]) by smtp.gentoo.org (Postfix) with ESMTP id 4B6B064850 for ; Wed, 6 Sep 2006 14:52:55 +0000 (UTC) Received: from smtp.gentoo.org ([127.0.0.1]) by localhost (smtp.gentoo.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 03675-18 for ; Wed, 6 Sep 2006 14:52:48 +0000 (UTC) Received: from pfepa.post.tele.dk (pfepa.post.tele.dk [195.41.46.235]) by smtp.gentoo.org (Postfix) with ESMTP id 688AB64834 for ; Wed, 6 Sep 2006 14:52:47 +0000 (UTC) Received: from dustyboots.home.coming.dk (unknown [83.88.175.88]) by pfepa.post.tele.dk (Postfix) with ESMTP id 0DC98FAC029; Wed, 6 Sep 2006 16:52:30 +0200 (CEST) From: Sune Kloppenborg Jeppesen To: gentoo-announce@lists.gentoo.org Subject: [gentoo-announce] [ GLSA 200609-01 ] Streamripper: Multiple remote buffer overflows Date: Wed, 6 Sep 2006 16:52:30 +0200 User-Agent: KMail/1.9.1 Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk, security-alerts@linuxsecurity.com Organization: Gentoo Linux Security Team X-GPG-Key: http://home.coming.dk/skj.pub.gpg Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-announce@gentoo.org MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart3949314.xcLMqoBtrO"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200609061652.30770.jaervosz@gentoo.org> X-Virus-Scanned: amavisd-new at gentoo.org X-Spam-Status: No, score=-2.329 required=5.5 tests=[AWL=0.270, BAYES_00=-2.599] X-Spam-Score: -2.329 X-Spam-Level: X-Archives-Salt: 6397edd9-4ed5-48bf-9d16-d060b6ddd0d6 X-Archives-Hash: b5c2576ca47209e6cd526a30f95298c7 --nextPart3949314.xcLMqoBtrO Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200609-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Streamripper: Multiple remote buffer overflows Date: September 06, 2006 Bugs: #144861 ID: 200609-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Streamripper is vulnerable to multiple remote buffer overflows, leading to the execution of arbitrary code. Background ========== Streamripper extracts and records individual MP3 file tracks from SHOUTcast streams. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 media-sound/streamripper < 1.61.26 >= 1.61.26 Description =========== Ulf Harnhammar, from the Debian Security Audit Project, has found that Streamripper is vulnerable to multiple stack based buffer overflows caused by improper bounds checking when processing malformed HTTP headers. Impact ====== By enticing a user to connect to a malicious server, an attacker could execute arbitrary code with the permissions of the user running Streamripper Workaround ========== There is no known workaround at this time. Resolution ========== All Streamripper users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=media-sound/streamripper-1.61.26" References ========== [ 1 ] CVE-2006-3124 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3124 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200609-01.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 --nextPart3949314.xcLMqoBtrO Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQBE/uCuzKC5hMHO6rkRAtgvAJoCWh2aYPKTqFqFRKrFQ4Ld5F6wjwCcCjR8 zMZ/WBWFsy+bRmRGjnXn8z4= =uVD7 -----END PGP SIGNATURE----- --nextPart3949314.xcLMqoBtrO-- -- gentoo-announce@gentoo.org mailing list