From: Raphael Marichez
Organization: Gentoo Linux Security Team
To: gentoo-announce@lists.gentoo.org
Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk, security-alerts@linuxsecurity.com
Date: Tue, 12 Sep 2006 20:41:22 +0200
Subject: [gentoo-announce] [ GLSA 200609-06 ] AdPlug: Multiple vulnerabilities
Message-ID: <20060912184122.GA25748@ganesh.hsc.fr>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                          GLSA 200609-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: AdPlug: Multiple vulnerabilities
      Date: September 12, 2006
      Bugs: #139593
        ID: 200609-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple heap and buffer overflows exist in AdPlug.

Background
==========

AdPlug is a free, cross-platform, and hardware-independent AdLib sound
player library.

Affected packages
=================

    -------------------------------------------------------------------
     Package             /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  media-libs/adplug        < 2.0.1                          >= 2.0.1

Description
===========

AdPlug is vulnerable to buffer and heap overflows when processing the
following types of files: CFF, MTK, DMO, U6M, DTM, and S3M.

Impact
======

By enticing a user to load a specially crafted file, an attacker could
execute arbitrary code with the privileges of the user running AdPlug.

Workaround
==========

There are no known workarounds at this time.

Resolution
==========

All AdPlug users should update to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-libs/adplug-2.0.1"

References
==========

  [ 1 ] BugTraq Announcement
        http://www.securityfocus.com/archive/1/439432/30/0/threaded
  [ 2 ] CVE-2006-3581
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3581
  [ 3 ] CVE-2006-3582
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3582

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200609-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5