Date: Wed, 14 Jan 2009 10:08:00 +0100 From: Jan Lieskovsky <jlieskov@...hat.com> To: "Steven M. Christey" <coley@...us.mitre.org> Cc: oss-security@...ts.openwall.com Subject: CVE Request -- amarok Hello Steve, multiple integer overflows (leading to heap-based overflows) and unchecked allocation vulnerabilities has been reported against Amarok multimedia player whep parsing malformed Audible digital audio files. Upstream has fixed these in latest 2.0.1.l release. References: http://www.trapkit.de/advisories/TKADV2009-002.txt http://amarok.kde.org/en/releases/184.108.40.206 (Fix possible buffer overflows when parsing Audible .aa files.) https://bugzilla.redhat.com/show_bug.cgi?id=479946 http://bugs.gentoo.org/show_bug.cgi?id=254896 Proposed solution: Upgrade to latest upstream version 220.127.116.11 Affected Amarok version: amarok-1.4.10-1.fc9 <= x < latest upstream 18.104.22.168 release Attaching also diff for audibletag.cpp file between latest F10 (amarok-2.0-2.fc10) and latest upstream 22.214.171.124 release (see attachment). Could you please allocate a new 2009 CVE id for it? Thanks, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team Content of type "text/x-patch" skipped
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ