Date: Tue, 17 Mar 2009 00:17:50 +0100
From: Robert Buchholz <rbu@...too.org>
To: oss-security@...ts.openwall.com
Cc: Will Drewry <redpig@...rt.org>,
 cve@...too.org
Subject: Re: [oCERT-2008-015] glib and glib-predecessor heap overflows

On Thursday 12 March 2009, Will Drewry wrote:
> #2008-015 glib and glib-predecessors heap overflows
>
> Description:
>
> Base64 encoding and decoding functions in glib suffer from
> vulnerabilities during memory allocation which may result in
> arbitrary code execution when processing large strings.  A number of
> other GNOME-related applications which predate glib are vulnerable
> due to the commonality of this flawed code.
...
> (older versions affected only)
> libsoup < 2.2.x
> libsoup < 2.24
> evolution-data-server < 2.24.5

Evolution Data Server is not affected since version 2.21.1, as it uses
GLib's base64 functions. Obviously, using a vulnerable GLib with a
current Evolution Data Server still presents a vulnerable setup --
however the advisory and CVE entry should not reflect that as a
vulnerability in Evolution Data Server 2.21.1 to 2.24.5.

References to changelog entries are in our bug report:
https://bugs.gentoo.org/show_bug.cgi?id=262555


Robert
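As an added illustration of the allocation bug class the quoted advisory names (constructed for this page; it is not glib's code and not part of the message above), the following C computes base64 output-buffer sizes in 32-bit unsigned arithmetic, where a very large input length wraps the result so the buffer that would then be allocated is far too small, next to checked variants that refuse or reorder the arithmetic. The size formulas and the sample input lengths are assumptions made for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration, not glib's code: base64 buffer sizes computed
 * in 32-bit unsigned arithmetic (as with a 32-bit size_t). A huge input
 * length wraps the result, and malloc() would then get a tiny request. */

/* Unchecked encode size: 4 output bytes per 3 input bytes, plus slack. */
uint32_t b64_encode_size_unchecked(uint32_t in_len)
{
    return (in_len / 3 + 1) * 4 + 4;        /* wraps once in_len/3+1 reaches 2^30 */
}

/* Unchecked decode size: 3 output bytes per 4 input bytes, plus NUL. */
uint32_t b64_decode_size_unchecked(uint32_t in_len)
{
    return in_len * 3 / 4 + 1;              /* in_len*3 wraps above UINT32_MAX/3 */
}

/* Checked encode size: refuse lengths whose result would not fit. */
bool b64_encode_size_checked(uint32_t in_len, uint32_t *out_len)
{
    uint32_t groups = in_len / 3 + 1;       /* at most 0x55555556, cannot wrap */
    if (groups > (UINT32_MAX - 4) / 4)      /* groups*4 + 4 would exceed UINT32_MAX */
        return false;
    *out_len = groups * 4 + 4;
    return true;
}

/* Checked decode size: divide first so the product can never wrap;
 * the result is still an upper bound on the decoded length. */
bool b64_decode_size_checked(uint32_t in_len, uint32_t *out_len)
{
    *out_len = (in_len / 4) * 3 + (in_len % 4 ? 3 : 0) + 1;
    return true;                            /* always representable in uint32_t */
}

int main(void)
{
    uint32_t big_enc = 3221225469u;         /* 3*(2^30-1): (n/3+1)*4 == 2^32 */
    uint32_t big_dec = 2863311531u;         /* n*3 == 2^33+1, so n*3/4 == 0 */
    uint32_t n;
    printf("encode %u bytes: unchecked wants %u, ", big_enc, b64_encode_size_unchecked(big_enc));
    printf("checked %s\n", b64_encode_size_checked(big_enc, &n) ? "ok" : "rejected");
    b64_decode_size_checked(big_dec, &n);
    printf("decode %u bytes: unchecked wants %u, checked wants %u\n", big_dec, b64_decode_size_unchecked(big_dec), n);
    return 0;
}
```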

