Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <5375482C.7020501@gmail.com>
Date: Fri, 16 May 2014 01:05:16 +0200
From: Frédéric Basse <basse.frederic@...il.com>
To: oss-security@...ts.openwall.com
Subject: [CVE-2014-2977] DirectFB integer signedness vulnerability

[CVE-2014-2977] DirectFB integer signedness vulnerability
________________________________________________________________________
Summary:
DirectFB is prone to an integer signedness vulnerability since
version 1.4.13.

The vulnerability can be triggered remotely without authentication
through Voodoo interface (network layer of DirectFB).
________________________________________________________________________
Details:
 This integer coercion error may lead to a stack overflow.
________________________________________________________________________
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
________________________________________________________________________
Disclosure Timeline:
2014-03-27 Developer notified
2014-04-21 CVE-2014-2977 assigned
2014-05-16 Public advisory
________________________________________________________________________
References:
http://www.directfb.org/
http://mail.directfb.org/pipermail/directfb-dev/2014-March/006805.html
________________________________________________________________________


Download attachment "signature.asc" of type "application/pgp-signature" (535 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.