Date: Wed, 14 Jan 2009 10:08:00 +0100
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
Cc: oss-security@...ts.openwall.com
Subject: CVE Request -- amarok

Hello Steve,

multiple integer overflows (leading to heap-based overflows) and unchecked allocation vulnerabilities have been reported against the Amarok multimedia player when parsing malformed Audible digital audio files. Upstream has fixed these in the latest 2.0.1.l release.

References:
http://www.trapkit.de/advisories/TKADV2009-002.txt
http://amarok.kde.org/en/releases/184.108.40.206 (Fix possible buffer overflows when parsing Audible .aa files.)
https://bugzilla.redhat.com/show_bug.cgi?id=479946
http://bugs.gentoo.org/show_bug.cgi?id=254896

Proposed solution: Upgrade to the latest upstream version 220.127.116.11

Affected Amarok version: amarok-1.4.10-1.fc9 <= x < latest upstream 18.104.22.168 release

Also attaching a diff for the audibletag.cpp file between the latest F10 (amarok-2.0-2.fc10) and the latest upstream 22.214.171.124 release (see attachment).

Could you please allocate a new 2009 CVE id for it?

Thanks, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Content of type "text/x-patch" skipped