Date: Tue, 17 Mar 2009 00:17:50 +0100 From: Robert Buchholz <rbu@...too.org> To: oss-security@...ts.openwall.com Cc: Will Drewry <redpig@...rt.org>, cve@...too.org Subject: Re: [oCERT-2008-015] glib and glib-predecessor heap overflows On Thursday 12 March 2009, Will Drewry wrote: > #2008-015 glib and glib-predecessors heap overflows > > Description: > > Base64 encoding and decoding functions in glib suffer from > vulnerabilities during memory allocation which may result in > arbitrary code execution when processing large strings. A number of > other GNOME-related applications which predate glib are vulnerable > due to the commonality of this flawed code. ... > (older versions affected only) > libsoup < 2.2.x > libsoup < 2.24 > evolution-data-server < 2.24.5 Evolution Data Server is not affected since version 2.21.1, as it uses GLib's base64 functions. Obviously, using a vulnerable GLib with a current Evolution Data Server still presents a vulnerable setup -- however the advisory and CVE entry should not reflect that as a vulnerability in Evolution Data Server 2.21.1 to 2.24.5. References to changelog entries are in our bug report: https://bugs.gentoo.org/show_bug.cgi?id=262555 Robert Download attachment "signature.asc " of type "application/pgp-signature" (836 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.