
Fedora Extras dump-package security update (CVE-2006-3668)

From:  Hans de Goede <j.w.r.degoede-AT-hhs.nl>
To:  fedora-package-announce-AT-redhat.com
Subject:  Fedora Extras dump-package security update (CVE-2006-3668)
Date:  Mon, 31 Jul 2006 21:26:12 +0200

---------------------------------------------------------------------
Fedora Update Notification
FEDORA-EXTRAS-2006-003
---------------------------------------------------------------------
Product:    Fedora Extras [5 devel]
Name:       dumb
Version:    0.9.3
Release:    4
Summary:    IT, XM, S3M and MOD player library
Description:
IT, XM, S3M and MOD player library. Mainly targeted for use with the
allegro game programming library, but it can be used without allegro.
Faithful to the original trackers, especially IT.
---------------------------------------------------------------------
Update Information:

CVE ID: CVE-2006-3668

Luigi Auriemma discovered that DUMB, a tracker music library, performs
insufficient sanitising of values parsed from IT music files. This can
result in a heap-based buffer overflow in the it_read_envelope function
in Dynamic Universal Music Bibliotheque (DUMB) 0.9.3 and earlier and
current CVS as of 20060716, including libdumb, which allows user-complicit
attackers to execute arbitrary code via a ".it" (Impulse Tracker) file
with an envelope with a large number of nodes.
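The missing sanitising step described above, shown as an added illustration that is not DUMB's own it_read_envelope code nor the fix shipped in 0.9.3-4: a constructed IT-style envelope reader that checks the node count from the file against the fixed in-memory node array before copying anything into it, and also refuses a record whose declared nodes run past the end of the input. The record layout (one count byte followed by 3-byte nodes) and the 25-node envelope cap are assumptions for this example, as are the sample records, which are constructed rather than taken from any real .it file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the IT format stores at most 25 nodes per envelope, so the
 * in-memory node array is fixed at that size. A parser that trusts the
 * count byte from the file and copies that many nodes into this array
 * is the kind of overflow the advisory describes. */
#define IT_ENVELOPE_MAX_NODES 25

struct it_envelope_node {
    int8_t   value;   /* node level, signed in the IT format */
    uint16_t tick;    /* node position in ticks */
};

struct it_envelope {
    uint8_t node_count;
    struct it_envelope_node nodes[IT_ENVELOPE_MAX_NODES];
};

/* Parse one envelope record from a byte buffer. Assumed record layout
 * for this example: one count byte followed by node_count 3-byte nodes
 * (signed value, then little-endian 16-bit tick).
 * Returns 0 on success, -1 if the record is malformed or oversized. */
int parse_it_envelope(const uint8_t *buf, size_t len, struct it_envelope *env)
{
    if (buf == NULL || env == NULL || len < 1)
        return -1;

    uint8_t n = buf[0];

    /* The sanitising step: reject any count the fixed array cannot hold
     * BEFORE touching env->nodes. Without this, n up to 255 would write
     * well past the 25-entry array. */
    if (n > IT_ENVELOPE_MAX_NODES)
        return -1;

    /* Also refuse a record whose declared nodes run past the input, so a
     * truncated file cannot make us read beyond the buffer. */
    size_t need = 1 + (size_t)n * 3;
    if (len < need)
        return -1;

    memset(env, 0, sizeof *env);
    env->node_count = n;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *p = buf + 1 + i * 3;
        env->nodes[i].value = (int8_t)p[0];
        env->nodes[i].tick  = (uint16_t)(p[1] | (p[2] << 8));
    }
    return 0;
}

/* Constructed sample records (not taken from any real .it file). */

/* Well-formed: 3 nodes. Returns node_count on success, -1 on rejection. */
int demo_parse_valid(void)
{
    static const uint8_t rec[] = {
        3,
        0x40, 0x00, 0x00,   /* value 64, tick 0  */
        0x20, 0x10, 0x00,   /* value 32, tick 16 */
        0x00, 0x20, 0x00,   /* value 0,  tick 32 */
    };
    struct it_envelope env;
    if (parse_it_envelope(rec, sizeof rec, &env) != 0)
        return -1;
    return env.node_count;
}

/* Count byte claims 200 nodes: must be rejected regardless of payload. */
int demo_parse_oversized(void)
{
    static const uint8_t rec[] = { 200, 0x00, 0x00, 0x00 };
    struct it_envelope env;
    return parse_it_envelope(rec, sizeof rec, &env);
}

/* Count byte claims 4 nodes but only 2 are present: must be rejected. */
int demo_parse_truncated(void)
{
    static const uint8_t rec[] = { 4, 0x40, 0x00, 0x00, 0x20, 0x10, 0x00 };
    struct it_envelope env;
    return parse_it_envelope(rec, sizeof rec, &env);
}

int main(void)
{
    printf("valid:     %d nodes\n", demo_parse_valid());
    printf("oversized: %s\n", demo_parse_oversized() == -1 ? "rejected" : "ACCEPTED");
    printf("truncated: %s\n", demo_parse_truncated() == -1 ? "rejected" : "ACCEPTED");
    return 0;
}
```

The two checks are deliberately ordered: the count is compared against the array size first, then against the bytes actually available, and only then is anything written. Either check alone leaves a gap (a count within the array bound but beyond the input, or a count within the input but beyond the array).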

Fedora Extras versions 0.9.3-3 and earlier are vulnerable to this;
upgrade to 0.9.3-4 to fix this vulnerability.
---------------------------------------------------------------------
This update can be installed with the 'yum' update program.  Use 'yum
update package-name' at the command line.  For more information, refer
to 'Managing Software with yum,' available at
http://fedora.redhat.com/docs/yum/

_______________________________________________
Fedora-package-announce mailing list
Fedora-package-announce@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-package-ann...



Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds