oss-sec mailing list archives
Re: [oCERT-2008-015] glib and glib-predecessor heap overflows
From: Robert Buchholz <rbu () gentoo org>
Date: Tue, 17 Mar 2009 00:17:50 +0100
On Thursday 12 March 2009, Will Drewry wrote:
#2008-015 glib and glib-predecessors heap overflows Description: Base64 encoding and decoding functions in glib suffer from vulnerabilities during memory allocation which may result in arbitrary code execution when processing large strings. A number of other GNOME-related applications which predate glib are vulnerable due to the commonality of this flawed code.
...
(older versions affected only) libsoup < 2.2.x libsoup < 2.24 evolution-data-server < 2.24.5
Evolution Data Server is not affected since version 2.21.1, as it uses GLib's base64 functions. Obviously, using a vulnerable GLib with a current Evolution Data Server still presents a vulnerable setup -- however the advisory and CVE entry should not reflect that as a vulnerability in Evolution Data Server 2.21.1 to 2.24.5. References to changelog entries are in our bug report: https://bugs.gentoo.org/show_bug.cgi?id=262555 Robert
Attachment:
signature.asc
Description: This is a digitally signed message part.
Current thread:
- [oCERT-2008-015] glib and glib-predecessor heap overflows Will Drewry (Mar 12)
- Re: [oCERT-2008-015] glib and glib-predecessor heap overflows Robert Buchholz (Mar 16)