oss-sec mailing list archives
Re: CVE id request: compface
From: Alex Legler <a3li () gentoo org>
Date: Fri, 03 Jul 2009 14:02:18 +0200
On Mon, 2009-06-29 at 13:48 +0200, Nico Golde wrote:
> Hi,
> there is a buffer overflow in compface:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534973
> http://milw0rm.org/exploits/8982

It seems that the vulnerability was introduced by a Debian patch [1] that somehow found its way into Fedora as well. I cannot find the relevant code in the Gentoo sources, nor does the PoC file cause any abnormal behaviour in our "vanilla" compface.

Steven, maybe you want to update the CVE description to limit the scope of the issue?

Thanks,
Alex

[1] http://patch-tracking.debian.net/patch/misc/view/libcompface/1:1.5.2-4/file.c