oss-sec mailing list archives
CVE Request -- amarok
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Wed, 14 Jan 2009 10:08:00 +0100
Hello Steve, multiple integer overflows (leading to heap-based overflows) and unchecked allocation vulnerabilities has been reported against Amarok multimedia player whep parsing malformed Audible digital audio files. Upstream has fixed these in latest 2.0.1.l release. References: http://www.trapkit.de/advisories/TKADV2009-002.txt http://amarok.kde.org/en/releases/2.0.1.1 (Fix possible buffer overflows when parsing Audible .aa files.) https://bugzilla.redhat.com/show_bug.cgi?id=479946 http://bugs.gentoo.org/show_bug.cgi?id=254896 Proposed solution: Upgrade to latest upstream version 2.0.1.1 Affected Amarok version: amarok-1.4.10-1.fc9 <= x < latest upstream 2.0.1.1 release Attaching also diff for audibletag.cpp file between latest F10 (amarok-2.0-2.fc10) and latest upstream 2.0.1.1 release (see attachment). Could you please allocate a new 2009 CVE id for it? Thanks, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Attachment:
_bin
Description:
Current thread:
- CVE Request -- amarok Jan Lieskovsky (Jan 14)
- Re: CVE Request -- amarok Marcus Meissner (Jan 19)
- Re: CVE Request -- amarok Tomas Hoger (Jan 19)
- Re: CVE Request -- amarok Marcus Meissner (Jan 19)
- Re: CVE Request -- amarok Steven M. Christey (Jan 20)
- Re: CVE Request -- amarok Tomas Hoger (Jan 19)
- Re: CVE Request -- amarok Marcus Meissner (Jan 19)