oss-sec mailing list archives

[CVE-2014-2977] DirectFB integer signedness vulnerability


From: Frédéric Basse <basse.frederic () gmail com>
Date: Fri, 16 May 2014 01:05:16 +0200

________________________________________________________________________
Summary:
DirectFB has been prone to an integer signedness vulnerability since
version 1.4.13.

The vulnerability can be triggered remotely, without authentication,
through the Voodoo interface (the network layer of DirectFB).
________________________________________________________________________
Details:
This integer coercion error may lead to a stack overflow.
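The coercion described above, shown on a constructed message parser. This is an added example and not DirectFB's Voodoo code: the message layout (a 32-bit little-endian length followed by payload), the 64-byte stack buffer and the function names are assumptions. The vulnerable check keeps the length signed, so a negative value passes the "too big" comparison and becomes a huge size_t at the memcpy; the hardened check rejects negative lengths before any conversion and also bounds the copy by the bytes actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* size of the handler's stack buffer (assumed) */

/* Constructed wire messages: 4-byte little-endian length, then payload.
   Not captured from DirectFB; the layout is an assumption for this demo. */
const uint8_t MSG_OK[]    = { 0x05, 0x00, 0x00, 0x00, 'h', 'e', 'l', 'l', 'o' };
const uint8_t MSG_NEG[]   = { 0xff, 0xff, 0xff, 0xff, 'A' };            /* length = -1 */
const uint8_t MSG_SHORT[] = { 0x0a, 0x00, 0x00, 0x00, 'a', 'b', 'c' };  /* claims 10 bytes, carries 3 */

static int32_t read_le32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* Vulnerable pattern: the length stays signed and the comparison is signed,
   so a negative value passes the "too big" check.  The copy itself is not
   performed here; the function returns the size_t that memcpy() would
   receive, so the demo cannot smash its own stack.  Returns 1 if the
   flawed check accepted the message, 0 otherwise. */
int vulnerable_length_check(const uint8_t *msg, size_t msglen, size_t *copy_len)
{
    if (msglen < 4)
        return 0;
    int32_t len = read_le32(msg);
    if (len > BUF_SIZE)          /* -1 > 64 is false: negative lengths slip through */
        return 0;
    *copy_len = (size_t)len;     /* -1 becomes SIZE_MAX; memcpy(buf, msg + 4, *copy_len) overruns buf */
    return 1;
}

/* Hardened version: reject negative lengths before any conversion, bound the
   copy by both the destination size and the bytes actually received, then
   copy.  Returns the number of bytes copied, or -1 on rejection. */
int hardened_copy(const uint8_t *msg, size_t msglen, uint8_t out[BUF_SIZE])
{
    if (msglen < 4)
        return -1;
    int32_t len = read_le32(msg);
    if (len < 0)
        return -1;
    size_t ulen = (size_t)len;   /* safe: len is non-negative here */
    if (ulen > BUF_SIZE || ulen > msglen - 4)
        return -1;
    memcpy(out, msg + 4, ulen);
    return (int)ulen;
}

int main(void)
{
    size_t n = 0;
    uint8_t out[BUF_SIZE];

    int accepted = vulnerable_length_check(MSG_NEG, sizeof MSG_NEG, &n);
    printf("vulnerable check on length -1: accepted=%d, memcpy size=%zu\n", accepted, n);
    printf("hardened copy of length -1:     %d\n", hardened_copy(MSG_NEG, sizeof MSG_NEG, out));
    printf("hardened copy of short message: %d\n", hardened_copy(MSG_SHORT, sizeof MSG_SHORT, out));
    printf("hardened copy of valid message: %d bytes\n", hardened_copy(MSG_OK, sizeof MSG_OK, out));
    return 0;
}
```

The order of the checks in hardened_copy is the point: the sign test must come before the cast to size_t, and the length must be compared against the bytes actually present in the message as well as against the buffer, otherwise a short message still leads to an over-read of the receive buffer.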
________________________________________________________________________
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
________________________________________________________________________
Disclosure Timeline:
2014-03-27 Developer notified
2014-04-21 CVE-2014-2977 assigned
2014-05-16 Public advisory
________________________________________________________________________
References:
http://www.directfb.org/
http://mail.directfb.org/pipermail/directfb-dev/2014-March/006805.html
________________________________________________________________________
