Fedora Extras dumb-package security update (CVE-2006-3668)

Hans de Goede j.w.r.degoede at hhs.nl
Mon Jul 31 19:26:12 UTC 2006


---------------------------------------------------------------------
Fedora Update Notification
FEDORA-EXTRAS-2006-003
---------------------------------------------------------------------
Product:    Fedora Extras [5 devel]
Name:       dumb
Version:    0.9.3
Release:    4
Summary:    IT, XM, S3M and MOD player library
Description:
IT, XM, S3M and MOD player library. Mainly targeted for use with the
allegro game programming library, but it can be used without allegro.
Faithful to the original trackers, especially IT.
---------------------------------------------------------------------
Update Information:

CVE ID: CVE-2006-3668

Luigi Auriemma discovered that DUMB, a tracker music library, performs
insufficient sanitising of values parsed from IT music files. A
heap-based buffer overflow in the it_read_envelope function in Dynamic
Universal Music Bibliotheque (DUMB) 0.9.3 and earlier, and in current
CVS as of 20060716, including libdumb, allows user-complicit attackers
to execute arbitrary code via a ".it" (Impulse Tracker) file containing
an envelope with a large number of nodes.

Fedora Extras versions 0.9.3-3 and earlier are vulnerable to this issue;
upgrade to 0.9.3-4 to fix this vulnerability.
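The defect class here is a file-supplied element count that is trusted when
copying into a fixed-size array. The following is an added illustration,
not DUMB's own it_read_envelope code: it models a simplified Impulse
Tracker-style envelope (a node-count byte followed by value/tick pairs, with
a fixed capacity of 25 nodes, which is an assumption for this example) and
shows the bounds check that turns an oversized node count into a parse
error instead of a heap overflow. The envelope_t layout, the 3-byte node
encoding and the helper names are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical envelope layout modelled loosely on an Impulse Tracker
 * instrument envelope: one node-count byte, then per node one signed value
 * byte and a little-endian 16-bit tick. The fixed capacity below is exactly
 * the assumption an unchecked reader relies on without verifying. */
#define ENV_MAX_NODES 25

typedef struct {
    uint8_t  n_nodes;
    int8_t   value[ENV_MAX_NODES];
    uint16_t tick[ENV_MAX_NODES];
} envelope_t;

/* Hardened reader. Returns 0 on success, -1 if the file claims more nodes
 * than the destination arrays can hold, or if the buffer is shorter than
 * the node data it claims. Without the first check, n up to 255 would be
 * used as a loop bound and the writes would run past value[]/tick[]. */
int read_envelope_checked(const uint8_t *buf, size_t len, envelope_t *env)
{
    if (len < 1)
        return -1;
    uint8_t n = buf[0];
    if (n > ENV_MAX_NODES)              /* the sanitising step that was missing */
        return -1;
    if (len < 1 + (size_t)n * 3)        /* truncated input: reject, do not over-read */
        return -1;

    env->n_nodes = n;
    for (size_t i = 0; i < n; i++) {
        env->value[i] = (int8_t)buf[1 + i * 3];
        env->tick[i]  = (uint16_t)(buf[2 + i * 3] | (buf[3 + i * 3] << 8));
    }
    return 0;
}

/* Builds a constructed sample in memory (not a real .it file) that claims
 * n_claimed nodes while actually carrying n_present node records, then
 * feeds it to the hardened reader. Returns the reader's result code. */
int parse_sample(uint8_t n_claimed, size_t n_present)
{
    uint8_t buf[1 + 3 * 255];           /* large enough for any 8-bit count */
    memset(buf, 0, sizeof buf);
    buf[0] = n_claimed;
    for (size_t i = 0; i < n_present && i < 255; i++) {
        uint16_t tick = (uint16_t)(i * 10);
        buf[1 + i * 3] = 32;                       /* constant envelope value */
        buf[2 + i * 3] = (uint8_t)(tick & 0xff);
        buf[3 + i * 3] = (uint8_t)(tick >> 8);
    }
    envelope_t env;
    return read_envelope_checked(buf, 1 + 3 * n_present, &env);
}

int main(void)
{
    printf("3 nodes, well-formed:   %d\n", parse_sample(3, 3));      /* 0  */
    printf("25 nodes, at capacity:  %d\n", parse_sample(25, 25));    /* 0  */
    printf("200 nodes, oversized:   %d\n", parse_sample(200, 200));  /* -1 */
    printf("3 claimed, 2 present:   %d\n", parse_sample(3, 2));      /* -1 */
    return 0;
}
```

The check against ENV_MAX_NODES is the fix the advisory describes in
general terms: every count read from the file must be compared with the
capacity of the structure it will be copied into before it is used as a
loop bound, and a short buffer must be rejected rather than read past.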
---------------------------------------------------------------------
This update can be installed with the 'yum' update program.  Use 'yum
update package-name' at the command line.  For more information, refer
to 'Managing Software with yum,' available at
http://fedora.redhat.com/docs/yum/
