GLSA-200504-07 : GnomeVFS, libcdaudio: CDDB response overflow
High Nessus Plugin ID 18001
SynopsisThe remote Gentoo host is missing one or more security-related patches.
DescriptionThe remote host is affected by the vulnerability described in GLSA-200504-07 (GnomeVFS, libcdaudio: CDDB response overflow)
Joseph VanAndel has discovered a buffer overflow in Grip when processing large CDDB results (see GLSA 200503-21). The same overflow is present in GnomeVFS and libcdaudio code.
A malicious CDDB server could cause applications making use of GnomeVFS or libcdaudio libraries to crash, potentially allowing the execution of arbitrary code with the privileges of the user running the application.
There is no known workaround at this time.
SolutionAll GnomeVFS users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose gnome-base/gnome-vfs All libcdaudio users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose '>=media-libs/libcdaudio-0.99.10-r1'