- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200801-06:02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Xfce: Multiple vulnerabilities
      Date: January 09, 2008
   Updated: January 09, 2008
      Bugs: #201292, #201293
        ID: 200801-06:02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in Xfce might allow user-assisted attackers to
execute arbitrary code.

Background
==========

Xfce is a GTK+ 2 based desktop environment that allows a modern desktop
environment to run on modest hardware.

Affected packages
=================

    -------------------------------------------------------------------
     Package                  /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
  1  xfce-base/xfce4-panel         < 4.4.2                   >= 4.4.2
  2  xfce-base/libxfcegui4         < 4.4.2                   >= 4.4.2
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Gregory Andersen reported that the Xfce4 panel does not correctly
calculate memory boundaries, leading to a stack-based buffer overflow in
the launcher_update_panel_entry() function (CVE-2007-6531). Daichi
Kawahata reported that libxfcegui4 did not copy provided values when
creating "SessionClient" structs, possibly leading to access of freed
memory areas (CVE-2007-6532).

Impact
======

A remote attacker could entice a user to install a specially crafted
"rc" file to execute arbitrary code via long strings in the "Name" and
"Comment" fields, or via unspecified vectors involving the second
vulnerability.

Workaround
==========

There is no known workaround at this time.
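As an added illustration of the two defect classes named in the Description (hypothetical code written for this page, not Xfce's or Gentoo's): an rc-file field reader that bounds its copy into a fixed-size buffer and reports truncation, beside a SessionClient-style record that duplicates the strings it is given instead of keeping the caller's pointers. The names rc_read_field, session_client_* and the buffer sizes are assumptions.

```c
#define _POSIX_C_SOURCE 200809L  /* for strdup */
#include <stdlib.h>
#include <string.h>
/* Hypothetical illustration written for this page, not Xfce's code. */
/* Read "Key=value" from one rc-file line into a fixed-size buffer. At most
 * out_len-1 bytes are copied and the result is always NUL-terminated, so an
 * oversized Name/Comment value cannot overrun a stack buffer.
 * Returns 1 if the value fit, 0 if it was truncated, -1 if the key differs. */
int rc_read_field(const char *line, const char *key, char *out, size_t out_len)
{
    size_t klen = strlen(key);
    if (strncmp(line, key, klen) != 0 || line[klen] != '=')
        return -1;
    const char *val = line + klen + 1;
    size_t vlen = strcspn(val, "\r\n");      /* value ends at the newline */
    int fit = vlen < out_len;                /* room for the NUL as well? */
    if (!fit) vlen = out_len - 1;            /* bound the copy */
    memcpy(out, val, vlen);
    out[vlen] = '\0';
    return fit;
}

/* A session-client record that owns private copies of its strings. Keeping
 * only the caller's pointers would leave it dangling once they are freed. */
struct session_client { char *client_id; char *name; };
void session_client_free(struct session_client *sc)
{
    if (sc) { free(sc->client_id); free(sc->name); free(sc); }
}
struct session_client *session_client_new(const char *id, const char *name)
{
    struct session_client *sc = calloc(1, sizeof *sc);
    if (sc) { sc->client_id = strdup(id); sc->name = strdup(name); }
    if (!sc || !sc->client_id || !sc->name) {   /* clean up on failure */
        session_client_free(sc);
        return NULL;
    }
    return sc;
}

/* 1 if the record still holds valid data after the caller has freed the
 * string it was built from, 0 otherwise. */
int session_client_owns_data(void)
{
    char *tmp = strdup("xfce4-panel");           /* constructed sample */
    struct session_client *sc = session_client_new("client-1", tmp);
    free(tmp);                                   /* caller's copy is gone */
    int ok = sc && strcmp(sc->name, "xfce4-panel") == 0;
    session_client_free(sc);
    return ok;
}
```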
Resolution
==========

All Xfce4 panel users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=xfce-base/xfce4-panel-4.4.2"

All libxfcegui4 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=xfce-base/libxfcegui4-4.4.2"

Please refer to the Upgrading section of the Xfce Configuration Guide in
case you are upgrading from Xfce 4.2.

References
==========

  [ 1 ] CVE-2007-6531
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6531
  [ 2 ] CVE-2007-6532
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6532
  [ 3 ] Xfce Configuration Guide
        http://www.gentoo.org/doc/en/xfce-config.xml

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200801-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@xxxxxxxxxx or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5