Gentoo Logo

Buffer overflows and format string vulnerabilities in LCDproc

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200404-19 / lcdproc
Release Date April 27, 2004
Latest Revision April 27, 2004: 01
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
app-misc/lcdproc <= 0.4.4-r1 >= 0.4.5 All supported architectures

Related bugreports: #47340

Synopsis

Multiple remote vulnerabilities have been found in the LCDd server, allowing execution of arbitrary code with the rights of the LCDd user.

2.  Impact Information

Background

LCDproc is a program that displays various bits of real-time system information on an LCD. It makes use of a local server (LCDd) to collect information to display on the LCD.

Description

Due to insufficient checking of client-supplied data, the LCDd server is susceptible to two buffer overflows and one string buffer vulnerability. If the server is configured to listen on all network interfaces (see the Bind parameter in LCDproc configuration), these vulnerabilities can be triggered remotely.

Impact

These vulnerabilities allow an attacker to execute code with the rights of the user running the LCDproc server. By default, this is the "nobody" user.

3.  Resolution Information

Workaround

A workaround is not currently known for this issue. All users are advised to upgrade to the latest version of the affected package.

Resolution

LCDproc users should upgrade to version 0.4.5 or later:

Code Listing 3.1: Resolution

# emerge sync
# emerge -pv ">=app-misc/lcdproc-0.4.5"
# emerge ">=app-misc/lcdproc-0.4.5"

4.  References



Print

Page updated April 27, 2004

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.