1. Gentoo Linux Security Advisory
| Advisory Reference | GLSA 200608-14 / dumb |
| Release Date | August 08, 2006 |
| Latest Revision | August 08, 2006: 01 |
| Impact | normal |
| Exploitable | remote |
| Package | Vulnerable versions | Unaffected versions | Architecture(s) |
| media-libs/dumb | < 0.9.3-r1 | >= 0.9.3-r1 | All supported architectures |
Related bugreports: #142387
A heap-based buffer overflow in DUMB could result in the execution of arbitrary code.
DUMB (Dynamic Universal Music Bibliotheque) is an IT, XM, S3M and MOD player library.
Luigi Auriemma found a heap-based buffer overflow in the it_read_envelope function which reads the envelope values for volume, pan and pitch of the instruments referenced in a ".it" (Impulse Tracker) file with a large number of nodes.
By enticing a user to load a malicious ".it" (Impulse Tracker) file, an attacker may execute arbitrary code with the rights of the user running the application that uses a vulnerable DUMB library.
There is no known workaround at this time.
All users of DUMB should upgrade to the latest version:
Code Listing 3.1: Resolution |
# emerge --sync # emerge --ask --oneshot --verbose ">=media-libs/dumb-0.9.3-r1" |