
GMime: Arbitrary code execution

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference: GLSA 201401-19 / gmime
Release Date: January 21, 2014
Latest Revision: January 21, 2014: 1
Impact: normal
Exploitable: local, remote

Package: dev-libs/gmime
Vulnerable versions: < 2.4.15
Unaffected versions: >= 2.4.15, revision >= 2.4.17, revision >= 2.2.26
Architecture(s): All supported architectures

Related bugreports: #308051

Synopsis

A buffer overflow error in GMime might allow remote attackers to execute arbitrary code or cause a Denial of Service condition.

2.  Impact Information

Background

GMime is a C/C++ library which may be used for the creation and parsing of messages using the Multipurpose Internet Mail Extension (MIME).

Description

GMime contains a buffer overflow flaw in the GMIME_UUENCODE_LEN macro in gmime/gmime-encodings.h.
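
The advisory does not reproduce the macro. The following added example (not GMime's code and not part of the original advisory) shows how a worst-case output length for uuencoded body lines can be derived and checked exhaustively against an encoder that enforces its output capacity. The names uu_bound, uu_encode and uu_bound_holds are hypothetical, and the code assumes the traditional uuencode line format of up to 45 input bytes per line, encoded in one call rather than streamed.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper, not GMime's macro: exact size of the uuencoded body of
 * n bytes. Per line: 1 length char + 4 chars per 3-byte group + '\n'. */
size_t uu_bound(size_t n) {
    size_t rest = n % 45, out = (n / 45) * 62;   /* full line: 1 + 60 + 1 */
    if (rest) out += 1 + ((rest + 2) / 3) * 4 + 1;
    return out;
}

#define UU(c) ((char)((c) ? ((c) & 0x3f) + ' ' : '`'))

/* Encode in[0..n) into out[0..cap). Returns bytes written, or (size_t)-1
 * without writing past cap when the caller's buffer is too small. */
size_t uu_encode(const unsigned char *in, size_t n, char *out, size_t cap) {
    size_t o = 0;
    while (n > 0) {
        size_t line = n < 45 ? n : 45;
        size_t need = 1 + ((line + 2) / 3) * 4 + 1;
        if (need > cap - o) return (size_t)-1;   /* checked before any write */
        out[o++] = UU(line);
        for (size_t i = 0; i < line; i += 3) {
            unsigned b0 = in[i];
            unsigned b1 = i + 1 < line ? in[i + 1] : 0;
            unsigned b2 = i + 2 < line ? in[i + 2] : 0;
            out[o++] = UU(b0 >> 2);
            out[o++] = UU(((b0 << 4) | (b1 >> 4)) & 0x3f);
            out[o++] = UU(((b1 << 2) | (b2 >> 6)) & 0x3f);
            out[o++] = UU(b2 & 0x3f);
        }
        out[o++] = '\n';
        in += line; n -= line;
    }
    return o;
}

/* Exhaustive check over every length 0..512: the bound is exact, and a
 * buffer one byte smaller is rejected. Returns 1 if all lengths pass. */
int uu_bound_holds(void) {
    static unsigned char in[512]; static char out[1024];
    memset(in, 0xA5, sizeof in);                 /* constructed sample input */
    for (size_t n = 0; n <= sizeof in; n++) {
        size_t b = uu_bound(n);
        if (uu_encode(in, n, out, b) != b) return 0;
        if (n && uu_encode(in, n, out, b - 1) != (size_t)-1) return 0;
    }
    return 1;
}
```

Checking a length formula against the encoder for every input length around the line boundaries (44, 45, 46 bytes and so on) is what catches a bound that is short by a few bytes.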

Impact

A context-dependent attacker could possibly execute arbitrary code or cause a Denial of Service condition.

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

GMime 2.4.x users on the PPC64 architecture should upgrade to the latest version:

Code Listing 3.1: Resolution

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/gmime-2.4.17"

GMime 2.4.x users on other architectures should upgrade to the latest version:

Code Listing 3.2: Resolution

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/gmime-2.4.15"

GMime 2.2.x users should upgrade to the latest version:

Code Listing 3.3: Resolution

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/gmime-2.2.26"

Packages which depend on this library may need to be recompiled. Tools such as revdep-rebuild may assist in identifying some of these packages.

4.  References




Page updated January 21, 2014

Summary: This is a Gentoo Linux Security Advisory

Security Team

Copyright 2001-2014 Gentoo Foundation, Inc.