|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Robert Buchholz (rbu
gentoo.org)
Date: Thu Sep 04 2008 - 14:09:04 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200809-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: yelp: User-assisted execution of arbitrary code
Date: September 04, 2008
Bugs: #234079
ID: 200809-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability in yelp can lead to the execution of arbitrary code
when opening a URI, for example through Firefox.
Background
==========
yelp is the default help browser for GNOME.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 gnome-extra/yelp < 2.22.1-r2 >= 2.22.1-r2
*>= 2.20.0-r1
Description
===========
Aaron Grattafiori reported a format string vulnerability in the
window_error() function in yelp-window.c.
Impact
======
A remote attacker can entice a user to open specially crafted "man:" or
"ghelp:" URIs in yelp, or an application using yelp such as Firefox or
Evolution, and execute arbitrary code with the privileges of that user.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All yelp users running GNOME 2.22 should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=gnome-extra/yelp-2.22.1-r2"
All yelp users running GNOME 2.20 should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=gnome-extra/yelp-2.20.0-r1"
References
==========
[ 1 ] CVE-2008-3533
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3533
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200809-01.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
securitygentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
iQIcBAABAgAGBQJIwDJlAAoJECaaHo/OfoM5CT0P/2MTLS3JNSw8mgKLFDYpx81u
jWxs8wDdDhERbE8ppbmWqOYDmnpYpYgi2yYV6/Ww62t+wAGUr5Clyyxh0esrSLQ4
A8M3vk9FqoriwCaKILtF/cpNUrpMOao15tCdUuxiCqdHwrq2sI/qohjSAgMCo0C8
hNmx0wPw0qKqbMLnKHRFhnF8d6A2byk0URrw754QfTZKx38NRaYzekH6gJYT7l/k
KDEKiWwANU6EN6rGY8ov85nUf7TuH6y4/W1UXdmXIOvQipnf1zh7kZW9vbcHthx6
/nGjY9TygO4Zhz9iERxVzhKXwGsfw1uC+216HHXpju8BToz++Eb6ahbXoW6q/tZa
cOrQokoTeizObqsGlz16VAMGJpCfs6h1FYCUT3PHTuPqdIRiIa3cFb+3MR9gA6RH
U7VuWQG7zZTNCZT5Vhl1PwvCBD4LfC0gd0M8GRgUHuc78XK4hb5WCqW3qsWphJQs
G0KpuOKKmT5J4rQzCf0vkAGtkdmbJjLl3vWyeg+wQdt+0/t9EJyIjY3DRlh1Erk8
vyTQYC685J59fu8YtzDS/5iCu4Fwswe/5UBEmIaX003fupIhxFA5Se0vW/VKZChd
yBvo05GvZbZC+cgk/srXOe0mQALtubS8r2xkdsnTdntE0+eHijybprdYoJlHRzna
6S5QBMLm1gkpPVAadZNP
=3Q/4
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]