Bugzilla – Bug 874723
VUL-0: CVE-2014-2892: libmms: get_answer() buffer overflow
Last modified: 2014-05-02 16:20:30 UTC
CVE-2014-2892 was assigned to this issue.

Description: (http://xforce.iss.net/xforce/xfdb/92640)
libmms is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the get_answer() function. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

Affected:
openSUSE:12.3 libmms-0.6.2
openSUSE:13.1 libmms-0.6.2

Upstream Fix:
http://sourceforge.net/p/libmms/code/ci/03bcfccc22919c72742b7338d02859962861e0e8

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2892
http://www.openwall.com/lists/oss-security/2014/04/18/14
http://www.securityfocus.com/bid/66933
http://sourceforge.net/p/libmms/code/ci/master/tree/ChangeLog
http://secunia.com/advisories/57875
http://xforce.iss.net/xforce/xfdb/92640
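As an added illustration (not libmms code and not the upstream fix), this is the bounded line reader a get_answer()-style routine needs when it copies a server reply byte by byte into a fixed-size buffer: an overlong line is rejected with an error instead of being written past the end of the buffer. The fake_socket type, the 64-byte limit and the sample replies are constructed for the demo.

```c
#include <string.h>
#define ANSWER_BUF_SIZE 64  /* constructed limit for the demo, not libmms's own */

/* Stands in for a socket: a constructed in-memory server reply. */
typedef struct { const char *data; size_t len; size_t pos; } fake_socket;

/* One-byte read, like recv(fd, &c, 1, 0); returns 0 at end of stream. */
static int fake_read_byte(fake_socket *s, char *out) {
    if (s->pos >= s->len) return 0;
    *out = s->data[s->pos++]; return 1;
}

/* Copy one line (up to '\n', CR stripped) into buf, NUL-terminated. Returns the
 * line length, -1 if the line would not fit, -2 if the stream ended early. */
static int read_line_bounded(fake_socket *s, char *buf, size_t buf_size) {
    size_t len = 0; char c;
    while (fake_read_byte(s, &c)) {
        if (c == '\n') {
            if (len > 0 && buf[len - 1] == '\r') len--;
            buf[len] = '\0';
            return (int)len;
        }
        /* The check an unbounded reader lacks: without it len grows past
         * buf_size and the store below writes outside the buffer. */
        if (len + 1 >= buf_size) return -1;
        buf[len++] = c;
    }
    return -2;
}

/* Walk the header lines of a reply until the blank line that ends them.
 * Returns the number of header lines, or the reader's negative error code. */
static int parse_reply_string(const char *reply) {
    fake_socket s = { reply, strlen(reply), 0 };
    char buf[ANSWER_BUF_SIZE]; int lines = 0;
    for (;;) {
        int n = read_line_bounded(&s, buf, sizeof buf);
        if (n <= 0) return n < 0 ? n : lines;
        lines++;
    }
}
/* Constructed replies: a well-formed one, and one whose header line is 200 bytes. */
static const char GOOD_REPLY[] =
    "HTTP/1.0 200 OK\r\nContent-Type: application/x-mms-framed\r\nPragma: no-cache\r\n\r\n";
static int demo_overlong(void) {
    char reply[256];
    memset(reply, 'A', 200);
    memcpy(reply + 200, "\r\n\r\n", 5);  /* copies the terminating NUL too */
    return parse_reply_string(reply);
}
```

The same length check belongs in any reader that accumulates network input into a fixed buffer, whether the buffer lives on the heap (as in the libmms report) or on the stack.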
For openSUSE 12.3 and 13.1: created OBS maintenance request id 231188. For openSUSE:Factory: created OBS request id 231189 to multimedia:libs. For SUSE:SLE-12:GA: created IBS request id 36678. I do not see this package in SLE10 and SLE11. Looking at the ChangeLog, it could also be safe to do a version update for SLE12.
bugbot adjusting priority
This is an autogenerated message for OBS integration: This bug (874723) was mentioned in https://build.opensuse.org/request/show/231256 Factory / libmms
openSUSE-SU-2014:0590-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 874723
CVE References: CVE-2014-2892
Sources used:
openSUSE 13.1 (src): libmms-0.6.2-13.4.1
openSUSE 12.3 (src): libmms-0.6.2-10.4.1
Fixed and released. Closing bug.