Bug#520046: glib2.0: CVE-2008-4316 large string vulnerability

Michael Gilbert michael.s.gilbert at gmail.com
Tue Mar 17 01:02:14 UTC 2009


package: glib2.0
severity: grave
tags: security

it has been found that libsoup is vulnerable to an integer overflow
attack, see CVE-2008-4316 [1].  details are:

  Multiple integer overflows in glib/gbase64.c in GLib before 2.20 allow
  context-dependent attackers to execute arbitrary code via a long
  string that is converted either (1) from or (2) to a base64
  representation.

since this potentially allows remote attackers to execute arbitrary
code, it should be treated with high urgency.

this was just fixed in ubuntu, so it may be possible to adopt their
patch [2].

note that bug #520039 in libsoup is related (an exact code copy).

if you fix these vulnerabilities, please make sure to include the CVE
id in your changelog.  please contact the security team to coordinate
a fix for stable and/or if you have any questions.

regards,
mike

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4316
[2] http://www.ubuntu.com/usn/USN-738-1






More information about the pkg-gnome-maintainers mailing list