To: bugtraq@securityfocus.com
Subject: [ MDKSA-2006:126 ] - Updated libtunepimp packages fixes buffer overflow vulnerabilities.
Date: Tue, 18 Jul 2006 18:33:00 -0600
From: security@mandriva.com
Reply-To: <xsecurity@mandriva.com.>
Message-Id: <E1G2zzo-0004vu-4U@mercury.mandriva.com.>
Sender: QATeam User <qateam@mercury.mandriva.com.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2006:126
http://www.mandriva.com/security/
_______________________________________________________________________
Package : libtunepimp
Date : July 18, 2006
Affected: 2006.0
_______________________________________________________________________
Problem Description:
Kevin Kofler discovered multiple stack-based buffer overflows in the
LookupTRM::lookup function in libtunepimp 0.4.2 that allow remote
user-complicit attackers to cause a denial of service (application crash)
and possibly execute code via a long (1) Album release date
(MBE_ReleaseGetDate), (2) data, or (3) error strings.
Updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3600
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2006.0:
fdb516cf3dea20bf1d88fdbfd14c6d5c 2006.0/RPMS/libtunepimp2-0.3.0-3.2.20060mdk.i586.rpm
5e10b7d6d6455c3b7be8a8cc21957f04 2006.0/RPMS/libtunepimp2-devel-0.3.0-3.2.20060mdk.i586.rpm
3eb6321a88393a9614346a7104eba2b5 2006.0/RPMS/libtunepimp2-static-devel-0.3.0-3.2.20060mdk.i586.rpm
5dbdeb4ee582712d8fc368d37b6a0174 2006.0/RPMS/libtunepimp2-utils-0.3.0-3.2.20060mdk.i586.rpm
05b7eb248b94c2782ae877304bdc09d2 2006.0/SRPMS/libtunepimp-0.3.0-3.2.20060mdk.src.rpm
Mandriva Linux 2006.0/X86_64:
bce87a055a585ea8591cfefe5da6c6cb x86_64/2006.0/RPMS/lib64tunepimp2-0.3.0-3.2.20060mdk.x86_64.rpm
20a641a6086e7a752b4f52be49dc743a x86_64/2006.0/RPMS/lib64tunepimp2-devel-0.3.0-3.2.20060mdk.x86_64.rpm
14cb96ff49c1607c6ddc58c097bce42f x86_64/2006.0/RPMS/lib64tunepimp2-static-devel-0.3.0-3.2.20060mdk.x86_64.rpm
b8910c32850f889d310cc66d7c03f99e x86_64/2006.0/RPMS/lib64tunepimp2-utils-0.3.0-3.2.20060mdk.x86_64.rpm
05b7eb248b94c2782ae877304bdc09d2 x86_64/2006.0/SRPMS/libtunepimp-0.3.0-3.2.20060mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFEvVOqmqjQ0CJFipgRAmT/AJwN6lZ2N9vVrCTCfeu+P4GCqYrvWACfbQWw
ymaorFMK/yxskvkYtm/e7XI=
=AIkB
-----END PGP SIGNATURE-----
