Bug 198108 (CVE-2006-3582) - CVE-2006-3581, CVE-2006-3582: Multiple stack/heap overflow vulnerabilities in adplug
Summary: CVE-2006-3581, CVE-2006-3582: Multiple stack/heap overflow vulnerabilities in...
Status: CLOSED NEXTRELEASE
Alias: CVE-2006-3582
Product: Fedora
Classification: Fedora
Component: adplug   
(Show other bugs)
Version: 5
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Linus Walleij
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-07-09 19:01 UTC by Ville Skyttä
Modified: 2007-11-30 22:11 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-07-25 20:35:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Ville Skyttä 2006-07-09 19:01:04 UTC
Adplug <= 2.0 and CVS <= 2006-07-04 is reportedly affected by various heap and
stack overflow vulnerabilities.  No CVE id Yet.

http://seclists.org/lists/bugtraq/2006/Jul/0071.html

Comment 2 Linus Walleij 2006-07-25 20:35:14 UTC
Solved by upgrading to the new upstream version.
Thanks for bringing this to attention, Ville!
I hope not too many systems were compromised by
rouge AdLib songs ;-)

Comment 3 Ville Skyttä 2006-07-26 20:47:13 UTC
Thanks for the fix, but please be careful with shared library sonames in the
future.  Packages built against the old one and depending on it are likely to
prevent the new fixed library package from being installed.

Comment 4 Linus Walleij 2006-07-26 21:02:31 UTC
Yeah, sorry I know, in this case I happened to maintain all affected packages
so just rebuilt them.

However, a first timer the question arise: how do I properly retire an .so file
with security vulnerabilities? (Cannot find a good idea in any guidelines.)

Comment 5 Ville Skyttä 2006-07-28 16:17:06 UTC
(In reply to comment #4)
> Yeah, sorry I know, in this case I happened to maintain all affected packages

Yes, but only in FE.  3rd party repositories and local packages which use the
libs are affected too.

> However, a first timer the question arise: how do I properly retire an .so
> file with security vulnerabilities? (Cannot find a good idea in any 
> guidelines.)

If doable and feasible, backporting only the security fixes and avoiding the
soname change would be one way of handling it smoothly.

An incompatible upgrade policy and instructions are slowly in the works, but so
far there is no consensus except that the very least one should do is to send a
mail to fedora-maintainers, notifying about the issue, beforehand if at all
possible so others (including non-FC/FE packagers) can prepare.

Here's one example which IMO is being handled well.
https://www.redhat.com/archives/fedora-maintainers/2006-July/msg00397.html
https://www.redhat.com/archives/fedora-maintainers/2006-July/msg00398.html


Note You need to log in before you can comment on or make changes to this bug.