Gentoo 2508 Published by

The following 10 security updates are available for Gentoo Linux:



[ GLSA 201401-25 ] ldns: Arbitrary code execution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201401-25
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: ldns: Arbitrary code execution
Date: January 21, 2014
Bugs: #384249
ID: 201401-25

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A heap-based buffer overflow in ldns might allow remote attackers to
execute arbitrary code or cause a Denial of Service condition.

Background
==========

ldns is a fast DNS library with the goal to simplify DNS programming
and to allow developers to easily create software conforming to current
RFCs and Internet drafts.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/ldns < 1.6.11 >= 1.6.11

Description
===========

ldns contains a heap-based buffer overflow in the
ldns_rr_new_frm_str_internal function.

Impact
======

A remote attacker could execute arbitrary code or cause a Denial of
Service condition with a crafted Resource Record.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All ldns users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/ldns-1.6.11"

Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying these packages.

NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since October 11, 2011. It is likely that your system is
already no longer affected by this issue.

References
==========

[ 1 ] CVE-2011-3581
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3581

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201401-25.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201401-24 ] INN: Man-in-the-middle attack
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201401-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Low
Title: INN: Man-in-the-middle attack
Date: January 21, 2014
Bugs: #432002
ID: 201401-24

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in INN's STARTTLS implementation could allow a remote
attacker to conduct a man-in-the-middle attack.

Background
==========

INN is a news server which can interface with Usenet.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-nntp/inn < 2.5.3 >= 2.5.3

Description
===========

INN's I/O buffering is not correctly restricted.

Impact
======

A remote attacker could inject commands into encrypted NNTP sessions.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All INN users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-nntp/inn-2.5.3"

References
==========

[ 1 ] CVE-2012-3523
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3523

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201401-24.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201401-23 ] sudo: Privilege escalation
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201401-23
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: sudo: Privilege escalation
Date: January 21, 2014
Bugs: #459722
ID: 201401-23

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in sudo which could result in
privilege escalation.

Background
==========

sudo allows a system administrator to give users the ability to run
commands as other users. Access to commands may also be granted on a
range to hosts.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-admin/sudo < 1.8.6_p7 >= 1.8.6_p7

Description
===========

Multiple vulnerabilities have been found in sudo:

* sudo does not correctly validate the controlling terminal on a system
without /proc or when the tty_tickets option is enabled.
* sudo does not properly handle the clock when it is set to the epoch.

Impact
======

A local attacker with sudo privileges could connect to the stdin,
stdout, and stderr of the terminal of a user who has authenticated with
sudo, allowing the attacker to hijack the authorization of the other
user. Additionally, a local or physically proximate attacker could set
the system clock to the epoch, bypassing time restrictions on sudo
authentication.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All sudo users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/sudo-1.8.6_p7"

References
==========

[ 1 ] CVE-2013-1775
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1775
[ 2 ] CVE-2013-1776
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1776
[ 3 ] CVE-2013-2776
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2776
[ 4 ] CVE-2013-2777
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2777

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201401-23.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201401-22 ] Active Record: SQL injection
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201401-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Low
Title: Active Record: SQL injection
Date: January 21, 2014
Bugs: #449826
ID: 201401-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in Active Record could allow a remote attacker to
inject SQL commands.

Background
==========

Active Record is a Ruby gem that allows database entries to be
manipulated as objects.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-ruby/activerecord < 2.3.14-r1 >= 2.3.14-r1

Description
===========

An Active Record method parameter can mistakenly be used as a scope.

Impact
======

A remote attacker could use specially crafted input to execute
arbitrary SQL statements.

Workaround
==========

The vulnerability may be mitigated by converting the input to an
expected value. This is accomplished by changing instances of
'Post.find_by_id(params[:id])' in code using Active Record to
'Post.find_by_id(params[:id].to_s)'

Resolution
==========

All Active Record users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=dev-ruby/activerecord-2.3.14-r1"

References
==========

[ 1 ] CVE-2012-6496
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6496

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201401-22.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201401-21 ] Poppler: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201401-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Poppler: Multiple vulnerabilities
Date: January 21, 2014
Bugs: #489720, #496770
ID: 201401-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Poppler, allowing remote
attackers to execute arbitrary code or cause a Denial of Service
condition.

Background
==========

Poppler is a cross-platform PDF rendering library originally based on
Xpdf.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-text/poppler < 0.24.5 >= 0.24.5

Description
===========

Multiple vulnerabilities have been discovered in Poppler. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker could entice a user to open a specially crafted PDF
in an application linked against Poppler, possibly resulting in
execution of arbitrary code with the privileges of the process or a
Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Poppler users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/poppler-0.24.5"

References
==========

[ 1 ] CVE-2013-4473
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4473
[ 2 ] CVE-2013-4474
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4474
[ 3 ] CVE-2013-7296
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7296

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201401-21.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201401-20 ] Cacti: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201401-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Cacti: Multiple vulnerabilities
Date: January 21, 2014
Bugs: #324031, #480196
ID: 201401-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Cacti, allowing attackers
to execute arbitrary code or perform XSS attacks.

Background
==========

Cacti is a complete network graphing solution designed to harness the
power of RRDTool's data storage and graphing functionality.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-analyzer/cacti < 0.8.8b >= 0.8.8b

Description
===========

Multiple vulnerabilities have been discovered in Cacti. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker could execute arbitrary SQL commands via specially
crafted parameters, execute arbitrary shell code or inject malicious
script code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Cacti users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/cacti-0.8.8b"

References
==========

[ 1 ] CVE-2010-1644
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1644
[ 2 ] CVE-2010-1645
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1645
[ 3 ] CVE-2010-2092
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2092
[ 4 ] CVE-2010-2543
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2543
[ 5 ] CVE-2010-2544
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2544
[ 6 ] CVE-2010-2545
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2545
[ 7 ] CVE-2013-1434
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1434
[ 8 ] CVE-2013-1435
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1435

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201401-20.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201401-19 ] GMime: Arbitrary code execution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201401-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: GMime: Arbitrary code execution
Date: January 21, 2014
Bugs: #308051
ID: 201401-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow error in GMime might allow remote attackers to
execute arbitrary code or cause a Denial of Service condition.

Background
==========

GMime is a C/C++ library which may be used for the creation and parsing
of messages using the Multipurpose Internet Mail Extension (MIME).

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-libs/gmime < 2.4.15 >= 2.4.15
*>= 2.4.17
*>= 2.2.26

Description
===========

GMime contains a buffer overflow flaw in the GMIME_UUENCODE_LEN macro
in gmime/gmime-encodings.h.

Impact
======

A context-dependent attacker could possibly execute arbitrary code or
cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

GMime 2.4.x users on the PPC64 architecture should upgrade to the
latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/gmime-2.4.17"

GMime 2.4.x users on other architectures should upgrade to the latest
version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/gmime-2.4.15"

GMime 2.2.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/gmime-2.2.26"

Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying some of these
packages.

References
==========

[ 1 ] CVE-2010-0409
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0409

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201401-19.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201401-18 ] OpenSC: Arbitrary code execution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201401-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: OpenSC: Arbitrary code execution
Date: January 21, 2014
Bugs: #349567
ID: 201401-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple stack-based buffer overflows have been found in OpenSC,
allowing attackers to execute arbitrary code.

Background
==========

OpenSC is a tools and libraries for smart cards.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-libs/opensc < 0.11.13-r2 >= 0.11.13-r2

Description
===========

Multiple stack-based buffer overflow errors have been discovered in
OpenSC.

Impact
======

A physically proximate attacker could possibly execute arbitrary code
using a specially crafted smart card.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OpenSC users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/opensc-0.11.13-r2"

Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying some of these
packages.

References
==========

[ 1 ] CVE-2010-4523
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4523

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201401-18.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201401-17 ] PCSC-Lite: Arbitrary code execution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201401-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: PCSC-Lite: Arbitrary code execution
Date: January 21, 2014
Bugs: #349561
ID: 201401-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in PCSC-Lite could result in execution of arbitrary
code or Denial of Service.

Background
==========

PCSC-Lite is a PC/SC Architecture smartcard middleware library.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 sys-apps/pcsc-lite < 1.6.6 >= 1.6.6

Description
===========

PCSC-Lite contains a stack-based buffer overflow in the ATRDecodeAtr
function in the
Answer-to-Reset Handler (atrhandler.c).

Impact
======

A physically proximate attacker could execute arbitrary code or cause a
Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PCSC-Lite users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/pcsc-lite-1.6.6"

NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since January 10, 2011. It is likely that your system is
already no longer affected by this issue.

References
==========

[ 1 ] CVE-2010-4531
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4531

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201401-17.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201401-16 ] CCID: Arbitrary code execution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201401-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: CCID: Arbitrary code execution
Date: January 21, 2014
Bugs: #349559
ID: 201401-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in CCID could result in execution of arbitrary code.

Background
==========

CCID is a generic USB Chip/Smart Card Interface Devices driver.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-crypt/ccid < 1.4.1-r1 >= 1.4.1-r1

Description
===========

CCID contains an integer overflow vulnerability in ccid_serial.c.

Impact
======

A physically proximate attacker could execute arbitrary code via a
smart card with a specially crafted
serial number.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All CCID users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-crypt/ccid-1.4.1-r1"

NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since January 21, 2011. It is likely that your system is
already no longer affected by this issue.

References
==========

[ 1 ] CVE-2010-4530
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4530

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201401-16.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5