The following 10 security updates are available for Gentoo Linux:
[ GLSA 201401-25 ] ldns: Arbitrary code execution
[ GLSA 201401-25 ] ldns: Arbitrary code execution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -[ GLSA 201401-24 ] INN: Man-in-the-middle attack
Gentoo Linux Security Advisory GLSA 201401-25
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: ldns: Arbitrary code execution
Date: January 21, 2014
Bugs: #384249
ID: 201401-25
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A heap-based buffer overflow in ldns might allow remote attackers to
execute arbitrary code or cause a Denial of Service condition.
Background
==========
ldns is a fast DNS library with the goal to simplify DNS programming
and to allow developers to easily create software conforming to current
RFCs and Internet drafts.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/ldns < 1.6.11 >= 1.6.11
Description
===========
ldns contains a heap-based buffer overflow in the
ldns_rr_new_frm_str_internal function.
Impact
======
A remote attacker could execute arbitrary code or cause a Denial of
Service condition with a crafted Resource Record.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All ldns users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/ldns-1.6.11"
Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying these packages.
NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since October 11, 2011. It is likely that your system is
already no longer affected by this issue.
References
==========
[ 1 ] CVE-2011-3581
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3581
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201401-25.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -[ GLSA 201401-23 ] sudo: Privilege escalation
Gentoo Linux Security Advisory GLSA 201401-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Low
Title: INN: Man-in-the-middle attack
Date: January 21, 2014
Bugs: #432002
ID: 201401-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability in INN's STARTTLS implementation could allow a remote
attacker to conduct a man-in-the-middle attack.
Background
==========
INN is a news server which can interface with Usenet.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-nntp/inn < 2.5.3 >= 2.5.3
Description
===========
INN's I/O buffering is not correctly restricted.
Impact
======
A remote attacker could inject commands into encrypted NNTP sessions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All INN users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-nntp/inn-2.5.3"
References
==========
[ 1 ] CVE-2012-3523
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3523
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201401-24.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -[ GLSA 201401-22 ] Active Record: SQL injection
Gentoo Linux Security Advisory GLSA 201401-23
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: sudo: Privilege escalation
Date: January 21, 2014
Bugs: #459722
ID: 201401-23
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in sudo which could result in
privilege escalation.
Background
==========
sudo allows a system administrator to give users the ability to run
commands as other users. Access to commands may also be granted on a
range to hosts.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-admin/sudo < 1.8.6_p7 >= 1.8.6_p7
Description
===========
Multiple vulnerabilities have been found in sudo:
* sudo does not correctly validate the controlling terminal on a system
without /proc or when the tty_tickets option is enabled.
* sudo does not properly handle the clock when it is set to the epoch.
Impact
======
A local attacker with sudo privileges could connect to the stdin,
stdout, and stderr of the terminal of a user who has authenticated with
sudo, allowing the attacker to hijack the authorization of the other
user. Additionally, a local or physically proximate attacker could set
the system clock to the epoch, bypassing time restrictions on sudo
authentication.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All sudo users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/sudo-1.8.6_p7"
References
==========
[ 1 ] CVE-2013-1775
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1775
[ 2 ] CVE-2013-1776
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1776
[ 3 ] CVE-2013-2776
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2776
[ 4 ] CVE-2013-2777
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2777
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201401-23.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -[ GLSA 201401-21 ] Poppler: Multiple vulnerabilities
Gentoo Linux Security Advisory GLSA 201401-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Low
Title: Active Record: SQL injection
Date: January 21, 2014
Bugs: #449826
ID: 201401-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability in Active Record could allow a remote attacker to
inject SQL commands.
Background
==========
Active Record is a Ruby gem that allows database entries to be
manipulated as objects.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-ruby/activerecord < 2.3.14-r1 >= 2.3.14-r1
Description
===========
An Active Record method parameter can mistakenly be used as a scope.
Impact
======
A remote attacker could use specially crafted input to execute
arbitrary SQL statements.
Workaround
==========
The vulnerability may be mitigated by converting the input to an
expected value. This is accomplished by changing instances of
'Post.find_by_id(params[:id])' in code using Active Record to
'Post.find_by_id(params[:id].to_s)'
Resolution
==========
All Active Record users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=dev-ruby/activerecord-2.3.14-r1"
References
==========
[ 1 ] CVE-2012-6496
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6496
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201401-22.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -[ GLSA 201401-20 ] Cacti: Multiple vulnerabilities
Gentoo Linux Security Advisory GLSA 201401-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Poppler: Multiple vulnerabilities
Date: January 21, 2014
Bugs: #489720, #496770
ID: 201401-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Poppler, allowing remote
attackers to execute arbitrary code or cause a Denial of Service
condition.
Background
==========
Poppler is a cross-platform PDF rendering library originally based on
Xpdf.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-text/poppler < 0.24.5 >= 0.24.5
Description
===========
Multiple vulnerabilities have been discovered in Poppler. Please review
the CVE identifiers referenced below for details.
Impact
======
A remote attacker could entice a user to open a specially crafted PDF
in an application linked against Poppler, possibly resulting in
execution of arbitrary code with the privileges of the process or a
Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Poppler users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/poppler-0.24.5"
References
==========
[ 1 ] CVE-2013-4473
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4473
[ 2 ] CVE-2013-4474
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4474
[ 3 ] CVE-2013-7296
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7296
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201401-21.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -[ GLSA 201401-19 ] GMime: Arbitrary code execution
Gentoo Linux Security Advisory GLSA 201401-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Cacti: Multiple vulnerabilities
Date: January 21, 2014
Bugs: #324031, #480196
ID: 201401-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Cacti, allowing attackers
to execute arbitrary code or perform XSS attacks.
Background
==========
Cacti is a complete network graphing solution designed to harness the
power of RRDTool's data storage and graphing functionality.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-analyzer/cacti < 0.8.8b >= 0.8.8b
Description
===========
Multiple vulnerabilities have been discovered in Cacti. Please review
the CVE identifiers referenced below for details.
Impact
======
A remote attacker could execute arbitrary SQL commands via specially
crafted parameters, execute arbitrary shell code or inject malicious
script code.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Cacti users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/cacti-0.8.8b"
References
==========
[ 1 ] CVE-2010-1644
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1644
[ 2 ] CVE-2010-1645
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1645
[ 3 ] CVE-2010-2092
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2092
[ 4 ] CVE-2010-2543
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2543
[ 5 ] CVE-2010-2544
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2544
[ 6 ] CVE-2010-2545
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2545
[ 7 ] CVE-2013-1434
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1434
[ 8 ] CVE-2013-1435
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1435
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201401-20.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -[ GLSA 201401-18 ] OpenSC: Arbitrary code execution
Gentoo Linux Security Advisory GLSA 201401-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: GMime: Arbitrary code execution
Date: January 21, 2014
Bugs: #308051
ID: 201401-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A buffer overflow error in GMime might allow remote attackers to
execute arbitrary code or cause a Denial of Service condition.
Background
==========
GMime is a C/C++ library which may be used for the creation and parsing
of messages using the Multipurpose Internet Mail Extension (MIME).
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-libs/gmime < 2.4.15 >= 2.4.15
*>= 2.4.17
*>= 2.2.26
Description
===========
GMime contains a buffer overflow flaw in the GMIME_UUENCODE_LEN macro
in gmime/gmime-encodings.h.
Impact
======
A context-dependent attacker could possibly execute arbitrary code or
cause a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
GMime 2.4.x users on the PPC64 architecture should upgrade to the
latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/gmime-2.4.17"
GMime 2.4.x users on other architectures should upgrade to the latest
version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/gmime-2.4.15"
GMime 2.2.x users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/gmime-2.2.26"
Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying some of these
packages.
References
==========
[ 1 ] CVE-2010-0409
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0409
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201401-19.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -[ GLSA 201401-17 ] PCSC-Lite: Arbitrary code execution
Gentoo Linux Security Advisory GLSA 201401-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: OpenSC: Arbitrary code execution
Date: January 21, 2014
Bugs: #349567
ID: 201401-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple stack-based buffer overflows have been found in OpenSC,
allowing attackers to execute arbitrary code.
Background
==========
OpenSC is a tools and libraries for smart cards.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-libs/opensc < 0.11.13-r2 >= 0.11.13-r2
Description
===========
Multiple stack-based buffer overflow errors have been discovered in
OpenSC.
Impact
======
A physically proximate attacker could possibly execute arbitrary code
using a specially crafted smart card.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All OpenSC users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/opensc-0.11.13-r2"
Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying some of these
packages.
References
==========
[ 1 ] CVE-2010-4523
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4523
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201401-18.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -[ GLSA 201401-16 ] CCID: Arbitrary code execution
Gentoo Linux Security Advisory GLSA 201401-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: PCSC-Lite: Arbitrary code execution
Date: January 21, 2014
Bugs: #349561
ID: 201401-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability in PCSC-Lite could result in execution of arbitrary
code or Denial of Service.
Background
==========
PCSC-Lite is a PC/SC Architecture smartcard middleware library.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 sys-apps/pcsc-lite < 1.6.6 >= 1.6.6
Description
===========
PCSC-Lite contains a stack-based buffer overflow in the ATRDecodeAtr
function in the
Answer-to-Reset Handler (atrhandler.c).
Impact
======
A physically proximate attacker could execute arbitrary code or cause a
Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All PCSC-Lite users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/pcsc-lite-1.6.6"
NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since January 10, 2011. It is likely that your system is
already no longer affected by this issue.
References
==========
[ 1 ] CVE-2010-4531
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4531
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201401-17.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201401-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: CCID: Arbitrary code execution
Date: January 21, 2014
Bugs: #349559
ID: 201401-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability in CCID could result in execution of arbitrary code.
Background
==========
CCID is a generic USB Chip/Smart Card Interface Devices driver.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-crypt/ccid < 1.4.1-r1 >= 1.4.1-r1
Description
===========
CCID contains an integer overflow vulnerability in ccid_serial.c.
Impact
======
A physically proximate attacker could execute arbitrary code via a
smart card with a specially crafted
serial number.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All CCID users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-crypt/ccid-1.4.1-r1"
NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since January 21, 2011. It is likely that your system is
already no longer affected by this issue.
References
==========
[ 1 ] CVE-2010-4530
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4530
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201401-16.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
