Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: Security Vulnerability: CVE-2006-3668 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200370 j.w.r.degoede(a)hhs.nl changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED Severity|normal |high Priority|normal |high CC| |fedora-security- | |list(a)redhat.com ------- Additional Comments From j.w.r.degoede(a)hhs.nl 2006-07-27 03:47 EST ------- Woops, hit enter too soon. Ah well. This is mainly a tracker bug, since I (the reporter) am also the maintainer. The subject says most, a security vulnerability in dumb has been found and catagories as CVE-2006-3668. Description from CVE: Heap-based buffer overflow in the it_read_envelope function in Dynamic Universal Music Bibliotheque (DUMB) 0.9.3 and earlier, and current CVS as of 20060716, allows user-complicit attackers to execute arbitrary code via a ".it" (Impulse Tracker) file with an enveloper with a large number of nodes. Description from DSA: Luigi Auriemma discovered that DUMB, a tracker music library, performs insufficient sanitising of values parsed from IT music files, which might lead to a buffer overflow and execution of arbitrary code if manipulated files are read. Debian has a fix, I'm currently test building a new version with this fix. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.