Fedora Extras dump-package security update (CVE-2006-3668)

Hans de Goede j.w.r.degoede at hhs.nl
Mon Jul 31 19:26:12 UTC 2006

Fedora Update Notification
Product:    Fedora Extras [5 devel]
Name:       dumb
Version:    0.9.3
Release:    4
Summary:    IT, XM, S3M and MOD player library
IT, XM, S3M and MOD player library. Mainly targeted for use with the
allegro game programming library, but it can be used without allegro.
Faithful to the original trackers, especially IT.
Update Information:

CVE ID: CVE-2006-3668

Luigi Auriemma discovered that DUMB, a tracker music library, performs
insufficient sanitising of values parsed from IT music files. This can
result in a heap-based buffer overflow in the it_read_envelope function
of Dynamic Universal Music Bibliotheque (DUMB) 0.9.3 and earlier, and
current CVS as of 20060716, including libdumb, which allows user-complicit
attackers to execute arbitrary code via a ".it" (Impulse Tracker) file
containing an envelope with a large number of nodes.

Fedora Extras versions 0.9.3-3 and earlier are vulnerable to this;
upgrade to 0.9.3-4 to fix this vulnerability.
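The defect class described above, as an added example (not DUMB's own code): a bounds-checked reader for an IT instrument envelope that rejects a node count larger than the fixed 25-entry table before copying anything. The envelope layout, the field and function names and the sample block are assumptions, not taken from this advisory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not DUMB's code. Layout assumed from the Impulse Tracker
 * format: flags, node count, loop begin/end, sustain begin/end (1 byte each),
 * then a fixed table of 25 nodes (signed Y byte, 16-bit little-endian tick). */
#define IT_ENVELOPE_MAX_NODES 25
#define IT_ENVELOPE_BLOCK_LEN (6 + IT_ENVELOPE_MAX_NODES * 3)

typedef struct {
    uint8_t flags, n_nodes;
    int8_t node_y[IT_ENVELOPE_MAX_NODES];
    uint16_t node_t[IT_ENVELOPE_MAX_NODES];
} it_envelope;

/* Returns 0 on success, -1 if the block is short or the file's node count
 * exceeds the fixed arrays. Copying n_nodes entries without that check is
 * the defect class in the advisory: a hostile file can set the count far
 * above 25 and overrun the heap-allocated envelope. */
int read_it_envelope(const uint8_t *buf, size_t len, it_envelope *env)
{
    if (len < IT_ENVELOPE_BLOCK_LEN) return -1;
    memset(env, 0, sizeof *env);
    env->flags = buf[0];
    env->n_nodes = buf[1];
    if (env->n_nodes > IT_ENVELOPE_MAX_NODES) return -1; /* reject before copying */
    for (unsigned i = 0; i < env->n_nodes; i++) {
        const uint8_t *p = buf + 6 + i * 3;
        env->node_y[i] = (int8_t)p[0];
        env->node_t[i] = (uint16_t)(p[1] | (p[2] << 8));
    }
    return 0;
}

/* Builds a constructed block with the requested node count and two real
 * nodes, parses it, and returns the tick of node idx or -1 if rejected. */
int sample_node_tick(uint8_t n_nodes, unsigned idx)
{
    uint8_t blk[IT_ENVELOPE_BLOCK_LEN] = {0};
    it_envelope env;
    blk[0] = 1;                                /* envelope enabled */
    blk[1] = n_nodes;                          /* file-controlled count */
    blk[6] = 64;  blk[7] = 0x00; blk[8] = 0;   /* node 0: y=64 at tick 0 */
    blk[9] = 32;  blk[10] = 0x10; blk[11] = 0; /* node 1: y=32 at tick 16 */
    if (read_it_envelope(blk, sizeof blk, &env) != 0) return -1;
    return idx < env.n_nodes ? env.node_t[idx] : -1;
}
```

A count of 26 or more is refused up front, which is the check a file-format parser needs wherever a length from untrusted input selects how much is written into a fixed-size buffer.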
This update can be installed with the 'yum' update program.  Use 'yum
update package-name' at the command line.  For more information, refer
to 'Managing Software with yum,' available at
