Gentoo FoundationGLSA-200411-14Kaffeine, gxine: Remotely exploitable buffer overflow
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.055 Low
EPSS
Percentile
93.3%
Background
Kaffeine and gxine are graphical front-ends for xine-lib multimedia library.
Description
KF of Secure Network Operations has discovered an overflow that occurs during the Content-Type header processing of Kaffeine. The vulnerable code in Kaffeine is reused from gxine, making gxine vulnerable as well.
Impact
An attacker could create a specially-crafted Content-type header from a malicious HTTP server, and crash a user’s instance of Kaffeine or gxine, potentially allowing the execution of arbitrary code.
Workaround
There is no known workaround at this time.
Resolution
All Kaffeine users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-video/kaffeine-0.4.3b-r1"
All gxine users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-video/gxine-0.3.3-r1"
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Gentoo | any | all | media-video/kaffeine | < 0.5_rc1-r1 | UNKNOWN |
| Gentoo | any | all | media-video/gxine | < 0.3.3-r1 | UNKNOWN |
Related
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.055 Low
EPSS
Percentile
93.3%