Gentoo FoundationGLSA-200605-14libextractor: Two heap-based buffer overflows
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:H/Au:N/C:P/I:P/A:N
0.241 Low
EPSS
Percentile
96.6%
Background
libextractor is a library used to extract metadata from arbitrary files.
Description
Luigi Auriemma has found two heap-based buffer overflows in libextractor 0.5.13 and earlier: one of them occurs in the asf_read_header function in the ASF plugin, and the other occurs in the parse_trak_atom function in the Qt plugin.
Impact
By enticing a user to open a malformed file using an application that employs libextractor and its ASF or Qt plugins, an attacker could execute arbitrary code in the context of the application running the affected library.
Workaround
There is no known workaround at this time.
Resolution
All libextractor users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/libextractor-0.5.14"
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Gentoo | any | all | media-libs/libextractor | < 0.5.14 | UNKNOWN |
Related
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:H/Au:N/C:P/I:P/A:N
0.241 Low
EPSS
Percentile
96.6%