SB2011112001 - Gentoo update for abcm2ps

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Buffer overflow (CVE-ID: CVE-2010-3441)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Multiple buffer overflows in abcm2ps before 5.9.12 might allow remote attackers to execute arbitrary code via (1) a crafted input file, related to the PUT0 and PUT1 output macros; (2) a crafted input file, related to the trim_title function; and possibly (3) a long -O option on a command line.

2) Heap-based buffer overflow (CVE-ID: CVE-2010-4743)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing data within the getarena function in abc2ps.c in abcm2ps before 5.9.13 might allow remote attackers to execute arbitrary code via a crafted ABC file. A remote attacker can pass a specially crafted file to the affected application, trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

3) Input validation error (CVE-ID: CVE-2010-4744)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Multiple unspecified vulnerabilities in abcm2ps before 5.9.13 have unknown impact and attack vectors, a different issue than CVE-2010-3441.

Remediation

Install update from vendor's website.

References

• https://security.gentoo.org/
• https://security.gentoo.org/glsa/201111-12