Package: cheesetracker
Version: 0.9.9-1 0.9.9-5
Severity: serious
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2006-3814: "Buffer overflow in the
Loader_XM::load_instrument_internal function in loader_xm.cpp for Cheese
Tracker 0.9.9 and earlier allows user-assisted attackers to execute
arbitrary code via a crafted file with a large amount of extra data."

I have confirmed this issue with both sarge's and sid's version of
cheesetracker.  A sample exploit [1] was included in the original report
[2].  I do not believe a patch is available.

Please mention the CVE in your changelog.

Thanks,

Alec

[1] http://aluigi.org/poc/cheesebof.zip
[2] http://aluigi.altervista.org/adv/cheesebof-adv.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEy3ZVAud/2YgchcQRAjF1AKCaNDkUWiMgYlaqUSkjGzRsk0AMpgCeIKbH
KCBHGaofbXVoBpn1Im/qToc=
=4fQX
-----END PGP SIGNATURE-----

