[Pkg-allegro-maintainers] Bug#379064: dumb: CVE-2006-3668:
arbitrary code execution
alec at thened.net
Thu Jul 20 22:26:59 UTC 2006
CVE-2006-3668: "Heap-based buffer overflow in the it_read_envelope
function in Dynamic Universal Music Bibliotheque (DUMB) 0.9.3 and
earlier, and current CVS as of 20060716, allows user-complicit attackers
to execute arbitrary code via a ".it" (Impulse Tracker) file with an
enveloper with a large number of nodes."
There is a proof-of-concept exploit in the original advisory. I
have not verified the issue. Sarge is probably vulnerable. I do not
see an upstream patch, but the original advisory suggests that the issue
will be fixed in the next version.
Please mention the CVE in your changelog.
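An added example, not part of the original message and not DUMB's own code: a bounds-checked reader for an Impulse Tracker envelope record that rejects a node count larger than its fixed node arrays, the condition the CVE description names. The 82-byte record layout with 25 node slots is assumed from the Impulse Tracker format; `struct envelope`, `parse_envelope` and `demo_last_tick` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ENV_RECORD_SIZE 82  /* assumed on-disk size of one IT envelope */
#define ENV_MAX_NODES   25  /* assumed number of node slots in that record */

struct envelope {           /* hypothetical in-memory form, not DUMB's struct */
    uint8_t  flags, n_nodes, loop_start, loop_end, sus_start, sus_end;
    int8_t   node_y[ENV_MAX_NODES];
    uint16_t node_t[ENV_MAX_NODES];
};

/* Returns 0 on success, -1 if the record is truncated or the node count
 * taken from the file would index past the fixed-size arrays. */
int parse_envelope(const uint8_t *buf, size_t len, struct envelope *env)
{
    if (len < ENV_RECORD_SIZE || buf[1] > ENV_MAX_NODES)
        return -1;          /* validate before any store into env */
    env->flags = buf[0];      env->n_nodes = buf[1];
    env->loop_start = buf[2]; env->loop_end = buf[3];
    env->sus_start = buf[4];  env->sus_end = buf[5];
    for (size_t i = 0; i < env->n_nodes; i++) {
        const uint8_t *p = buf + 6 + 3 * i;   /* 1 byte y, 2 bytes tick (LE) */
        env->node_y[i] = (int8_t)p[0];
        env->node_t[i] = (uint16_t)(p[1] | (p[2] << 8));
    }
    return 0;
}

/* Builds a constructed record claiming n_nodes nodes (node i at tick 100*i)
 * and returns the last parsed tick, or -1 if the parser rejected it. */
long demo_last_tick(uint8_t n_nodes, size_t len)
{
    uint8_t buf[ENV_RECORD_SIZE] = {0};
    struct envelope env;
    buf[1] = n_nodes;
    for (unsigned i = 0; i < ENV_MAX_NODES; i++) {
        buf[6 + 3 * i] = (uint8_t)i;
        buf[7 + 3 * i] = (uint8_t)((100 * i) & 0xff);
        buf[8 + 3 * i] = (uint8_t)((100 * i) >> 8);
    }
    if (parse_envelope(buf, len, &env) != 0)
        return -1;
    return env.n_nodes ? env.node_t[env.n_nodes - 1] : 0;
}

int main(void)
{
    printf("25 nodes: %ld\n", demo_last_tick(25, ENV_RECORD_SIZE));
    printf("26 nodes: %ld\n", demo_last_tick(26, ENV_RECORD_SIZE));
    return 0;
}
```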