Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/glsa-200404-19.xml
blob: b6e4b43db64b8136eda4a1b0053b7cebb7bc03bd (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="200404-19">
  <title>Buffer overflows and format string vulnerabilities in LCDproc</title>
  <synopsis>
    Multiple remote vulnerabilities have been found in the LCDd server,
    allowing execution of arbitrary code with the rights of the LCDd user.
  </synopsis>
  <product type="ebuild">lcdproc</product>
  <announced>2004-04-27</announced>
  <revised count="01">2004-04-27</revised>
  <bug>47340</bug>
  <access>remote </access>
  <affected>
    <package name="app-misc/lcdproc" auto="yes" arch="*">
      <unaffected range="ge">0.4.5</unaffected>
      <vulnerable range="le">0.4.4-r1</vulnerable>
    </package>
  </affected>
  <background>
    <p>
    LCDproc is a program that displays various bits of real-time system
    information on an LCD. It makes use of a local server (LCDd) to collect
    information to display on the LCD.
    </p>
  </background>
  <description>
    <p>
    Due to insufficient checking of client-supplied data, the LCDd server is
    susceptible to two buffer overflows and one string buffer vulnerability. If
    the server is configured to listen on all network interfaces (see the Bind
    parameter in LCDproc configuration), these vulnerabilities can be triggered
    remotely.
    </p>
  </description>
  <impact type="normal">
    <p>
    These vulnerabilities allow an attacker to execute code with the rights of
    the user running the LCDproc server. By default, this is the "nobody" user.
    </p>
  </impact>
  <workaround>
    <p>
    A workaround is not currently known for this issue. All users are advised
    to upgrade to the latest version of the affected package.
    </p>
  </workaround>
  <resolution>
    <p>
    LCDproc users should upgrade to version 0.4.5 or later:
    </p>
    <code>
    # emerge sync

    # emerge -pv "&gt;=app-misc/lcdproc-0.4.5"
    # emerge "&gt;=app-misc/lcdproc-0.4.5"</code>
  </resolution>
  <references>
    <uri link="http://lists.omnipotent.net/pipermail/lcdproc/2004-April/008884.html">LCDproc advisory</uri>
  </references>
  <metadata tag="submitter">
    koon
  </metadata>
</glsa>