Lucene search

Gentoo FoundationGLSA-200503-09

HistoryMar 04, 2005 - 12:00 a.m.

xv: Filename handling vulnerability

2005-03-0400:00:00

Gentoo Foundation

security.gentoo.org

CVSS2

5.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

EPSS

0.005

Percentile

76.2%

JSON

Background

xv is an interactive image manipulation package for X11.

Description

Tavis Ormandy of the Gentoo Linux Security Audit Team identified a flaw in the handling of image filenames by xv.

Impact

Successful exploitation would require a victim to process a specially crafted image with a malformed filename, potentially resulting in the execution of arbitrary code.

Workaround

There is no known workaround at this time.

Resolution

All xv users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose "&gt;=media-gfx/xv-3.10a-r10"

OSVersionArchitecturePackageVersionFilename
Gentooanyallmedia-gfx/xv< 3.10a-r10UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Gentoo	any	all	media-gfx/xv	< 3.10a-r10	UNKNOWN

CVSS2

5.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

EPSS

0.005

Percentile

76.2%

JSON

Related for GLSA-200503-09