Posted on 16 April 2007
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200704-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Inkscape: Two format string vulnerabilities
      Date: April 16, 2007
      Bugs: #171799
        ID: 200704-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Two format string vulnerabilities have been discovered in Inkscape,
allowing for user-assisted execution of arbitrary code.

Background
==========

Inkscape is a vector graphics editor, using the Scalable Vector Graphics
(SVG) format.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  media-gfx/inkscape       < 0.45.1                        >= 0.45.1

Description
===========

Kees Cook has discovered two vulnerabilities in Inkscape. The
application does not properly handle format string specifiers in some
dialog boxes. Inkscape is also vulnerable to another format string
error in its Jabber whiteboard protocol.

Impact
======

A remote attacker could entice a user to open a specially crafted URI,
possibly leading to execution of arbitrary code with the privileges of
the user running Inkscape.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Inkscape users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-gfx/inkscape-0.45.1"

References
==========

  [ 1 ] CVE-2007-1463
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1463
  [ 2 ] CVE-2007-1464
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1464

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200704-10.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
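The Description section names the bug class (format string specifiers in text reaching a dialog box) without showing what the defect looks like in code. The following is an added illustration, not Inkscape's code and not taken from the advisory or the referenced CVEs: a generic vulnerable rendering helper beside its hardened form, plus a small hypothetical specifier counter that a reviewer can use to spot untrusted strings that must never be used as a format. The function names, the message text and the buffer sizes are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Inkscape code): count the conversion
 * specifiers in a string, treating "%%" as a literal percent sign.
 * Text that comes from a file, a URI or a network peer and yields a
 * non-zero count is exactly what turns the unsafe call below from a
 * display bug into a memory-safety bug. */
static int count_format_specifiers(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" prints one '%', consumes no argument */
            s++;
            continue;
        }
        n++;                    /* %s, %x, %n, ... all count */
    }
    return n;
}

/* The vulnerable shape: untrusted text supplied as the *format*.
 * Every '%' in msg is interpreted by the formatter. GCC and Clang
 * flag this with -Wformat-security; the pragma only keeps this
 * deliberate demonstration compiling under -Werror. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static int render_unsafe(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, msg);
}
#pragma GCC diagnostic pop

/* The fix: a constant format, untrusted text passed as an argument.
 * The formatter never looks inside msg for specifiers. */
static int render_safe(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, "%s", msg);
}

/* Returns 1 when both paths produce the same text. Only call this with
 * messages free of real specifiers: passing one to render_unsafe is
 * undefined behaviour, which is the whole point of the advisory. */
static int renders_identically(const char *msg)
{
    char a[128], b[128];
    render_unsafe(a, sizeof a, msg);
    render_safe(b, sizeof b, msg);
    return strcmp(a, b) == 0;
}

int main(void)
{
    /* Constructed sample: a harmless-looking message containing "%%".
     * A single doubled percent sign is enough to show that the unsafe
     * path interprets the text instead of copying it. */
    const char *msg = "Export 100%% complete";
    char buf[64];

    printf("specifiers in \"Open %%s: %%d\": %d\n",
           count_format_specifiers("Open %s: %d"));

    render_unsafe(buf, sizeof buf, msg);
    printf("unsafe: %s\n", buf);   /* Export 100% complete  (interpreted) */

    render_safe(buf, sizeof buf, msg);
    printf("safe:   %s\n", buf);   /* Export 100%% complete (copied)      */
    return 0;
}
```

The observable difference on benign input is one missing percent sign; on input carrying real specifiers the unsafe path reads, and with `%n` writes, memory it was never given, which is why the advisory rates the outcome as arbitrary code execution. The durable fix is the constant-format pattern in `render_safe`, and building with `-Wformat-security` (or `-Wformat=2`) makes the compiler point out every remaining `printf`-family call whose format is not a string literal.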