Thursday, May 15, 2014

[CVE-2014-2977] DirectFB integer signedness vulnerability

________________________________________________________________________

Summary:

DirectFB is prone to an integer signedness vulnerability since
version 1.4.13.

The vulnerability can be triggered remotely without authentication
through the Voodoo interface (the network layer of DirectFB).
________________________________________________________________________

Details:

This integer coercion error may lead to a stack overflow.
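
The bug class named above, as an added illustration that is not DirectFB or Voodoo code and does not reproduce the affected function: a length held in a signed type passes an upper-bound-only check when negative, then becomes a huge size once coerced to size_t. The message layout (4-byte little-endian length, then payload), BUF_SIZE and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64 /* hypothetical size of a fixed stack buffer */

/* Decode the 4-byte little-endian length field of a constructed message. */
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Flawed pattern: the length is held in a signed type and only its upper
 * bound is tested, so a negative value passes. Returns 1 if accepted. */
static int flawed_check_accepts(const uint8_t *msg) {
    int32_t len = (int32_t)read_le32(msg);
    return len <= BUF_SIZE;
}

/* The byte count a copy routine would see once that signed value is
 * implicitly converted to size_t. Nothing is copied here. */
static size_t size_after_coercion(const uint8_t *msg) {
    return (size_t)(int32_t)read_le32(msg);
}

/* Hardened pattern: keep the length unsigned and bound it by both the
 * destination size and the bytes actually received. Returns the number
 * of bytes copied, or -1 if the message is rejected. */
static long safe_copy(uint8_t *dst, size_t dst_size,
                      const uint8_t *msg, size_t msg_len) {
    if (msg_len < 4) return -1;
    uint32_t len = read_le32(msg);
    if (len > dst_size || len > msg_len - 4) return -1;
    memcpy(dst, msg + 4, len);
    return (long)len;
}

/* Constructed sample messages: length field followed by payload. */
static const uint8_t MSG_NEGATIVE[] = {0xff, 0xff, 0xff, 0xff, 'A'};
static const uint8_t MSG_VALID[] = {0x03, 0x00, 0x00, 0x00, 'a', 'b', 'c'};

int main(void) {
    uint8_t buf[BUF_SIZE];
    printf("flawed check accepts -1: %d\n", flawed_check_accepts(MSG_NEGATIVE));
    printf("size after coercion:     %zu\n", size_after_coercion(MSG_NEGATIVE));
    printf("safe_copy(negative):     %ld\n", safe_copy(buf, sizeof buf, MSG_NEGATIVE, sizeof MSG_NEGATIVE));
    printf("safe_copy(valid):        %ld\n", safe_copy(buf, sizeof buf, MSG_VALID, sizeof MSG_VALID));
    return 0;
}
```

Compiler warnings such as -Wsign-compare and -Wsign-conversion flag many mixed signed/unsigned length comparisons of this kind at build time.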
________________________________________________________________________

CVSS Version 2 Metrics:

Access Vector: Network exploitable
Access Complexity: Low
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
________________________________________________________________________

Disclosure Timeline:

2014-03-27 Developer notified
2014-04-21 CVE-2014-2977 assigned
2014-05-16 Public advisory
________________________________________________________________________

References:

http://www.directfb.org/
http://mail.directfb.org/pipermail/directfb-dev/2014-March/006805.html
________________________________________________________________________

Frédéric Basse
