|Title||New barnowl packages fix arbitrary code execution|
|Name||DSA-2102||First vendor Publication||2010-09-03|
|Vendor||Debian||Last vendor Modification||2010-09-03|
Security-Database Scoring CVSS v2
|Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)|
|Cvss Base Score||7.5||Attack Range||Network|
|Cvss Impact Score||6.4||Attack Complexity||Low|
|Cvss Expoit Score||10||Authentication||None Required|
|Calculate full CVSS 2.0 Vectors scores|
It has been discovered that in barnowl, a curses-based instant-messaging client, the return codes of calls to the ZPending and ZReceiveNotice functions in libzephyr were not checked, allowing attackers to cause a denial of service (crash of the application), and possibly execute arbitrary code.
For the stable distribution (lenny), this problem has been fixed in version 1.0.1-4+lenny2.
For the testing distribution (squeeze), this problem has been fixed in version 1.6.2-1.
For the unstable distribution (sid), this problem has been fixed in version 1.6.2-1.
We recommend that you upgrade your barnowl packages.
|Url : http://www.debian.org/security/2010/dsa-2102|
CWE : Common Weakness Enumeration
|CWE-20||Improper Input Validation|
CPE : Common Platform Enumeration
Open Source Vulnerability Database (OSVDB)
|66887||BarnOwl libzephyr Multiple Function Return Code Check Weakness Remote DoS|