Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title lib3ds: User-assisted execution of arbitrary code
Informations
Name GLSA-201405-23 First vendor Publication 2014-05-18
Vendor Gentoo Last vendor Modification 2014-05-18
Severity (Vendor) Normal Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 9.3 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Synopsis

A vulnerability in lib3ds might allow a remote attacker to execute arbitrary code.

Background

lib3ds is a library for managing 3D-Studio Release 3 and 4 .3DS files.

Description

An array index error has been discovered in lib3ds.

Impact

A remote attacker could entice a user to open a specially crafted 3DS file using an application linked against lib3ds, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All lib3ds users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/lib3ds-2.0.0_rc1"

Packages which depend on this library may need to be recompiled. Tools such as revdep-rebuild may assist in identifying some of these packages.

References

[ 1 ] CVE-2010-0280
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0280

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201405-23.xml

Original Source

Url : http://security.gentoo.org/glsa/glsa-201405-23.xml

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-189 Numeric Errors (CWE/SANS Top 25)

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 4
Application 1

OpenVAS Exploits

Date Description
2010-12-02 Name : Fedora Update for lib3ds FEDORA-2010-14730
File : nvt/gb_fedora_2010_14730_lib3ds_fc14.nasl
2010-11-23 Name : Fedora Update for mingw32-OpenSceneGraph FEDORA-2010-17621
File : nvt/gb_fedora_2010_17621_mingw32-OpenSceneGraph_fc13.nasl
2010-10-01 Name : Fedora Update for lib3ds FEDORA-2010-14632
File : nvt/gb_fedora_2010_14632_lib3ds_fc12.nasl
2010-10-01 Name : Fedora Update for lib3ds FEDORA-2010-14644
File : nvt/gb_fedora_2010_14644_lib3ds_fc13.nasl
2010-01-20 Name : Google SketchUp Multiple Vulnerabilities (Windows)
File : nvt/gb_google_sketchup_mult_vuln_jan10_win.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
61685 lib3ds lib3ds/mesh.c face_array_read() Function 3DS File Handling Memory Corr...

Nessus® Vulnerability Scanner

Date Description
2014-05-19 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201405-23.nasl - Type : ACT_GATHER_INFO
2011-11-30 Name : The remote host has a 3-D modeling application that is affected by two remote...
File : google_sketchup_7_1_m2.nasl - Type : ACT_GATHER_INFO
2010-11-22 Name : The remote Fedora host is missing a security update.
File : fedora_2010-17621.nasl - Type : ACT_GATHER_INFO
2010-09-27 Name : The remote Fedora host is missing a security update.
File : fedora_2010-14632.nasl - Type : ACT_GATHER_INFO
2010-09-27 Name : The remote Fedora host is missing a security update.
File : fedora_2010-14644.nasl - Type : ACT_GATHER_INFO
2010-09-24 Name : The remote Fedora host is missing a security update.
File : fedora_2010-14730.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
Date Informations
2014-05-20 13:23:31
  • Multiple Updates
2014-05-18 21:21:18
  • First insertion