USN-407-1

Executive Summary

Summary
Title	libgtop2 vulnerability

Informations
Name	USN-407-1	First vendor Publication	2007-01-15
Vendor	Ubuntu	Last vendor Modification	2007-01-15
Severity (Vendor)	N/A	Revision	N/A

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:H/Au:N/C:P/I:P/A:P)
Cvss Base Score	3.7	Attack Range	Local
Cvss Impact Score	6.4	Attack Complexity	High
Cvss Expoit Score	1.9	Authentification	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
libgtop2-5 2.12.0-0ubuntu1.1

Ubuntu 6.06 LTS:
libgtop2-7 2.14.1-0ubuntu1.1

Ubuntu 6.10:
libgtop2-7 2.14.4-0ubuntu1.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Liu Qishuai discovered a buffer overflow in the /proc parsing routines
in libgtop. By creating and running a process in a specially crafted
long path and tricking an user into running gnome-system-monitor, an
attacker could exploit this to execute arbitrary code with the user's
privileges.

Original Source

Url : http://www.ubuntu.com/usn/USN-407-1

CWE : Common Weakness Enumeration

id	Name
CWE-119	Failure to Constrain Operations within the Bounds of a Memory Buffer

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:10720

Oval ID:	oval:org.mitre.oval:def:10720
Title:	Stack-based buffer overflow in the glibtop_get_proc_map_s function in libgtop before 2.14.6 (libgtop2) allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a process with a long filename that is mapped in its address space, which triggers the overflow in gnome-system-monitor.
Description:	Stack-based buffer overflow in the glibtop_get_proc_map_s function in libgtop before 2.14.6 (libgtop2) allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a process with a long filename that is mapped in its address space, which triggers the overflow in gnome-system-monitor.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2007-0235	Version:	5
Platform(s):	Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4	Product(s):
Definition Synopsis:
RHEL4, CentOS4 or Oracle Linux 4 The operating system installed on the system is Red Hat Enterprise Linux 4 AND CentOS Linux 4.x AND Oracle Linux 4.x AND Configuration section libgtop2 is earlier than 0:2.8.0-1.0.2 AND libgtop2-devel is earlier than 0:2.8.0-1.0.2

CPE : Common Platform Enumeration

Type	Description	Count
Application	Libgtop Libgtop cpe:/a:libgtop:libgtop:2.14.5	1

Open Source Vulnerability Database (OSVDB)

id	Description
32815	libgtop2 glibtop_get_proc_map_s() Function Filename Overflow

Type	Count
Oval ID(s)	1
CPE ID(s)	1
osvdb(s)	1

Related	Severity
CVE-2007-0235	(Low)

Same Subject	Severity
Login to view 2 more Alert(s)

USN-407-1

Executive Summary

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

OVAL Definitions

CPE : Common Platform Enumeration

Open Source Vulnerability Database (OSVDB)

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU