7.5 - RHSA-2005:304

Executive Summary

Summary
Title	grip security update

Informations
Name	RHSA-2005:304	First vendor Publication	2005-03-28
Vendor	RedHat	Last vendor Modification	2005-03-28
Severity (Vendor)	Moderate	Revision	01

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score	7.5	Attack Range	Network
Cvss Impact Score	6.4	Attack Complexity	Low
Cvss Expoit Score	10	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

A new grip package is available that fixes a remote buffer overflow.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64 Red Hat Linux Advanced Workstation 2.1 - ia64 Red Hat Enterprise Linux ES version 2.1 - i386 Red Hat Enterprise Linux WS version 2.1 - i386

3. Problem description:

Grip is a GTK+ based front-end for CD rippers (such as cdparanoia and cdda2wav) and Ogg Vorbis encoders.

Dean Brettle discovered a buffer overflow bug in the way grip handles data returned by CDDB servers. It is possible that if a user connects to a malicious CDDB server, an attacker could execute arbitrary code on the victim's machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0706 to this issue.

Users of grip should upgrade to this updated package, which contains a backported patch, and is not vulnerable to this issue.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/):

150712 - CAN-2005-0706 Buffer overflow in grip

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2005-304.html

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:10768

Oval ID:	oval:org.mitre.oval:def:10768
Title:	Buffer overflow in discdb.c for grip 3.1.2 allows attackers to cause a denial of service (crash) and possibly execute arbitrary code by causing the cddb lookup to return more matches than expected.
Description:	Buffer overflow in discdb.c for grip 3.1.2 allows attackers to cause a denial of service (crash) and possibly execute arbitrary code by causing the cddb lookup to return more matches than expected.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2005-0706	Version:	5
Platform(s):	Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4	Product(s):
Definition Synopsis:
OS Section: RHEL3, CentOS3 RHEL3 or CentOS3 The operating system installed on the system is Red Hat Enterprise Linux 3 AND CentOS Linux 3.x AND Configuration section gnome-vfs2-devel is earlier than 0:2.2.5-2E.3.3 AND gnome-vfs2 is earlier than 0:2.2.5-2E.3.3 OR OS Section: RHEL4, CentOS4, Oracle Linux 4 RHEL4, CentOS4 or Oracle Linux 4 The operating system installed on the system is Red Hat Enterprise Linux 4 AND CentOS Linux 4.x AND Oracle Linux 4.x AND Configuration section gnome-vfs2-smb is earlier than 0:2.8.2-8.7.el4_7.2 AND gnome-vfs2-devel is earlier than 0:2.8.2-8.7.el4_7.2 AND gnome-vfs2 is earlier than 0:2.8.2-8.7.el4_7.2

CPE : Common Platform Enumeration

Type	Description	Count
Application	Grip cpe:2.3:a:grip:grip:3.2.0:::::::* cpe:2.3:a:grip:grip:3.1.4:::::::* cpe:2.3:a:grip:grip:3.1.2:::::::* cpe:2.3:a:grip:grip:2.9.6:::::::*	4

OpenVAS Exploits

Date	Description
2011-08-09	Name : CentOS Update for gnome-vfs CESA-2009:0005-01 centos2 i386 File : nvt/gb_CESA-2009_0005-01_gnome-vfs_centos2_i386.nasl
2011-08-09	Name : CentOS Update for gnome-vfs2 CESA-2009:0005 centos3 i386 File : nvt/gb_CESA-2009_0005_gnome-vfs2_centos3_i386.nasl
2011-08-09	Name : CentOS Update for gnome-vfs2 CESA-2009:0005 centos4 i386 File : nvt/gb_CESA-2009_0005_gnome-vfs2_centos4_i386.nasl
2009-12-10	Name : Mandriva Security Advisory MDVSA-2008:233-1 (libcdaudio) File : nvt/mdksa_2008_233_1.nasl
2009-10-10	Name : SLES9: Security update for gnome-vfs File : nvt/sles9p5014621.nasl
2009-10-10	Name : SLES9: Security update for gnome-vfs2,gnome-vfs2-doc File : nvt/sles9p5014116.nasl
2009-04-09	Name : Mandriva Update for libcdaudio MDVSA-2008:233 (libcdaudio) File : nvt/gb_mandriva_MDVSA_2008_233.nasl
2009-02-17	Name : Fedora Update for grip FEDORA-2008-9521 File : nvt/gb_fedora_2008_9521_grip_fc8.nasl
2009-02-17	Name : Fedora Update for grip FEDORA-2008-9604 File : nvt/gb_fedora_2008_9604_grip_fc9.nasl
2009-02-16	Name : Fedora Update for grip FEDORA-2008-10126 File : nvt/gb_fedora_2008_10126_grip_fc10.nasl
2009-02-13	Name : Fedora Core 9 FEDORA-2008-11956 (libcdaudio) File : nvt/fcore_2008_11956.nasl
2009-02-10	Name : CentOS Security Advisory CESA-2009:0005-01 (gnome-vfs) File : nvt/ovcesa2009_0005_01.nasl
2009-02-10	Name : Fedora Core 10 FEDORA-2008-11848 (libcdaudio) File : nvt/fcore_2008_11848.nasl
2009-01-13	Name : FreeBSD Ports: libcdaudio File : nvt/freebsd_libcdaudio.nasl
2009-01-13	Name : CentOS Security Advisory CESA-2009:0005 (gnome-vfs2) File : nvt/ovcesa2009_0005.nasl
2009-01-07	Name : RedHat Security Advisory RHSA-2009:0005 File : nvt/RHSA_2009_0005.nasl
2008-09-24	Name : Gentoo Security Advisory GLSA 200503-21 (grip) File : nvt/glsa_200503_21.nasl
2008-09-24	Name : Gentoo Security Advisory GLSA 200504-07 (GnomeVFS) File : nvt/glsa_200504_07.nasl
2008-09-04	Name : FreeBSD Ports: grip File : nvt/freebsd_grip.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
14643	grip CDDB Multiple Matches Overflow

Nessus® Vulnerability Scanner

Date	Description
2013-07-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2009-0005.nasl - Type : ACT_GATHER_INFO
2012-08-01	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20090107_gnome_vfs2_on_SL3_x.nasl - Type : ACT_GATHER_INFO
2009-09-24	Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_10010.nasl - Type : ACT_GATHER_INFO
2009-09-24	Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_10009.nasl - Type : ACT_GATHER_INFO
2009-04-23	Name : The remote Fedora host is missing a security update. File : fedora_2008-10126.nasl - Type : ACT_GATHER_INFO
2009-04-23	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2008-233.nasl - Type : ACT_GATHER_INFO
2009-04-23	Name : The remote Fedora host is missing a security update. File : fedora_2008-11848.nasl - Type : ACT_GATHER_INFO
2009-02-05	Name : The remote Fedora host is missing a security update. File : fedora_2008-11956.nasl - Type : ACT_GATHER_INFO
2009-01-12	Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_bd730827dfe011dda7650030843d3802.nasl - Type : ACT_GATHER_INFO
2009-01-08	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2009-0005.nasl - Type : ACT_GATHER_INFO
2009-01-07	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-0005.nasl - Type : ACT_GATHER_INFO
2008-11-21	Name : The remote Fedora host is missing a security update. File : fedora_2008-9604.nasl - Type : ACT_GATHER_INFO
2008-11-21	Name : The remote Fedora host is missing a security update. File : fedora_2008-9521.nasl - Type : ACT_GATHER_INFO
2005-07-13	Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_bcf2700294c311d9a9e00001020eed82.nasl - Type : ACT_GATHER_INFO
2005-04-21	Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2005-074.nasl - Type : ACT_GATHER_INFO
2005-04-21	Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2005-075.nasl - Type : ACT_GATHER_INFO
2005-04-08	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200504-07.nasl - Type : ACT_GATHER_INFO
2005-04-02	Name : The remote Mandrake Linux host is missing a security update. File : mandrake_MDKSA-2005-066.nasl - Type : ACT_GATHER_INFO
2005-03-29	Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2005-304.nasl - Type : ACT_GATHER_INFO
2005-03-17	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200503-21.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-02-17 11:49:11	Multiple Updates

Global Informations

Type	Count
Oval ID(s)	1
CPE ID(s)	4
osvdb(s)	1
Openvas Exploit(s)	19
Nessus® Exploit(s)	20

	Related
7.5	CVE-2005-0706
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 1 more Alert(s)

7.5 - RHSA-2005:304

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

OVAL Definitions

CPE : Common Platform Enumeration

OpenVAS Exploits

Open Source Vulnerability Database (OSVDB)

Nessus® Vulnerability Scanner

Alert History

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU