[VIM] Vendor ACK and version corrections for gxine (CAN-2005-1692)

Steven M. Christey coley at mitre.org
Thu May 26 13:06:33 EDT 2005


CVE was just informed by Darren Salt, a gxine developer, that the
affected versions in the gxine format string issue (CAN-2005-1692) are
0.4.1 through 0.4.4, and *not* "0.41 through 0.44" as originally
disclosed by the researcher.

In addition, the changelog makes it clear that there is vendor
acknowledgement:

  http://cvs.sourceforge.net/viewcvs.py/xine/gnome-xine/ChangeLog?rev=HEAD&content-type=text/vnd.viewcvs-markup

An item for 0.4.5 says "SECURITY FIX (pst.advisory 2005-21)
Remotely-exploitable missing-format-string vulnerability in some
message dialogue boxes."


- Steve


======================================================
Candidate: CAN-2005-1692
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1692
Reference: BUGTRAQ:20050521 pst.advisory 2005-21: gxine remote exploitable . opensource is god .lol windows
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111670637812128&w=2
Reference: BID:13707
Reference: URL:http://www.securityfocus.com/bid/13707
Reference: SECUNIA:15451
Reference: URL:http://secunia.com/advisories/15451

Format string vulnerability in gxine 0.4.1 through 0.4.4 allows remote
attackers to execute arbitrary code via a ram file with a URL whose
hostname contains format string specifiers.




More information about the VIM mailing list