Advisories » MGASA-2015-0176

Updated directfb packages fix security vulnerabilities

Publication date: 03 May 2015
Modification date: 03 May 2015
Type: security
Affected Mageia releases: 4
CVE: CVE-2014-2977, CVE-2014-2978

Description

Updated directfb packages fix security vulnerabilities:

Multiple integer signedness errors in the Dispatch_Write function in
proxy/dispatcher/idirectfbsurface_dispatcher.c in DirectFB allow remote
attackers to cause a denial of service (crash) and possibly execute arbitrary
code via the Voodoo interface, which triggers a stack-based buffer overflow
(CVE-2014-2977).

The Dispatch_Write function in proxy/dispatcher/idirectfbsurface_dispatcher.c
in DirectFB allows remote attackers to cause a denial of service (crash) and
possibly execute arbitrary code via the Voodoo interface, which triggers an
out-of-bounds write (CVE-2014-2978).
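
The bug class named above (a signed length field that passes an upper-bound check and is then used as an unsigned copy size) is shown below as an added illustration; it is not DirectFB code and is not taken from the advisory. All names, the buffer size and the 4-byte little-endian length framing are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PIXEL_BUF_SIZE 64   /* assumed size of a fixed staging buffer */

/* Flawed check (hypothetical): the length is signed, so a negative value
 * passes the upper-bound test. Returns 1 if the length would be accepted and
 * stores the size a later memcpy() would receive. No copy is performed. */
int flawed_accepts(int32_t wire_len, size_t *copy_size)
{
    if (wire_len > PIXEL_BUF_SIZE)       /* signed compare: -1 > 64 is false */
        return 0;
    *copy_size = (size_t)wire_len;       /* -1 converts to SIZE_MAX */
    return 1;
}

/* Hardened write (hypothetical): reject negative lengths, lengths larger than
 * the payload that actually arrived, and lengths larger than the destination,
 * all before any byte is copied. Returns bytes copied or -1. */
int checked_write(uint8_t *dst, size_t dst_size,
                  const uint8_t *payload, size_t payload_size,
                  int32_t wire_len)
{
    if (wire_len < 0)
        return -1;
    size_t n = (size_t)wire_len;
    if (n > payload_size || n > dst_size)
        return -1;
    memcpy(dst, payload, n);
    return (int)n;
}

/* Constructed request format: 4-byte little-endian length, then payload. */
int handle_request(const uint8_t *msg, size_t msg_size,
                   uint8_t *out, size_t out_size)
{
    if (msg_size < 4)
        return -1;
    uint32_t raw = (uint32_t)msg[0] | (uint32_t)msg[1] << 8 |
                   (uint32_t)msg[2] << 16 | (uint32_t)msg[3] << 24;
    /* Conversion to int32_t wraps to a negative value on two's-complement
     * targets, which is how a 0xffffffff field reaches the check as -1. */
    return checked_write(out, out_size, msg + 4, msg_size - 4, (int32_t)raw);
}
```
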
                

References

SRPMS

4/core