xdelta: User-assisted execution of arbitrary code — GLSA 201701-40

A buffer overflow in xdelta might allow remote attackers to execute arbitrary code.

Affected packages

dev-util/xdelta on all architectures
Affected versions < 3.0.10
Unaffected versions >= 3.0.10

Background

Xdelta is a C library and command-line tool for delta compression using VCDIFF/RFC 3284 streams.

Description

A buffer overflow can be triggered within xdelta when ran against a malicious input file.

Impact

A remote attacker could coerce the victim to run xdelta against a malicious input file. This may be leveraged by an attacker to crash xdelta and gain control of program execution.

Workaround

There is no known workaround at this time.

Resolution

All xdelta users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-util/xdelta-3.0.10"
 

References

Release date
January 17, 2017

Latest revision
January 17, 2017: 01

Severity
normal

Exploitable
remote

Bugzilla entries