blob: 23b864e2efe1aa87fdb7159f1af24f98e63695b2 [file] [log] [blame]
<?xml version="1.0" encoding="utf-8"?>
<glsa id="200501-11">
<title>Dillo: Format string vulnerability</title>
Dillo is vulnerable to a format string bug, which may result in the
execution of arbitrary code.
<product type="ebuild">Dillo</product>
<announced>January 09, 2005</announced>
<revised>January 09, 2005: 01</revised>
<package name="www-client/dillo" auto="yes" arch="*">
<unaffected range="ge">0.8.3-r4</unaffected>
<vulnerable range="lt">0.8.3-r4</vulnerable>
Dillo is a small and fast multi-platform web browser based on
Gentoo Linux developer Tavis Ormandy found a format string bug in
Dillo's handling of messages in a_Interface_msg().
<impact type="normal">
An attacker could craft a malicious web page which, when accessed
using Dillo, would trigger the format string vulnerability and
potentially execute arbitrary code with the rights of the user running
There is no known workaround at this time.
All Dillo users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=www-client/dillo-0.8.3-r4&quot;</code>
<uri link="">CAN-2005-0012</uri>
<metadata tag="requester" timestamp="Fri, 7 Jan 2005 15:41:51 +0000">
<metadata tag="bugReady" timestamp="Sun, 9 Jan 2005 17:56:03 +0000">
<metadata tag="submitter" timestamp="Sun, 9 Jan 2005 18:39:04 +0000">