---------------------------------------------------------------------
Fedora Update Notification
FEDORA-EXTRAS-2006-003
---------------------------------------------------------------------

Product: Fedora Extras [5 devel]
Name: dumb
Version: 0.9.3
Release: 4
Summary: IT, XM, S3M and MOD player library
Description:
IT, XM, S3M and MOD player library. Mainly targeted for use with the
allegro game programming library, but it can be used without allegro.
Faithful to the original trackers, especially IT.

---------------------------------------------------------------------
Update Information:

CVE ID: CVE-2006-3668

Luigi Auriemma discovered that DUMB, a tracker music library, performs insufficient sanitising of values parsed from IT music files. This could result in a heap-based buffer overflow. The overflow is in the it_read_envelope function in Dynamic Universal Music Bibliotheque (DUMB) 0.9.3 and earlier and current CVS as of 20060716, including libdumb, and allows user-complicit attackers to execute arbitrary code via a ".it" (Impulse Tracker) file with an envelope with a large number of nodes.

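The missing check described above, as an added example (not DUMB's code and not the Fedora patch): a parser that validates the node count read from the file before copying nodes into fixed-size arrays. The struct, the function names and the record layout (6 header bytes, 25 three-byte node points, 1 pad byte, taken from the public Impulse Tracker format description) are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ENV_MAX_NODES  25  /* assumed: an IT envelope stores at most 25 node points */
#define ENV_HEADER_LEN 6   /* assumed: flags, node count, four loop indices */
#define ENV_RECORD_LEN 82  /* assumed: header + 25 * 3 node bytes + 1 pad byte */

struct envelope {          /* hypothetical type, not DUMB's own structure */
    uint8_t  flags, n_nodes;
    int8_t   node_y[ENV_MAX_NODES];
    uint16_t node_t[ENV_MAX_NODES];
};

/* Parse one envelope record. Returns 0 on success, -1 if rejected. */
int parse_envelope(const uint8_t *buf, size_t len, struct envelope *env)
{
    if (env == NULL)
        return -1;
    memset(env, 0, sizeof *env);          /* a rejected record leaves n_nodes == 0 */
    if (buf == NULL || len < ENV_RECORD_LEN)
        return -1;                        /* truncated record */

    uint8_t count = buf[1];               /* value from the file: 0..255 */
    if (count > ENV_MAX_NODES)
        return -1;                        /* would write past node_y/node_t */

    env->flags = buf[0];
    env->n_nodes = count;
    for (size_t i = 0; i < count; i++) {
        const uint8_t *p = buf + ENV_HEADER_LEN + 3 * i;
        env->node_y[i] = (int8_t)p[0];
        env->node_t[i] = (uint16_t)(p[1] | (p[2] << 8));   /* little-endian tick */
    }
    return 0;
}

/* Constructed sample: a zeroed record that claims `count` nodes. */
int check_node_count(uint8_t count)
{
    uint8_t rec[ENV_RECORD_LEN] = {0};
    struct envelope env;
    rec[1] = count;
    return parse_envelope(rec, sizeof rec, &env);
}
```

Rejecting the record is one policy; clamping the count to the array capacity is the other common one, and either keeps the copy loop inside the arrays.
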
Fedora Extras versions 0.9.3-3 and earlier are vulnerable to this; upgrade to 0.9.3-4 to fix this vulnerability.

---------------------------------------------------------------------

This update can be installed with the 'yum' update program. Use 'yum update package-name' at the command line. For more information, refer to 'Managing Software with yum,' available at http://fedora.redhat.com/docs/yum/

package-announce@lists.fedoraproject.org