xzgv: Multiple overflows — GLSA 200501-09

xzgv contains multiple overflows that may lead to the execution of arbitrary code.

Affected packages

Package 	media-gfx/xzgv on all architectures
Affected versions 	<= 0.8
Unaffected versions 	>= 0.8-r1

Background

xzgv is a picture viewer for X, with a thumbnail-based file selector.

Description

Multiple overflows have been found in the image processing code of xzgv, including an integer overflow in the PRF parsing code (CAN-2004-0994).

Impact

An attacker could entice a user to open or browse a specially-crafted image file, potentially resulting in the execution of arbitrary code with the rights of the user running xzgv.

Workaround

There is no known workaround at this time.

Resolution

All xzgv users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-gfx/xzgv-0.8-r1"

References

    CAN-2004-0994
    iDEFENSE Advisory