[CVE-2014-2977] DirectFB integer signedness vulnerability

Posted on Thu 15 May 2014 in Advisory

Summary

DirectFB is prone to an integer signedness vulnerability since version 1.4.13.

The vulnerability can be triggered remotely without authentication through Voodoo interface (network layer of DirectFB).

Details

This integer coercion error may lead to a stack overflow.

CVSS Version 2 Metrics

  • Access Vector: Network exploitable
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete

Disclosure Timeline

  • 2014-03-27 Developer notified
  • 2014-04-21 CVE-2014-2977 assigned
  • 2014-05-16 Public advisory

References

  • http://www.directfb.org/
  • http://mail.directfb.org/pipermail/directfb-dev/2014-March/006805.html

vulnerability advisory