[CVE-2014-2977] DirectFB integer signedness vulnerability
Posted on Thu 15 May 2014 in Advisory
Summary
DirectFB is prone to an integer signedness vulnerability since version 1.4.13.
The vulnerability can be triggered remotely without authentication through Voodoo interface (network layer of DirectFB).
Details
This integer coercion error may lead to a stack overflow.CVSS Version 2 Metrics
- Access Vector: Network exploitable
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: Complete
- Integrity Impact: Complete
- Availability Impact: Complete
Disclosure Timeline
- 2014-03-27 Developer notified
- 2014-04-21 CVE-2014-2977 assigned
- 2014-05-16 Public advisory
References
- http://www.directfb.org/
- http://mail.directfb.org/pipermail/directfb-dev/2014-March/006805.html