[CentOS] libgme drive-by exploit.

Lamar Owen lowen at pari.edu
Fri Dec 16 19:29:57 UTC 2016


On 12/16/2016 02:12 PM, Lamar Owen wrote:
> An interesting exploit:
> packages have it.... lessee.... nope, didn't find the 'Game Music Emu' 
> (gstreamer-plugins-bad-extras contains this in Fedora 25) anywhere, 
> but I reserve the right to be wrong.
>
And five minutes later:
[lowen at dhcp-pool170 ~]$ yum list|grep game-music-emu
game-music-emu.x86_64                    0.6.0-5.el7 @epel
game-music-emu-debuginfo.x86_64          0.6.0-3.el7.nux nux-dextop
game-music-emu-devel.x86_64              0.6.0-5.el7 epel
game-music-emu-player.x86_64             0.6.0-5.el7 epel
[lowen at dhcp-pool170 ~]$ rpm -ql game-music-emu
/usr/lib64/libgme.so.0
/usr/lib64/libgme.so.0.6.0
/usr/share/doc/game-music-emu-0.6.0
/usr/share/doc/game-music-emu-0.6.0/changes.txt
/usr/share/doc/game-music-emu-0.6.0/license.txt
/usr/share/doc/game-music-emu-0.6.0/readme.txt
[lowen at dhcp-pool170 ~]$

Yep, I was wrong: it is available (package name in the article was 
wrong) but not installed by default (is in EPEL).  So might be 
vulnerable, might need to test on a burner machine.



