[CentOS] libgme drive-by exploit.

Fri Dec 16 19:38:45 UTC 2016
Lamar Owen <lowen at pari.edu>

On 12/16/2016 02:32 PM, Frank Cox wrote:
> rpm -q --whatprovides /usr/lib64/libgme.so.0
> game-music-emu-0.6.0-5.el7.x86_64
>
Like I said, I always reserve the right to be wrong.  Debian has issued 
an update with a list of CVEs that are so new that they're not on MITRE 
yet.  Debian DSA-3735-1:
https://security-tracker.debian.org/tracker/DSA-3735-1

This will be an EPEL update and not a CentOS one, as CentOS from media 
with no third-party repos does not have the affected library libgme.  
But a heads-up nonetheless, and a really good read if you are into how 
something like this (where this is Super NES audio chip (SPC700) 
assembly code) can cause a modern Linux distribution to be compromised.  
Silently, and in a drive-by-download fully automatic manner.