|
|
Family: Gentoo Local Security Checks --> Category: infos
[GLSA-200409-28] GTK+ 2, gdk-pixbuf: Multiple image decoding vulnerabilities Vulnerability Scan
Vulnerability Scan Summary
GTK+ 2, gdk-pixbuf: Multiple image decoding vulnerabilities
Detailed Explanation for this Vulnerability Test
The remote host is affected by the vulnerability described in GLSA-200409-28
(GTK+ 2, gdk-pixbuf: Multiple image decoding vulnerabilities)
A vulnerability has been discovered in the BMP image preprocessor
(CVE-2004-0753). Furthermore, Chris Evans found a possible integer overflow
in the pixbuf_create_from_xpm() function, resulting in a heap overflow
(CVE-2004-0782). He also found a potential stack-based buffer overflow in
the xpm_extract_color() function (CVE-2004-0783). A possible integer
overflow has also been found in the ICO decoder.
Impact
With a specially crafted BMP image a possible hacker could cause an affected
application to enter an infinite loop when that image is being processed.
Also, by making use of specially crafted XPM or ICO images a possible hacker
could trigger the overflows, which potentially allows the execution of
arbitrary code.
Workaround
There is no known workaround at this time.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0782
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0783
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0788
http://bugzilla.gnome.org/show_bug.cgi?id=150601
Solution:
All GTK+ 2 users should upgrade to the latest version:
# emerge sync
# emerge -pv ">=x11-libs/gtk+-2.4.9-r1"
# emerge ">=x11-libs/gtk+-2.4.9-r1"
All GdkPixbuf users should upgrade to the latest version:
# emerge sync
# emerge -pv ">=media-libs/gdk-pixbuf-0.22.0-r3"
# emerge ">=media-libs/gdk-pixbuf-0.22.0-r3"
Threat Level: Medium
Click HERE for more information and discussions on this network vulnerability scan.
|
