CVE-2004-0994
CVSS 10.0
Published: 2005-01-10 00:00:00
Last revised: 2016-10-17 22:50:32

[Original] Multiple integer overflows in xzgv 0.8 and earlier allow remote attackers to execute arbitrary code via images with large width and height values, which trigger a heap-based buffer overflow, as demonstrated in the read_prf_file function in readprf.c. NOTE: CVE-2004-0994 and CVE-2004-1095 identify sets of bugs that only partially overlap, despite having the same developer. Therefore, they should be regarded as distinct.


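[CNNVD] xzgv Multiple Integer Overflow Vulnerabilities (CNNVD-200501-192)

        xzgv is an open-source picture viewer for X.
        Multiple integer overflow vulnerabilities exist in xzgv 0.8.
        A remote attacker can trigger the overflow with an image file that contains oversized width/height values. For example, the read_prf_file function in readprf.c can be exploited by an attacker, which may lead to arbitrary code execution.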

- CVSS (Base Score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)

cpe:/o:debian:debian_linux:3.0::ia-32
cpe:/o:debian:debian_linux:3.0::ppc
cpe:/o:debian:debian_linux:3.0::arm
cpe:/o:debian:debian_linux:3.0::mipsel
cpe:/o:debian:debian_linux:3.0::hppa
cpe:/o:debian:debian_linux:3.0::ia-64
cpe:/o:debian:debian_linux:3.0::mips
cpe:/o:debian:debian_linux:3.0::alpha
cpe:/a:zgv:zgv_image_viewer:5.5
cpe:/o:debian:debian_linux:3.0::m68k
cpe:/a:zgv:zgv_image_viewer:5.8
cpe:/a:zgv:xzgv_image_viewer:0.8
cpe:/a:zgv:zgv_image_viewer:5.6
cpe:/o:debian:debian_linux:3.0::sparc
cpe:/a:zgv:zgv_image_viewer:5.7
cpe:/o:debian:debian_linux:3.0::s-390
cpe:/a:zgv:xzgv_image_viewer:0.6
cpe:/a:zgv:xzgv_image_viewer:0.7

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0994
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0994
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200501-192
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=bugtraq&m=110297198402077&w=2
(UNKNOWN)  IDEFENSE  20041213 Multiple Vendor xzgv PRF Parsing Integer Overflow Vulnerability
http://rus.members.beeb.net/xzgv-0.8-integer-overflow-fix.diff
(UNKNOWN)  CONFIRM  http://rus.members.beeb.net/xzgv-0.8-integer-overflow-fix.diff
http://www.debian.org/security/2004/dsa-614
(UNKNOWN)  DEBIAN  DSA-614
http://xforce.iss.net/xforce/xfdb/18454
(UNKNOWN)  XF  xzgv-readprffile-bo(18454)

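- Vulnerability Information

xzgv Multiple Integer Overflow Vulnerabilities
Critical  Buffer overflow
2005-01-10 00:00:00 2006-09-27 00:00:00
Remote
        xzgv is an open-source picture viewer for X.
        Multiple integer overflow vulnerabilities exist in xzgv 0.8.
        A remote attacker can trigger the overflow with an image file that contains oversized width/height values. For example, the read_prf_file function in readprf.c can be exploited by an attacker, which may lead to arbitrary code execution.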

- Advisories and Patches

        The vendor has released an upgrade patch that fixes this security issue. The patch is available at:
        http://sourceforge.net/projects/xzgv/files/

- Vulnerability Information (F35319)

iDEFENSE Security Advisory 2004-12-13.t (PacketStormID:F35319)
2004-12-30 00:00:00
iDefense Labs,infamous41md  idefense.com
advisory,remote,overflow,arbitrary,code execution
CVE-2004-0994

iDEFENSE Security Advisory 12.13.2004 - Remote exploitation of an integer overflow vulnerability in various vendors' implementations of the read_prf_file method in the xzgv program could allow for arbitrary code execution.

Multiple Vendor xzgv PRF Parsing Integer Overflow Vulnerability

iDEFENSE Security Advisory 12.13.04
http://www.idefense.com/application/poi/display?type=vulnerabilities
December 13, 2004

I. BACKGROUND

xzgv is a picture viewer for X, with a thumbnail-based file selector. It
uses GTK+ and Imlib 1.x. Most file formats are supported, and the
thumbnails used are compatible with xv, zgv and the Gimp.

II. DESCRIPTION

Remote exploitation of an integer overflow vulnerability in various
vendors' implementations of the read_prf_file method in the xzgv program
could allow for arbitrary code execution. The vulnerability specifically
exists due to an integer overflow while allocating memory for an image
file. The vulnerable code is as follows:

xzgv-0.8/src/readprf.c:
if((*theimageptr=malloc(width*height*3))==NULL)
[...]

The values width and height are integers that are ultimately supplied by
the image file. With certain values for height and width set in an image
file, not enough memory is allocated due to an integer overflow. The
underallocated memory is later written to, causing heap corruption and
possible arbitrary code execution with the privileges of the user
viewing the image file.

III. ANALYSIS

Exploitation allows attackers to gain the privileges of the user viewing
the image file. If a user can be convinced to view a malicious file,
this vulnerability can be exploited remotely.

IV. DETECTION

The following vendors have confirmed the availability of susceptible 
xzgv packages within their respective operating system distributions: 
	SuSE
	Debian
	Gentoo 
	FreeBSD 

V. WORKAROUND

Only accept image files from trusted sources. Use a different image 
viewer program to view untrusted images.

VI. VENDOR RESPONSE

The vulnerability has been addressed in the following patch:

http://rus.members.beeb.net/xzgv-0.8-integer-overflow-fix.diff

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0994 to this issue. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/05/2004  Initial vendor notification
12/10/2004  Secondary vendor notification
12/10/2004  Initial vendor response
12/13/2004  Coordinated public disclosure

IX. CREDIT

Infamous41md is credited with this discovery.

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
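
The allocation flaw described in section II of the advisory above, shown as an added example (it is not code from the advisory, from xzgv, or from the vendor patch): it models the 32-bit wrap of width*height*3 and puts a checked size computation beside it. The names wrapped_request, checked_rgb_size, alloc_rgb and the MAX_PIXELS cap are hypothetical, and the dimension values are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Models what malloc(width*height*3) requests when int is 32 bits wide.
 * The product is computed in uint32_t so the wraparound is well defined
 * here; in the original expression signed overflow is undefined behaviour. */
static uint32_t wrapped_request(int width, int height)
{
    return (uint32_t)width * (uint32_t)height * 3u;
}

/* Hardened size computation: rejects non-positive dimensions and any
 * product that does not fit in size_t. Returns 0 on success, -1 otherwise. */
static int checked_rgb_size(int width, int height, size_t *out)
{
    if (width <= 0 || height <= 0)
        return -1;
    size_t w = (size_t)width, h = (size_t)height;
    if (w > SIZE_MAX / 3 || h > SIZE_MAX / (w * 3))
        return -1;
    *out = w * h * 3;
    return 0;
}

/* Allocation wrapper a parser would call instead of the bare malloc().
 * MAX_PIXELS is a hypothetical policy cap, not a value from xzgv. */
#define MAX_PIXELS ((size_t)1 << 28)
static unsigned char *alloc_rgb(int width, int height)
{
    size_t n;
    if (checked_rgb_size(width, height, &n) != 0 || n / 3 > MAX_PIXELS)
        return NULL;
    return malloc(n);
}

int main(void)
{
    /* Constructed header values: 65536 * 65536 * 3 wraps to 0 in 32 bits. */
    int w = 65536, h = 65536;
    printf("32-bit request: %u bytes\n", (unsigned)wrapped_request(w, h));
    printf("checked alloc:  %s\n", alloc_rgb(w, h) ? "allocated" : "rejected");
    return 0;
}
```

The overflow check alone is not sufficient on 64-bit builds, where the full product fits in size_t; the pixel cap is what rejects the oversized request there.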


    

- Vulnerability Information

12357
xzgv read_prf_file Method Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity

- Vulnerability Description

- Timeline

2004-12-13 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- Related References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

ZGV And XZGV Image Viewer Multiple Remote Integer Overflow Vulnerabilities
Boundary Condition Error 11556
Yes No
2004-10-25 12:00:00 2009-07-12 08:06:00
Discovery of these issues is credited to Sean <infamous41md@hotpop.com> and Luke Macken.

- Affected Software Versions

zgv Image Viewer 5.8
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ Gentoo Linux
zgv Image Viewer 5.7
zgv Image Viewer 5.6
zgv Image Viewer 5.5
+ Gentoo Linux
xzgv Image Viewer 0.8
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ FreeBSD FreeBSD 5.3 -STABLE
+ FreeBSD FreeBSD 5.3 -RELEASE
+ FreeBSD FreeBSD 5.3
+ FreeBSD FreeBSD 5.2.1 -RELEASE
+ FreeBSD FreeBSD 5.2 -RELENG
+ FreeBSD FreeBSD 5.2 -RELEASE
+ FreeBSD FreeBSD 5.2
+ FreeBSD FreeBSD 5.1 -RELENG
+ FreeBSD FreeBSD 5.1 -RELEASE/Alpha
+ FreeBSD FreeBSD 5.1 -RELEASE-p5
+ FreeBSD FreeBSD 5.1 -RELEASE
+ FreeBSD FreeBSD 5.1
+ FreeBSD FreeBSD 5.0 -RELENG
+ FreeBSD FreeBSD 5.0 -RELEASE-p14
+ FreeBSD FreeBSD 5.0 alpha
+ FreeBSD FreeBSD 5.0
+ Gentoo Linux
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
+ S.u.S.E. Linux Personal 9.2
+ S.u.S.E. Linux Personal 9.1
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
+ S.u.S.E. Linux Personal 8.2
xzgv Image Viewer 0.7
xzgv Image Viewer 0.6
Gentoo Linux
Debian Linux 3.0 sparc
Debian Linux 3.0 s/390
Debian Linux 3.0 ppc
Debian Linux 3.0 mipsel
Debian Linux 3.0 mips
Debian Linux 3.0 m68k
Debian Linux 3.0 ia-64
Debian Linux 3.0 ia-32
Debian Linux 3.0 hppa
Debian Linux 3.0 arm
Debian Linux 3.0 alpha

- Vulnerability Discussion

zgv is reportedly affected by multiple remote integer overflow vulnerabilities. These issues are due to a failure of the application to perform adequate sanity checking on image values prior to copying image data into process buffers.

An attacker may leverage these issues to execute arbitrary code on an affected computer with the privileges of the user running the vulnerable application.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Debian Linux has released advisory DSA 614-1 along with fixes dealing with this issue. Please see the referenced advisory for more information.

Gentoo Linux has released advisory GLSA 200411-12:01 to address this issue in zgv. Users of the affected package are urged to execute the following commands with superuser privileges to install the updates:
emerge --sync
emerge --ask --oneshot --verbose ">=media-gfx/zgv-5.8"

The vendor has released patches dealing with this issue in both the zgv and xzgv applications.

Debian Linux has released advisory DSA 608-1 along with fixes dealing with this issue. Please see the referenced advisory for more information.

Gentoo Linux has released advisory GLSA 200501-09 to address this issue in xzgv. Users of the affected package are urged to execute the following commands with superuser privileges to install the updates:
emerge --sync
emerge --ask --oneshot --verbose ">=media-gfx/xzgv-0.8-r1"


xzgv Image Viewer 0.7

xzgv Image Viewer 0.8

zgv Image Viewer 5.5

zgv Image Viewer 5.8

- Related References

 

 
