Vulnerability Note VU#352825
GNU gv buffer overflow vulnerability
Overview
A buffer overflow vulnerability exists in the GNU gv viewer application. Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code, or cause a denial-of-service condition.
I. Description
From the GNU gv website:
GNU gv allows to view and navigate through PostScript and PDF documents on an X display by providing a user interface for the ghostscript interpreter.
gv is a improved derivation of Timothy O. Theisen's Ghostview developed by Johannes Plass.
A buffer overflow vulnerability exists in the GNU gv viewer. An attacker may be able to trigger the overflow by convincing a user to open a specially-crafted PostScript file.
Note that GNU gv is maintained and packaged by many vendors. Please see the systems affected portion of this document for a list of vendors who distribute GNU gv.
II. Impact
A remote, unauthenticated attacker may be able to execute code with the privileges of the user running GNU gv.
III. Solution
Upgrade
Apply an upgrade. See the systems affected portion of this document for information about specific vendors.
Do not execute GNU gv with root privileges
Using a non-privileged user account to launch GNU gv may mitigate the impact of this vulnerability.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
| Apple Computer, Inc. | Unknown | 28-Nov-2006 |
| Conectiva Inc. | Unknown | 28-Nov-2006 |
| Cray Inc. | Unknown | 28-Nov-2006 |
| Debian GNU/Linux | Vulnerable | 28-Nov-2006 |
| EMC, Inc. (formerly Data General Corporation) | Unknown | 28-Nov-2006 |
| Engarde Secure Linux | Unknown | 28-Nov-2006 |
| F5 Networks, Inc. | Unknown | 28-Nov-2006 |
| Fedora Project | Unknown | 28-Nov-2006 |
| FreeBSD, Inc. | Unknown | 28-Nov-2006 |
| Fujitsu | Unknown | 28-Nov-2006 |
| Gentoo Linux | Vulnerable | 29-Nov-2006 |
| Hewlett-Packard Company | Unknown | 28-Nov-2006 |
| Hitachi | Unknown | 28-Nov-2006 |
| IBM Corporation | Unknown | 28-Nov-2006 |
| IBM Corporation (zseries) | Unknown | 28-Nov-2006 |
| IBM eServer | Unknown | 28-Nov-2006 |
| Immunix Communications, Inc. | Unknown | 28-Nov-2006 |
| Ingrian Networks, Inc. | Unknown | 28-Nov-2006 |
| Juniper Networks, Inc. | Not Vulnerable | 28-Nov-2006 |
| Mandriva, Inc. | Unknown | 28-Nov-2006 |
| Microsoft Corporation | Not Vulnerable | 28-Nov-2006 |
| MontaVista Software, Inc. | Unknown | 28-Nov-2006 |
| NEC Corporation | Unknown | 28-Nov-2006 |
| NetBSD | Not Vulnerable | 29-Nov-2006 |
| Nokia | Unknown | 28-Nov-2006 |
| Novell, Inc. | Unknown | 28-Nov-2006 |
| OpenBSD | Unknown | 28-Nov-2006 |
| Openwall GNU/*/Linux | Not Vulnerable | 1-Dec-2006 |
| QNX, Software Systems, Inc. | Unknown | 28-Nov-2006 |
| Red Hat, Inc. | Unknown | 28-Nov-2006 |
| Silicon Graphics, Inc. | Unknown | 28-Nov-2006 |
| Slackware Linux Inc. | Unknown | 28-Nov-2006 |
| Sony Corporation | Unknown | 28-Nov-2006 |
| Sun Microsystems, Inc. | Unknown | 28-Nov-2006 |
| SUSE Linux | Unknown | 28-Nov-2006 |
| The SCO Group | Unknown | 28-Nov-2006 |
| Trustix Secure Linux | Unknown | 28-Nov-2006 |
| Turbolinux | Unknown | 28-Nov-2006 |
| Ubuntu | Unknown | 28-Nov-2006 |
| Unisys | Unknown | 28-Nov-2006 |
| Wind River Systems, Inc. | Unknown | 28-Nov-2006 |
References
http://secunia.com/advisories/22787/
http://secunia.com/advisories/23018/
http://secunia.com/advisories/23006/
Credit
This vulnerability was publicly reported by Renaud Lifchitz.
This document was written by Ryan Giobbi.
Other Information
| Date Public: | 2006-11-09 |
| Date First Published: | 2006-11-28 |
| Date Last Updated: | 2006-12-01 |
| CERT Advisory: | |
| CVE-ID(s): | CVE-2006-5864 |
| NVD-ID(s): | CVE-2006-5864 |
| US-CERT Technical Alerts: | |
| Metric: | 0.10 |
| Document Revision: | 34 |