Vulnerability Note VU#577654
GdkPixbuf ICO parser contains an integer overflow vulnerability
Overview
An integer overflow vulnerability exists in the ICO handling of GdkPixbuf. This vulnerability can lead to a denial-of-service condition.
Description
GdkPixbuf is a library used by GTK+ 2 for loading and rendering images. GTK+ is a multi-platform toolkit for creating graphical user interfaces. It is used by the Gnome desktop and other applications. GdkPixbuf contains an integer overflow vulnerability in the DecodeHeader() function of the ICO loading routine. |
Impact
By convincing the user to open a specially crafted ICO file, an attacker could cause a denial of service by crashing the application that uses GdkPixbuf. |
Solution
Apply a patch from your vendor For vendor-specific information regarding vulnerable status and patch availability, please see the vendor section of this document. |
Systems Affected (Learn More)
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Apple Computer Inc. | Not Affected | 17 Sep 2004 | 31 Jan 2005 |
| BSDI | Unknown | 17 Sep 2004 | 20 Sep 2004 |
| Conectiva | Unknown | 17 Sep 2004 | 20 Sep 2004 |
| Cray Inc. | Unknown | 17 Sep 2004 | 20 Sep 2004 |
| Debian | Unknown | 17 Sep 2004 | 20 Sep 2004 |
| EMC Corporation | Unknown | 17 Sep 2004 | 20 Sep 2004 |
| Engarde | Unknown | 17 Sep 2004 | 20 Sep 2004 |
| FreeBSD | Unknown | 17 Sep 2004 | 20 Sep 2004 |
| Fujitsu | Unknown | 17 Sep 2004 | 20 Sep 2004 |
| Hewlett-Packard Company | Unknown | 17 Sep 2004 | 20 Sep 2004 |
| Hitachi | Unknown | 17 Sep 2004 | 28 Sep 2004 |
| IBM | Unknown | 17 Sep 2004 | 20 Sep 2004 |
| IBM-zSeries | Unknown | 17 Sep 2004 | 20 Sep 2004 |
| IBM eServer | Unknown | 17 Sep 2004 | 20 Sep 2004 |
| Immunix | Unknown | 17 Sep 2004 | 20 Sep 2004 |
CVSS Metrics (Learn More)
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://secunia.com/advisories/12542/
- http://www.securitytracker.com/alerts/2004/Sep/1011285.html
- http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:095
- https://rhn.redhat.com/errata/RHSA-2004-447.html
Credit
Thanks to Chris Evans for reporting this vulnerability.
This document was written by Will Dormann.
Other Information
- CVE IDs: CAN-2004-0788
- Date Public: 15 Sep 2004
- Date First Published: 01 Oct 2004
- Date Last Updated: 01 Nov 2004
- Severity Metric: 1.77
- Document Revision: 10
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
View Notes By
Report a Vulnerability
Please use the Vulnerability Reporting Form to report a vulnerability. Alternatively, you can send us email. Be sure to read our vulnerability disclosure policy.