Vulnerability Note VU#729894
GdkPixbuf XPM parser contains a heap overflow vulnerability
Overview
A heap overflow vulnerability exists in the XPM handling of GdkPixbuf. This vulnerability can lead to a denial-of-service condition or execution of arbitrary code.
Description
GdkPixbuf is a library used by GTK+ 2 for loading and rendering images. GTK+ is a multi-platform toolkit for creating graphical user interfaces. It is used by the Gnome desktop and other applications. GdkPixbuf contains a heap overflow vulnerability in the pixbuf_create_from_xpm() function of the XPM loading routine.
Impact
By convincing the user to open a specially crafted XPM file, an attacker could cause a denial of service by crashing the application that uses GdkPixbuf. It may also be possible to execute arbitrary code with the permissions of that application.
Solution
Apply a patch from your vendor. For vendor-specific information regarding vulnerable status and patch availability, please see the vendor section of this document.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Debian | Affected | 17 Sep 2004 | 20 Sep 2004 |
| SuSE Inc. | Affected | 17 Sep 2004 | 20 Sep 2004 |
| Apple Computer Inc. | Not Affected | 17 Sep 2004 | 31 Jan 2005 |
| Hitachi | Not Affected | 17 Sep 2004 | 28 Sep 2004 |
| BSDI | Unknown | 17 Sep 2004 | 20 Sep 2004 |
| Conectiva | Unknown | 17 Sep 2004 | 20 Sep 2004 |
| Cray Inc. | Unknown | 17 Sep 2004 | 20 Sep 2004 |
| EMC Corporation | Unknown | 17 Sep 2004 | 20 Sep 2004 |
| Engarde | Unknown | 17 Sep 2004 | 20 Sep 2004 |
| FreeBSD | Unknown | 17 Sep 2004 | 20 Sep 2004 |
| Fujitsu | Unknown | 17 Sep 2004 | 20 Sep 2004 |
| Hewlett-Packard Company | Unknown | 17 Sep 2004 | 20 Sep 2004 |
| IBM | Unknown | 17 Sep 2004 | 20 Sep 2004 |
| IBM-zSeries | Unknown | 17 Sep 2004 | 20 Sep 2004 |
| IBM eServer | Unknown | 17 Sep 2004 | 20 Sep 2004 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://secunia.com/advisories/12542/
- http://www.securitytracker.com/alerts/2004/Sep/1011285.html
- http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:095
- https://rhn.redhat.com/errata/RHSA-2004-447.html
Credit
Thanks to Chris Evans for reporting this vulnerability.
This document was written by Will Dormann.
Other Information
- CVE IDs: CAN-2004-0782
- Date Public: 15 Sep 2004
- Date First Published: 01 Oct 2004
- Date Last Updated: 01 Nov 2004
- Severity Metric: 8.86
- Document Revision: 9