SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#825374

GdkPixbuf BMP parser may enter an infinite loop

Overview

A vulnerability exists in the BMP handling of GdkPixbuf. This vulnerability can lead to a denial-of-service condition.

I. Description

GdkPixbuf is a library used by GTK+ 2 for loading and rendering images. GTK+ is a multi-platform toolkit for creating graphical user interfaces. It is used by the Gnome desktop and other applications. GdkPixbuf contains a heap overflow vulnerability in the DoCompressed() function of the BMP loading routine.

II. Impact

By convincing the user to open a specially crafted BMP file, an attacker could cause a denial of service by crashing the application that uses GdkPixbuf.

III. Solution

Apply a patch from your vendor

For vendor-specific information regarding vulnerable status and patch availability, please see the vendor section of this document.

Upgrade your version of gtk+

Upgrade your system as specified by your vendor. If you need to compile the software from the original source, get gtk+ 2.4.10.

Systems Affected

VendorStatusDate NotifiedDate Updated
Apple Computer Inc.Not Vulnerable31-Jan-2005
BSDIUnknown20-Sep-2004
ConectivaUnknown20-Sep-2004
Cray Inc.Unknown20-Sep-2004
DebianVulnerable20-Sep-2004
EMC CorporationUnknown20-Sep-2004
EngardeUnknown20-Sep-2004
FreeBSDUnknown20-Sep-2004
FujitsuUnknown20-Sep-2004
Hewlett-Packard CompanyUnknown20-Sep-2004
HitachiNot Vulnerable28-Sep-2004
IBMUnknown20-Sep-2004
IBM-zSeriesUnknown20-Sep-2004
IBM eServerUnknown20-Sep-2004
ImmunixUnknown20-Sep-2004
Ingrian NetworksUnknown20-Sep-2004
Juniper NetworksUnknown20-Sep-2004
MandrakeSoftUnknown20-Sep-2004
MontaVista SoftwareUnknown20-Sep-2004
NEC CorporationUnknown20-Sep-2004
NETBSDUnknown20-Sep-2004
NokiaUnknown20-Sep-2004
NovellUnknown20-Sep-2004
OpenBSDUnknown20-Sep-2004
Openwall GNU/*/LinuxUnknown20-Sep-2004
Red Hat Inc.Unknown20-Sep-2004
SCOUnknown20-Sep-2004
SequentUnknown20-Sep-2004
SGIUnknown20-Sep-2004
Sony CorporationUnknown20-Sep-2004
Sun Microsystems Inc.Unknown20-Sep-2004
SuSE Inc.Vulnerable20-Sep-2004
TurboLinuxUnknown20-Sep-2004
UnisysUnknown20-Sep-2004
Wind River Systems Inc.Unknown20-Sep-2004

References


http://secunia.com/advisories/12542/
http://www.securitytracker.com/alerts/2004/Sep/1011285.html
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:095
https://rhn.redhat.com/errata/RHSA-2004-447.html

Credit

This vulnerability was reported by the Red Hat Security Response Team.

This document was written by Will Dormann.

Other Information

Date Public:2004-09-15
Date First Published:2004-10-01
Date Last Updated:2004-11-02
CERT Advisory: 
CVE-ID(s):CAN-2004-0753
NVD-ID(s):CAN-2004-0753
US-CERT Technical Alerts: 
Metric:1.77
Document Revision:11

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2004 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader