Three buffer overflows have been discovered in xloadimage in its handling of the image title name. When xloadimage processes a loaded image, it creates a new Image object and writes the processed image to it. At that point, it also copies the title from the old image to the newly created image. The 'zoom', 'reduce', and 'rotate' functions use a fixed-length buffer to construct the new title name when an image is processed. Since the title name in a NIFF format is of varying length, and buffer size validation is insufficient, the buffer can be overflowed. Proof of concept files included.
A buffer overflow vulnerability exists in the Yanf news fetcher utility version 0.4.
Vilistextum version 2.6.6 is susceptible to a buffer overflow in the get_attr() function.
Bolthole Filter 2.6.1 is susceptible to a buffer overflow in the save_embedded_address() function.
DXFscope version 0.2 is susceptible to a buffer overflow in the dxfin() function.
changepassword version 0.8 fails to use a trusted path when calling make.
Convex 3D version 0.8pre1 is susceptible to a boundary error condition in the readObjectChunk() function that can result in arbitrary code execution.
A boundary error in the ParseCommand() function of CUPS version 1.x allows for a buffer overflow attack.
A boundary error condition in xine-lib versions 1-rc5 and 1-rc7 allows for arbitrary code execution.
A boundary error condition in ArBas 2fax allows for arbitrary code execution. Version 3.04 was found susceptible.