author | naddy <naddy@FreeBSD.org> | 2005-10-20 21:52:35 +0800 |
---|---|---|
committer | naddy <naddy@FreeBSD.org> | 2005-10-20 21:52:35 +0800 |
commit | 1b5b9ec4e7fe022cda3c128b87649556b8d2c749 (patch) | |
tree | e75216b916e6257de1af7d860b8f944f57c9bfab /security | |
parent | bbb4eab3840ee2cae9f02287da0f790b3e6a13b4 (diff) | |
Document x11/xloadimage buffer overflows in NIFF image title handling.
Diffstat (limited to 'security')
-rw-r--r-- | security/vuxml/vuln.xml | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index cc92a4c308df..30d294d50a26 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -34,6 +34,45 @@ Note: Please add new entries to the beginning of this file. --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="2f0cb4bb-416d-11da-99fe-000854d03344"> + <topic>xloadimage -- buffer overflows in NIFF image title handling</topic> + <affects> + <package> + <name>xloadimage</name> + <range><lt>4.1.15</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Ariel Berkman reports:</p> + <blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=112862493918840&w=2"> + <p>Unlike most of the supported image formats in xloadimage, + the NIFF image format can store a title name of arbitrary + length as part of the image file.</p> + <p>When xloadimage is processing a loaded image, it is + creating a new Image object and then writing the processed + image to it. At that point, it will also copy the title + from the old image to the newly created image.</p> + <p>The 'zoom', 'reduce', and 'rotate' functions are using + a fixed length buffer to construct the new title name + when an image processing is done. Since the title name + in a NIFF format is of varying length, and there are + insufficient buffer size validations, the buffer can + be overflowed.</p> + </blockquote> + </body> + </description> + <references> + <bid>15051</bid> + <cvename>CVE-2005-3178</cvename> + <mlist msgid="BOEKKJLADFNHIEFBHCECMEONCFAA.aberkm1@uic.edu">http://marc.theaimsgroup.com/?l=bugtraq&m=112862493918840&w=2</mlist> + </references> + <dates> + <discovery>2005-10-05</discovery> + <entry>2005-10-20</entry> + </dates> + </vuln> + <vuln vid="97d45e95-3ffc-11da-a263-0001020eed82"> <topic>snort -- Back Orifice preprocessor buffer overflow vulnerability</topic> |
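Review bot: The `cite` attribute on the `<blockquote>` and the URL inside `<mlist>` both show bare `&` characters (`?l=bugtraq&m=112862493918840&w=2`). In XML these have to be written as `&amp;`, otherwise vuln.xml is no longer well-formed and every consumer of the file fails to parse it, not just this entry. If the bare `&` is only how this page renders the diff, nothing needs to change; if it is what the file contains, escape both occurrences before committing. It is also worth confirming that the `<lt>4.1.15</lt>` bound matches the first fixed package version exactly, since the entry gives no port revision and the quoted advisory text does not name a fixed release.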