CERT Vulnerability Note VU#825374

GdkPixbuf BMP parser may enter an infinite loop

Published: 2004-10-01 00:00:00
Source: www.kb.cert.org

CVSS2 Base Score: 7.5 (High)

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.305 (Low), Percentile: 96.9%

Overview

A vulnerability exists in the BMP handling of GdkPixbuf. This vulnerability can lead to a denial-of-service condition.

Description

GdkPixbuf is a library used by GTK+ 2 for loading and rendering images. GTK+ is a multi-platform toolkit for creating graphical user interfaces. It is used by the Gnome desktop and other applications. GdkPixbuf contains a heap overflow vulnerability in the DoCompressed() function of the BMP loading routine.
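The note names the two failure classes a BMP decompression loop can fall into, a heap overflow in DoCompressed() and a loop that never terminates, without showing what guards against them. The following is an added illustration, not gdk-pixbuf's own code and not a reconstruction of its bug: a minimal BI_RLE8 decoder (the record layout, return codes and sample streams are assumptions made for this example) in which every write is bounds-checked against the pixel buffer and every iteration consumes input, so a crafted file ends in an error instead of a crash or a hang.

```c
/* Added illustration, not gdk-pixbuf's own code: a minimal BMP RLE8 scanline
 * decoder that has the two properties a DoCompressed()-style loop needs so a
 * crafted file can neither overflow the pixel buffer nor spin forever:
 * every write is bounds-checked against the output, and every iteration
 * consumes input, so a malformed stream ends in an error, not a hang. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum { RLE_OK = 0, RLE_TRUNCATED = -1, RLE_OVERFLOW = -2 };
/* Decode BI_RLE8 records into an 8bpp image of width*height bytes (row 0 is
 * the first row decoded). Never reads past in+in_len or writes past out. */
int rle8_decode(const uint8_t *in, size_t in_len,
                uint8_t *out, size_t width, size_t height)
{
    size_t x = 0, y = 0, pos = 0;   /* pos strictly increases every iteration */
    memset(out, 0, width * height);
    while (pos + 2 <= in_len) {     /* every RLE8 record is at least 2 bytes */
        uint8_t count = in[pos], val = in[pos + 1];
        pos += 2;
        if (count > 0) {            /* encoded run: count copies of val */
            if (y >= height || count > width - x) return RLE_OVERFLOW;
            memset(out + y * width + x, val, count);
            x += count;
        } else if (val == 0) {      /* end of line */
            x = 0; y++;
        } else if (val == 1) {      /* end of bitmap */
            return RLE_OK;
        } else if (val == 2) {      /* delta: move by (dx, dy) */
            if (pos + 2 > in_len) return RLE_TRUNCATED;
            if (in[pos] > width - x || in[pos + 1] > height - y) return RLE_OVERFLOW;
            x += in[pos]; y += in[pos + 1]; pos += 2;
        } else {                    /* absolute run: val literal bytes, word-padded */
            size_t n = val, padded = (n + 1) & ~(size_t)1;
            if (pos + padded > in_len) return RLE_TRUNCATED;
            if (y >= height || n > width - x) return RLE_OVERFLOW;
            memcpy(out + y * width + x, in + pos, n);
            x += n; pos += padded;
        }
    }
    return RLE_TRUNCATED;           /* input ended without an end-of-bitmap record */
}
/* Constructed 4x2 samples: a well-formed stream, an oversized run, a delta that
 * jumps outside the image, and a stream of nothing but end-of-line records. */
int rle8_selfcheck(void)
{
    uint8_t out[8];
    const uint8_t good[]  = {3, 0x11, 0, 0, 0, 3, 0xAA, 0xBB, 0xCC, 0x00, 0, 1};
    const uint8_t run[]   = {5, 0x11, 0, 1};
    const uint8_t delta[] = {0, 2, 9, 0, 0, 1};
    const uint8_t spin[]  = {0, 0, 0, 0, 0, 0};
    return rle8_decode(good, sizeof good, out, 4, 2) == RLE_OK
        && out[2] == 0x11 && out[3] == 0 && out[4] == 0xAA && out[6] == 0xCC
        && rle8_decode(run, sizeof run, out, 4, 2) == RLE_OVERFLOW
        && rle8_decode(delta, sizeof delta, out, 4, 2) == RLE_OVERFLOW
        && rle8_decode(spin, sizeof spin, out, 4, 2) == RLE_TRUNCATED;
}
int main(void) { puts(rle8_selfcheck() ? "all checks passed" : "FAILED"); return 0; }
```

The "spin" sample is the case a decoder without forward-progress guarantees mishandles: here it simply exhausts its input and reports truncation.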


Impact

By convincing the user to open a specially crafted BMP file, an attacker could cause a denial of service by crashing the application that uses GdkPixbuf.


Solution

Apply a patch from your vendor

For vendor-specific information regarding vulnerable status and patch availability, please see the vendor section of this document.

Upgrade your version of gtk+

Upgrade your system as specified by your vendor. If you need to compile the software from the original source, get gtk+ 2.4.10.


Vendor Information


Debian: Affected

Notified: September 17, 2004 Updated: September 20, 2004

Status: Affected

Vendor Statement:

The stable Debian distribution (3.0 alias woody) is vulnerable to several of these problems. The matrix below explains which version fixes which problem.

|                         | Gtk+2.0       | gdk-pixbuf     |
|-------------------------|---------------|----------------|
| VU#825374 CAN-2004-0753 | not vuln      | 0.17.0-2woody2 |
| VU#729894 CAN-2004-0782 | 2.0.2-5woody2 | 0.17.0-2woody2 |
| VU#369358 CAN-2004-0783 | 2.0.2-5woody2 | not vuln       |
| VU#577654 CAN-2004-0788 | 2.0.2-5woody2 | 0.17.0-2woody2 |

For the unstable distribution (sid) these problems have been fixed in version 0.22.0-7 of gdk-pixbuf, and will be fixed soon in Gtk+2.0.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


SuSE Inc.: Affected

Notified: September 17, 2004 Updated: September 20, 2004

Status: Affected

Vendor Statement:

Updated gtk2, gdk-pixbuf packages were already released. These packages do not contain fixes for the remote denial-of-service bug referenced by VU#825374 and CAN-2004-0753. This bug will be fixed as soon as possible.

Our customers can update their systems by using the YaST Online Update (YOU) tool or installing the RPM file directly from <http://www.suse.de/en/private/download/updates/>


Apple Computer Inc.: Not Affected

Notified: September 17, 2004 Updated: January 31, 2005

Status: Not Affected

Vendor Statement:

Mac OS X and Mac OS X Server do not contain the software described in this vulnerability note.


Hitachi: Not Affected

Notified: September 17, 2004 Updated: September 28, 2004

Status: Not Affected

Vendor Statement:

HI-UX/WE2 is NOT Vulnerable to this issue.


Vendors with status Unknown

The following 31 vendors were notified on September 17, 2004 and had not provided a statement as of the September 20, 2004 update; the vendor has not provided any further information regarding this vulnerability in any of these cases:

BSDI, Conectiva, Cray Inc., EMC Corporation, Engarde, FreeBSD, Fujitsu, Hewlett-Packard Company, IBM, IBM eServer, IBM-zSeries, Immunix, Ingrian Networks, Juniper Networks, MandrakeSoft, MontaVista Software, NEC Corporation, NETBSD, Nokia, Novell, OpenBSD, Openwall GNU/*/Linux, Red Hat Inc., SCO, SGI, Sequent, Sony Corporation, Sun Microsystems Inc., TurboLinux, Unisys, Wind River Systems Inc.


Acknowledgements

This vulnerability was reported by the Red Hat Security Response Team.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2004-0753
Severity Metric: 1.77
Date Public:
