Lucene search

Gentoo FoundationGLSA-200604-10

HistoryApr 21, 2006 - 12:00 a.m.

zgv, xzgv: Heap overflow

2006-04-2100:00:00

Gentoo Foundation

security.gentoo.org

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.021

Percentile

89.2%

JSON

Background

xzgv and zgv are picture viewing utilities with a thumbnail based file selector.

Description

Andrea Barisani of Gentoo Linux discovered xzgv and zgv allocate insufficient memory when rendering images with more than 3 output components, such as images using the YCCK or CMYK colour space. When xzgv or zgv attempt to render the image, data from the image overruns a heap allocated buffer.

Impact

An attacker may be able to construct a malicious image that executes arbitrary code with the permissions of the xzgv or zgv user when attempting to render the image.

Workaround

There is no known workaround at this time.

Resolution

All xzgv users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose "&gt;=media-gfx/xzgv-0.8-r2"

All zgv users should also upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose "&gt;=media-gfx/zgv-5.9"

OSVersionArchitecturePackageVersionFilename
Gentooanyallmedia-gfx/xzgv< 0.8-r2UNKNOWN
Gentooanyallmedia-gfx/zgv< 5.9UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Gentoo	any	all	media-gfx/xzgv	< 0.8-r2	UNKNOWN
Gentoo	any	all	media-gfx/zgv	< 5.9	UNKNOWN

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.021

Percentile

89.2%

JSON

Related for GLSA-200604-10