Mozilla Firefox SVG _cairo_pen_init Heap Overflow

2007-02-23T12:03:50
ID OSVDB:32113
Type osvdb
Reporter Tom Ferris(tommy@security-protocols.com)
Modified 2007-02-23T12:03:50

Description

Vulnerability Description

A remote overflow exists in Mozilla Firefox. The application fails to validate the value of the SVG 'stroke-width' attribute before it reaches the '_cairo_pen_init' function, resulting in a heap overflow. With a specially crafted .svg file, an attacker can cause arbitrary code execution, resulting in a loss of integrity.

Technical Description

Firefox's internal SVG viewer contains a buffer overflow when a very large value is used for the 'stroke-width' attribute. The markup below demonstrates the vulnerability when placed inside the root <svg> element of an SVG file.

<clipPath stroke-width="2000000000000000" color="1" > <line> </line> </clipPath>
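The pattern behind this bug class, and the checks that close it, as an added example (this is not cairo's or Firefox's code; the pen structure, the vertex formula, the PEN_MAX_VERTICES cap, the strict attribute parser and the 32-bit byte-count model are all assumptions made for illustration): an attacker-controlled numeric attribute drives a vertex count, the count drives an allocation size, and nothing bounds either. The unchecked helper shows how a 32-bit size computation wraps to a tiny allocation that a later vertex-filling loop then overruns; the hardened initialiser rejects non-finite, negative and oversized values before any integer conversion, caps the derived count, checks the multiplication and checks malloc.

```c
/* Illustrative model of the bug class in the advisory above. Not cairo's or
 * Firefox's code: pen_t, vertices_for_radius(), PEN_MAX_VERTICES and the
 * parser are assumptions. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct { double x, y; } pen_vertex_t;

typedef struct {
    pen_vertex_t *vertices;
    size_t        num_vertices;
} pen_t;

/* Assumed cap: far above what any sane stroke needs, far below anything that
 * lets the attribute value steer the allocation size. */
#define PEN_MAX_VERTICES 65536u

/* Assumed flattening model: two vertices per unit of radius, minimum four.
 * A real pen derives this from the tolerance; the formula is not the point. */
static double vertices_for_radius(double radius)
{
    double n = radius * 2.0;
    return n < 4.0 ? 4.0 : n;
}

/* Finite check without libm: NaN fails x == x, +/-inf makes x - x NaN. */
static bool finite_double(double x)
{
    return x == x && (x - x) == 0.0;
}

/* Strict parser for the attribute text. Accepts plain numbers only (no SVG
 * length units); rejects empty/garbage/trailing text, NaN/inf (including
 * overflow such as "1e400") and negative widths. */
static bool parse_stroke_width(const char *s, double *out)
{
    char *end = NULL;
    errno = 0;
    double v = strtod(s, &end);
    if (end == s || *end != '\0')          /* nothing parsed, or trailing junk */
        return false;
    if (errno == ERANGE || !finite_double(v) || v < 0.0)
        return false;
    *out = v;
    return true;
}

/* The unchecked pattern, modelling a 32-bit build (assumed): a byte count
 * computed from an attacker-controlled vertex count. Each vertex is 16 bytes,
 * so any count >= 2^28 wraps; 0x10000001 vertices yields a 16-byte block, and
 * a loop that then writes 0x10000001 vertices overruns the heap. */
static uint32_t bytes_needed_unchecked(uint32_t count)
{
    return (uint32_t)(count * (uint32_t)sizeof(pen_vertex_t));
}

/* Hardened initialisation: validate the value, cap the derived count before
 * converting it (out-of-range double->integer conversion is undefined),
 * check the multiplication, check the allocation. */
static bool pen_init_checked(pen_t *pen, const char *stroke_width_attr)
{
    pen->vertices = NULL;
    pen->num_vertices = 0;

    double width;
    if (!parse_stroke_width(stroke_width_attr, &width))
        return false;

    double n = vertices_for_radius(width / 2.0);
    if (n > (double)PEN_MAX_VERTICES)
        return false;
    size_t count = (size_t)n;

    /* Redundant given the cap, but the idiom every allocation helper needs. */
    if (count > SIZE_MAX / sizeof(pen_vertex_t))
        return false;
    pen->vertices = malloc(count * sizeof(pen_vertex_t));
    if (pen->vertices == NULL)
        return false;

    for (size_t i = 0; i < count; i++) {   /* writes stay inside the block */
        pen->vertices[i].x = 0.0;
        pen->vertices[i].y = 0.0;
    }
    pen->num_vertices = count;
    return true;
}

static void pen_fini(pen_t *pen)
{
    free(pen->vertices);
    pen->vertices = NULL;
    pen->num_vertices = 0;
}

int main(void)
{
    /* Constructed inputs: the advisory's value plus common malformed cases. */
    const char *inputs[] = { "2.5", "2000000000000000", "1e400", "-3", "12px", "" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        pen_t pen;
        bool ok = pen_init_checked(&pen, inputs[i]);
        printf("stroke-width=\"%s\": %s (%zu vertices)\n",
               inputs[i], ok ? "accepted" : "rejected", pen.num_vertices);
        pen_fini(&pen);
    }
    return 0;
}
```

The advisory's value of 2000000000000000 never reaches an integer conversion in the hardened path: it is rejected by the cap while still a double. The order matters; converting first and capping afterwards reintroduces the undefined conversion the check is meant to prevent.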

Solution Description

Upgrade to Firefox 2.0.0.2 or higher, as it has been reported to fix this vulnerability. As a workaround, disable Firefox's internal SVG viewer.

Short Description

Mozilla Firefox fails to validate the SVG 'stroke-width' attribute value passed to the '_cairo_pen_init' function, resulting in a heap overflow; a specially crafted .svg file can lead to arbitrary code execution and a loss of integrity.

References:

Vendor Specific Solution URL: http://security.gentoo.org/glsa/glsa-200703-04.xml
Vendor Specific News/Changelog Entry: https://bugzilla.mozilla.org/show_bug.cgi?id=360645
Security Tracker: 1017698
Secunia Advisory ID: 24293, 24328, 24333, 24455, 24569, 25588, 24205, 24393, 24437, 24406, 24238, 24320, 24457, 24384, 24456, 24522, 24410, 24389
Related OSVDB ID: 32103, 32107, 32110, 32109, 32114, 32115, 32104, 32105, 32111
Other Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200703-04.xml
Other Advisory URL: http://lists.suse.com/archive/suse-security-announce/2007-Mar/0001.html
Other Advisory URL: http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.363947
Other Advisory URL: http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.374851
Other Advisory URL: http://www.ubuntu.com/usn/usn-431-1
Other Advisory URL: http://www.us.debian.org/security/2007/dsa-1336
Other Advisory URL: http://fedoranews.org/cms/node/2728
Other Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200703-18.xml
Other Advisory URL: http://fedoranews.org/cms/node/2721
Other Advisory URL: http://www.ubuntu.com/usn/usn-428-1
Other Advisory URL: http://lists.suse.com/archive/suse-security-announce/2007-Mar/0006.html
Other Advisory URL: http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.338131
Other Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200703-08.xml
Other Advisory URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:052
Other Advisory URL: http://fedoranews.org/cms/node/2747
ISS X-Force ID: 32698
FrSIRT Advisory: ADV-2007-0719, ADV-2007-0718
CVE: CVE-2007-0776
CERT VU: 551436
Bugtraq ID: 22694