An exploitable integer overflow vulnerability exists in the flattenIncrementally function in the xcf2png and xcf2pnm binaries of xcftools 1.0.7. An integer overflow can occur while calculating the row's allocation size, which could be exploited to corrupt memory and eventually execute arbitrary code. To trigger this vulnerability, a victim would need to open a specially crafted XCF file.
{"id": "VERACODE:29513", "vendorId": null, "type": "veracode", "bulletinFamily": "software", "title": "Arbitrary Code Execution", "description": "An exploitable integer overflow vulnerability exists in the flattenIncrementally function in the xcf2png and xcf2pnm binaries of xcftools 1.0.7. An integer overflow can occur while calculating the row's allocation size, that could be exploited to corrupt memory and eventually execute arbitrary code. In order to trigger this vulnerability, a victim would need to open a specially crafted XCF file.\n", "published": "2021-02-26T07:21:52", "modified": "2022-04-29T19:18:36", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.8}, "severity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-29513/summary", "reporter": "Veracode Vulnerability Database", "references": ["https://lists.debian.org/debian-lts-announce/2021/02/msg00014.html", "https://lists.debian.org/debian-lts-announce/2021/03/msg00008.html", "https://security-tracker.debian.org/tracker/CVE-2019-5087", 
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0879", "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0879"], "cvelist": ["CVE-2019-5087"], "immutableFields": [], "lastseen": "2022-07-26T13:51:30", "viewCount": 1, "enchantments": {"score": {"value": 4.2, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-5087"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2553-1:E863A", "DEBIAN:DLA-2553-2:48AF3"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2019-5087"]}, {"type": "nessus", "idList": ["DEBIAN_DLA-2553.NASL"]}, {"type": "osv", "idList": ["OSV:DLA-2553-1"]}, {"type": "talos", "idList": ["TALOS-2019-0879"]}, {"type": "talosblog", "idList": ["TALOSBLOG:58CABAAB1D4F3F6D8E50704BBE868869"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2019-5087"]}]}, "affected_software": {"major_version": [{"name": "xcftools:sid", "version": 1}, {"name": "xcftools:sid", "version": 1}]}, "vulnersScore": 4.2}, "_state": {"score": 1660013489, "dependencies": 1660004461, "affected_software_major_version": 1666695388}, "_internal": {"score_hash": "e804c401ed97d6486da91e3708090de9"}, "affectedSoftware": [{"version": "1.0.7-6+b1", "operator": "eq", "name": "xcftools:sid"}, {"version": "1.0.7-6+b1", "operator": "eq", "name": "xcftools:sid"}]}
{"cve": [{"lastseen": "2022-06-21T20:49:38", "description": "An exploitable integer overflow vulnerability exists in the flattenIncrementally function in the xcf2png and xcf2pnm binaries of xcftools 1.0.7. An integer overflow can occur while calculating the row's allocation size, that could be exploited to corrupt memory and eventually execute arbitrary code. In order to trigger this vulnerability, a victim would need to open a specially crafted XCF file.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-11-21T16:15:00", "type": "cve", "title": "CVE-2019-5087", "cwe": ["CWE-190", "CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-5087"], "modified": "2022-06-21T19:21:00", "cpe": ["cpe:/a:xcftools_project:xcftools:1.0.7", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2019-5087", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-5087", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:xcftools_project:xcftools:1.0.7:*:*:*:*:*:*:*"]}], "talos": [{"lastseen": "2022-01-26T11:45:37", 
"description": "### Summary\n\nAn exploitable integer overflow vulnerability exists in the flattenIncrementally function in the xcf2png and xcf2pnm binaries of xcftools 1.0.7. An integer overflow can occur while calculating the row\u2019s allocation size, that could be exploited to corrupt memory and eventually execute arbitrary code. In order to trigger this vulnerability, a victim would need to open a specially crafted XCF file.\n\n### Tested Versions\n\nxcftools 1.0.7\n\n### Product URLs\n\n[http://henning.makholm.net/xcftools/](<>)\n\n### CVSSv3 Score\n\n8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-680: Integer Overflow to Buffer Overflow\n\n### Details\n\nXcftools is a set of tools for handling Gimp\u2019s XCF files. It provides an `xcfinfo` tool for extracting information from an XCF file, and `xcf2png` and `xcf2pnm` for converting an XCF to PNG or PNM format.\n\nWhen converting an XCF, the utilities first parse the file using the function `getBasicXcfInfo`. For each XCF layer, the function `computeDimensions` is called:\n \n \n struct tileDimensions {\n struct rect c ;\n unsigned width, height ;\n unsigned tilesx, tilesy ;\n unsigned ntiles ;\n };\n \n struct rect {\n int t, b, l, r ;\n };\n \n void\n computeDimensions(struct tileDimensions *d)\n {\n d->c.r = d->c.l + d->width ; // [1]\n d->c.b = d->c.t + d->height ;\n d->tilesx = (d->width+TILE_WIDTH-1)/TILE_WIDTH ;\n d->tilesy = (d->height+TILE_HEIGHT-1)/TILE_HEIGHT ;\n d->ntiles = d->tilesx * d->tilesy ;\n }\n \n\nThe function takes a structure containing some information about the layer: width, height, horizontal and vertical offset. These values are all gathered from the input file. 
The code calculates the bounds of the layer by filling the `rect` structure.\n\nAs we can see at [1], the \u201chorizontal offset\u201d (`d->c.l`) is used together with the layer width, to calculate the \u201cright\u201d field of the rectangle.\n\nWhen the `flattenIncrementally` function is called, the size of each row is calculated based on the values `r` and `l` alone:\n \n \n void\n flattenIncrementally(struct FlattenSpec *spec,lineCallback callback)\n {\n rgba *rows[TILE_HEIGHT] ;\n unsigned i, y, nrows, ncols ;\n struct rect where ;\n struct Tile *tile ;\n static struct Tile toptile ;\n \n toptile.count = TILE_HEIGHT * TILE_WIDTH ;\n fillTile(&toptile,0);\n \n for( where.t = spec->dim.c.t; where.t < spec->dim.c.b; where.t=where.b ) {\n where.b = TILE_TOP(where.t)+TILE_HEIGHT ;\n if( where.b > spec->dim.c.b ) where.b = spec->dim.c.b ;\n nrows = where.b - where.t ;\n for( y = 0; y < nrows ; y++ )\n rows[y] = xcfmalloc(4*(spec->dim.c.r-spec->dim.c.l)); // [2]\n \n for( where.l = spec->dim.c.l; where.l < spec->dim.c.r; where.l=where.r ) {\n ...\n for( y = 0 ; y < nrows ; y++ )\n memcpy(rows[y] + (where.l - spec->dim.c.l), // [3]\n tile->pixels + y * ncols, ncols*4);\n ...\n }\n for( y = 0 ; y < nrows ; y++ )\n callback(spec->dim.width,rows[y]); // [4]\n }\n }\n \n\nAt [2], a row is allocated using the width multiplied by 4. This operation doesn\u2019t take integer overflows into account, so any width larger than 0x3fffffff would result in an overflow.\n\nAny logic writing to `rows` after this point, will risk corrupting the heap, leading to arbitrary code execution. 
There are at least two paths for corruption, at [3] and [4] (which would be triggered by any callback writing to a row, for example by `optimistic_palette_callback` which calls `palettify_row`).\n\n### Timeline\n\n2019-07-31 - Initial contact \n2019-08-07 - Plain text file sent \n2019-10-02 - 60+ day follow up \n2019-10-21 - 90 day notice \n2019-11-21 - Public release\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-11-20T00:00:00", "type": "talos", "title": "xcftools flattenIncrementally rows allocation code execution vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-5087"], "modified": "2019-11-20T00:00:00", "id": "TALOS-2019-0879", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0879", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debiancve": [{"lastseen": "2022-07-04T06:03:05", "description": "An exploitable integer overflow vulnerability exists in the flattenIncrementally function in the xcf2png and xcf2pnm binaries of xcftools 1.0.7. 
An integer overflow can occur while calculating the row's allocation size, that could be exploited to corrupt memory and eventually execute arbitrary code. In order to trigger this vulnerability, a victim would need to open a specially crafted XCF file.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-11-21T16:15:00", "type": "debiancve", "title": "CVE-2019-5087", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-5087"], "modified": "2019-11-21T16:15:00", "id": "DEBIANCVE:CVE-2019-5087", "href": "https://security-tracker.debian.org/tracker/CVE-2019-5087", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2023-01-27T13:49:06", "description": "An exploitable integer overflow vulnerability exists in the\nflattenIncrementally function in the xcf2png and xcf2pnm binaries of\nxcftools 1.0.7. An integer overflow can occur while calculating the row's\nallocation size, that could be exploited to corrupt memory and eventually\nexecute arbitrary code. 
In order to trigger this vulnerability, a victim\nwould need to open a specially crafted XCF file.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-11-21T00:00:00", "type": "ubuntucve", "title": "CVE-2019-5087", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-5087"], "modified": "2019-11-21T00:00:00", "id": "UB:CVE-2019-5087", "href": "https://ubuntu.com/security/CVE-2019-5087", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-01-11T14:42:08", "description": "The patch to address CVE-2019-5086 and CVE-2019-5087 was not portable and did not work on 32 bit processor architectures. This update fixes the problem. For reference, the original advisory text follows.\n\nClaudio Bozzato of Cisco Talos discovered an exploitable integer overflow vulnerability in the flattenIncrementally function in the xcf2png and xcf2pnm binaries of xcftools. An integer overflow can occur while walking through tiles that could be exploited to corrupt memory and execute arbitrary code. 
In order to trigger this vulnerability, a victim would need to open a specially crafted XCF file.\n\nFor Debian 9 stretch, this problem has been fixed in version 1.0.7-6+deb9u2.\n\nWe recommend that you upgrade your xcftools packages.\n\nFor the detailed security status of xcftools please refer to its security tracker page at:\nhttps://security-tracker.debian.org/tracker/xcftools\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-02-10T00:00:00", "type": "nessus", "title": "Debian DLA-2553-2 : xcftools regression update", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-5086", "CVE-2019-5087"], "modified": "2021-03-10T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:xcftools", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DLA-2553.NASL", "href": "https://www.tenable.com/plugins/nessus/146360", "sourceData": "#\n# (C) Tenable Network Security, 
Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2553-2. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(146360);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/10\");\n\n script_cve_id(\"CVE-2019-5086\", \"CVE-2019-5087\");\n\n script_name(english:\"Debian DLA-2553-2 : xcftools regression update\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The patch to address CVE-2019-5086 and CVE-2019-5087 was not portable\nand did not work on 32 bit processor architectures. This update fixes\nthe problem. For reference, the original advisory text follows.\n\nClaudio Bozzato of Cisco Talos discovered an exploitable integer\noverflow vulnerability in the flattenIncrementally function in the\nxcf2png and xcf2pnm binaries of xcftools. An integer overflow can\noccur while walking through tiles that could be exploited to corrupt\nmemory and execute arbitrary code. In order to trigger this\nvulnerability, a victim would need to open a specially crafted XCF\nfile.\n\nFor Debian 9 stretch, this problem has been fixed in version\n1.0.7-6+deb9u2.\n\nWe recommend that you upgrade your xcftools packages.\n\nFor the detailed security status of xcftools please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/xcftools\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2021/03/msg00008.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/xcftools\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/xcftools\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Upgrade the affected xcftools package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:xcftools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/10\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"xcftools\", reference:\"1.0.7-6+deb9u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2022-01-07T02:41:55", "description": "-------------------------------------------------------------------------\nDebian LTS Advisory DLA-2553-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Markus Koschany\nFebruary 09, 2021 https://wiki.debian.org/LTS\n-------------------------------------------------------------------------\n\nPackage : xcftools\nVersion : 1.0.7-6+deb9u1\nCVE ID : CVE-2019-5086 CVE-2019-5087\nDebian Bug : 945317\n\nClaudio Bozzato of Cisco Talos discovered an exploitable integer overflow\nvulnerability in the flattenIncrementally function in the xcf2png and xcf2pnm\nbinaries of xcftools. An integer overflow can occur while walking through tiles\nthat could be exploited to corrupt memory and execute arbitrary code. 
In order\nto trigger this vulnerability, a victim would need to open a specially crafted\nXCF file.\n\nFor Debian 9 stretch, these problems have been fixed in version\n1.0.7-6+deb9u1.\n\nWe recommend that you upgrade your xcftools packages.\n\nFor the detailed security status of xcftools please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/xcftools\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\nAttachment:\nsignature.asc\nDescription: This is a digitally signed message part\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-10T00:32:07", "type": "debian", "title": "[SECURITY] [DLA 2553-1] xcftools security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-5086", "CVE-2019-5087"], "modified": "2021-02-10T00:32:07", "id": "DEBIAN:DLA-2553-1:E863A", "href": "https://lists.debian.org/debian-lts-announce/2021/02/msg00014.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": 
"2021-10-22T10:43:38", "description": "-------------------------------------------------------------------------\nDebian LTS Advisory DLA-2553-2 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Markus Koschany\nMarch 08, 2021 https://wiki.debian.org/LTS\n-------------------------------------------------------------------------\n\nPackage : xcftools\nVersion : 1.0.7-6+deb9u2\nCVE ID : CVE-2019-5086 CVE-2019-5087\nDebian Bug : 945317\n\nThe patch to address CVE-2019-5086 and CVE-2019-5087 was not portable and did\nnot work on 32 bit processor architectures. This update fixes the problem. For\nreference, the original advisory text follows.\n\nClaudio Bozzato of Cisco Talos discovered an exploitable integer overflow\nvulnerability in the flattenIncrementally function in the xcf2png and xcf2pnm\nbinaries of xcftools. An integer overflow can occur while walking through tiles\nthat could be exploited to corrupt memory and execute arbitrary code. In order\nto trigger this vulnerability, a victim would need to open a specially crafted\nXCF file.\n\nFor Debian 9 stretch, this problem has been fixed in version\n1.0.7-6+deb9u2.\n\nWe recommend that you upgrade your xcftools packages.\n\nFor the detailed security status of xcftools please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/xcftools\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\nAttachment:\nsignature.asc\nDescription: This is a digitally signed message part\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": 
"REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-08T10:05:50", "type": "debian", "title": "[SECURITY] [DLA 2553-2] xcftools regression update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-5086", "CVE-2019-5087"], "modified": "2021-03-08T10:05:50", "id": "DEBIAN:DLA-2553-2:48AF3", "href": "https://lists.debian.org/debian-lts-announce/2021/03/msg00008.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "osv": [{"lastseen": "2022-08-05T05:19:03", "description": "\nClaudio Bozzato of Cisco Talos discovered an exploitable integer overflow\nvulnerability in the flattenIncrementally function in the xcf2png and xcf2pnm\nbinaries of xcftools. An integer overflow can occur while walking through tiles\nthat could be exploited to corrupt memory and execute arbitrary code. 
In order\nto trigger this vulnerability, a victim would need to open a specially crafted\nXCF file.\n\n\nFor Debian 9 stretch, these problems have been fixed in version\n1.0.7-6+deb9u1.\n\n\nWe recommend that you upgrade your xcftools packages.\n\n\nFor the detailed security status of xcftools please refer to\nits security tracker page at:\n<https://security-tracker.debian.org/tracker/xcftools>\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: <https://wiki.debian.org/LTS>\n\n\n", "edition": 1, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-02-10T00:00:00", "type": "osv", "title": "xcftools - security update", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-5087", "CVE-2019-5086"], "modified": "2022-08-05T05:19:02", "id": "OSV:DLA-2553-1", "href": "https://osv.dev/vulnerability/DLA-2553-1", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "talosblog": [{"lastseen": "2019-12-04T12:17:02", "description": 
"[](<https://1.bp.blogspot.com/-4KmzPgCzEnI/XUgv9m3AF_I/AAAAAAAAAC4/C28-47fWukERV4yT0uQnA2_xuy2aB8ZkgCPcBGAYYCw/s1600/recurring%2Bblog%2Bimages_vuln%2Bspotlight.jpg>)\n\n_ \n__Claudio Bozzato of Cisco Talos discovered these vulnerabilities. _ \n \nXcftools contains two remote code execution vulnerabilities in its flattenIncrementally function. [Xcftools](<http://henning.makholm.net/software>) is a set of tools for handling Gimp\u2019s XCF files. The software provides tools to extract information from an XCF file, and then converting XCF files into a PNG or PNM file. An attacker could exploit these bugs by tricking a user into opening a specially crafted XCF file. \n\n\n[](<https://1.bp.blogspot.com/-CXQrDqkxSzA/XVwTZj4SFKI/AAAAAAAAAEY/jrBRc_dHReYkza4WXVN0mHVdADHWL6iOQCPcBGAYYCw/s1600/patch_availability_nopatch.jpg>)\n\n \nCisco Talos is disclosing these vulnerabilities after xcftools failed to patch them per Cisco\u2019s 90-day deadline. Read more about the Cisco vulnerability disclosure policy [here](<https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html>). \n \n\n\n### Vulnerability details\n\n**xcftools flattenIncrementally tiles walk code execution vulnerability (TALOS-2019-0878/CVE-2019-5086)** \n \nAn exploitable integer overflow vulnerability exists in the flattenIncrementally function in the xcf2png and xcf2pnm binaries of xcftools, version 1.0.7. An integer overflow can occur while walking through tiles that could be exploited to corrupt memory and execute arbitrary code. In order to trigger this vulnerability, a victim would need to open a specially crafted XCF file. \n \nRead the complete vulnerability advisory [here](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0878>) for additional information. 
\n \n**xcftools flattenIncrementally rows allocation code execution vulnerability (TALOS-2019-0879/CVE-2019-5087)** \n \nAn exploitable integer overflow vulnerability exists in the flattenIncrementally function in the xcf2png and xcf2pnm binaries of xcftools 1.0.7. An integer overflow can occur while calculating the row's allocation size, that could be exploited to corrupt memory and eventually execute arbitrary code. In order to trigger this vulnerability, a victim would need to open a specially crafted XCF file. \n \nRead the complete vulnerability advisory [here](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0879>) for additional information. \n\n\n### Versions tested\n\nTalos tested and confirmed that xcftools version 1.0.7 is affected by these vulnerabilities. \n \n\n\n### Coverage\n\nThe following SNORT\u24c7 rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org. \n \nSnort Rules: 43857 - 43860, 50842 - 50845 \n\n\n \n\n\n", "cvss3": {}, "published": "2019-11-21T07:31:22", "type": "talosblog", "title": "Vulnerability Spotlight: Two remote code execution vulnerabilities in Xcftools", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-5086", "CVE-2019-5087"], "modified": "2019-11-21T07:31:22", "id": "TALOSBLOG:58CABAAB1D4F3F6D8E50704BBE868869", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/CeBZQPk7mHA/xcftools-RCE-vulns-spotlight-nov-2019.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}