From 46df580663c61012890272e6573d405243ccc24a Mon Sep 17 00:00:00 2001 From: Christian Weisgerber Date: Thu, 20 Oct 2005 13:52:35 +0000 Subject: [PATCH] Document x11/xloadimage buffer overflows in NIFF image title handling. --- security/vuxml/vuln.xml | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index cc92a4c308df..30d294d50a26 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -34,6 +34,45 @@ Note: Please add new entries to the beginning of this file. --> + + xloadimage -- buffer overflows in NIFF image title handling + + + xloadimage + 4.1.15 + + + + +

Ariel Berkman reports:

+
+

Unlike most of the supported image formats in xloadimage, + the NIFF image format can store a title name of arbitrary + length as part of the image file.

+

When xloadimage is processing a loaded image, it is + creating a new Image object and then writing the processed + image to it. At that point, it will also copy the title + from the old image to the newly created image.

+

The 'zoom', 'reduce', and 'rotate' functions are using + a fixed length buffer to construct the new title name + when an image processing is done. Since the title name + in a NIFF format is of varying length, and there are + insufficient buffer size validations, the buffer can + be overflowed.

+
+ +
+ + 15051 + CVE-2005-3178 + http://marc.theaimsgroup.com/?l=bugtraq&m=112862493918840&w=2 + + + 2005-10-05 + 2005-10-20 + +
+ snort -- Back Orifice preprocessor buffer overflow vulnerability
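Review bot: the description block of the new xloadimage entry says the fixed-length title buffer in 'zoom', 'reduce', and 'rotate' "can be overflowed" but never states what that means for a user. The text should add one sentence on the consequence and the trigger, namely processing a NIFF file whose title is longer than the buffer, so that readers of the entry can judge severity without following the bugtraq link. Also in this hunk, the reference URL carries the query separators `&m=` and `&w=`. Please confirm they are written as `&amp;` in vuln.xml so the file stays well-formed. The affected range is shown here only as 4.1.15, so it is worth double-checking that this bound matches the first fixed port version.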