Another image problem, this time for Linux
- — 17 September, 2004 07:38
Another image-based security hole has been found, sparking a flurry of patches from Linux vendors.
Exploitation in GdkPixBuf can be used to caused a denial of service or provide remote system access. There are several vulnerabilities here: one is a variant of the previous discovered Qt hole in bitmap images that can make an application run in an infinite loop.
A second occurs in the "pixbuf_create_from_xpm()" function when decoding XPM images. A specially crafted image can cause a buffer overflow. A third is a boundary error in the "xpm_extract_color()" function, again when decoding XPM images. This can also cause a buffer overlow. And lastly, an input validation error in ICO image decoding can cause an integer overflow, causing a crash.
Secunia says in its advisory that there is no official updated version of GdkPixBuf. However, so far, Red Hat, Debian, Fedora and MandrakeSoft have all put out updates and patches.
Earlier this week Microsoft reported a security flaw in the way many of its applications process JPEG images -- which could allow an attacker to gain control over a computer running the software.