[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[oCERT-2009-008] Dillo integer overflow
- To: oss-security@xxxxxxxxxxxxxxxxxx, ocert-announce@xxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
- Subject: [oCERT-2009-008] Dillo integer overflow
- From: Andrea Barisani <lcars@xxxxxxxxx>
- Date: Fri, 3 Jul 2009 21:09:32 +0100
#2009-008 Dillo integer overflow
Description:
Dillo, an open source graphical web browser, suffers from an integer overflow
which may lead to a potentially exploitable heap overflow and result in
arbitrary code execution.
The vulnerability is triggered by HTML pages with embedded PNG images, the
Png_datainfo_callback function does not properly validate the width and
height of the image. Specific PNG images with large width and height can be
crafted to trigger the vulnerability.
Affected version:
Dillo <= 2.1
Fixed version:
Dillo >= 2.1.1
Credit: vulnerability report and PoC code received from Tielei Wang
<wangtielei [at] icst [dot] pku [dot] edu [dot] cn>, ICST-ERCIS.
CVE: CVE-2009-2294
Timeline:
2009-05-21: vulnerability reported received
2009-06-18: contacted dillo maintainer
2009-06-18: maintainer requests PoC
2009-06-19: PoC is supplied
2009-06-19: maintainer provides patch
2009-06-24: revised patch is provided after reporter feedback
2009-06-25: patch is confirmed, maintainer requests one week of time to
investigate further areas of the browser
2009-07-01: dillo developer proposes security release coordination
2009-07-03: advisory release
Permalink:
http://www.ocert.org/advisories/ocert-2009-008.html
--
Andrea Barisani | Founder & Project Coordinator
oCERT | Open Source Computer Emergency Response Team
<lcars@xxxxxxxxx> http://www.ocert.org
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"