Debian Security Advisory

DSA-608-1 zgv -- integer overflows, unsanitised input

Date Reported:
14 Dec 2004
Affected Packages:
Security database references:
In the Bugtraq database (at SecurityFocus): BugTraq ID 11556.
In Mitre's CVE dictionary: CVE-2004-1095, CVE-2004-0999.
More information:

Several vulnerabilities have been discovered in zgv, an SVGAlib graphics viewer for the i386 architecture. The Common Vulnerabilities and Exposures Project identifies the following problems:

  • CAN-2004-1095

    "infamous41md" discovered multiple integer overflows in zgv. Remote exploitation of an integer overflow vulnerability could allow the execution of arbitrary code.

  • CAN-2004-0999

    Mikulas Patocka discovered that malicious multiple-image (e.g. animated) GIF images can cause a segmentation fault in zgv.

For the stable distribution (woody) these problems have been fixed in version 5.5-3woody1.

For the unstable distribution (sid) these problems will be fixed soon.

We recommend that you upgrade your zgv package immediately.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Intel IA-32:

MD5 checksums of the listed files are available in the original advisory.