Debian Security Advisory
DSA-608-1 zgv -- integer overflows, unsanitised input
- Date Reported:
- 14 Dec 2004
- Affected Packages:
- zgv
- Vulnerable:
- Yes
- Security database references:
- In the Bugtraq database (at SecurityFocus): BugTraq ID 11556.
In Mitre's CVE dictionary: CVE-2004-1095, CVE-2004-0999. - More information:
-
Several vulnerabilities have been discovered in zgv, an SVGAlib graphics viewer for the i386 architecture. The Common Vulnerabilities and Exposures Project identifies the following problems:
- CAN-2004-1095
"infamous41md" discovered multiple integer overflows in zgv. Remote exploitation of an integer overflow vulnerability could allow the execution of arbitrary code.
- CAN-2004-0999
Mikulas Patocka discovered that malicious multiple-image (e.g. animated) GIF images can cause a segmentation fault in zgv.
For the stable distribution (woody) these problems have been fixed in version 5.5-3woody1.
For the unstable distribution (sid) these problems will be fixed soon.
We recommend that you upgrade your zgv package immediately.
- CAN-2004-1095
- Fixed in:
-
Debian GNU/Linux 3.0 (woody)
- Source:
- http://security.debian.org/pool/updates/main/z/zgv/zgv_5.5-3woody2.dsc
- http://security.debian.org/pool/updates/main/z/zgv/zgv_5.5-3woody2.diff.gz
- http://security.debian.org/pool/updates/main/z/zgv/zgv_5.5.orig.tar.gz
- http://security.debian.org/pool/updates/main/z/zgv/zgv_5.5-3woody2.diff.gz
- Intel IA-32:
- http://security.debian.org/pool/updates/main/z/zgv/zgv_5.5-3woody2_i386.deb
MD5 checksums of the listed files are available in the original advisory.