Vulnerabilities > CVE-2002-1277 - Buffer Overflow vulnerability in WindowMaker Image Handling
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Buffer overflow in Window Maker (wmaker) 0.80.0 and earlier may allow remote attackers to execute arbitrary code via a certain image file that is not properly handled when Window Maker uses width and height information to allocate a buffer.
Vulnerable Configurations
Nessus
NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2002-085.NASL description Al Viro discovered a vulnerability in the WindowMaker window manager. A function used to load images, for example when configuring a new background image or previewing themes, contains a buffer overflow. The function calculates the amount of memory necessary to load the image by doing some multiplication but does not check the results of this multiplication, which may not fit into the destination variable, resulting in a buffer overflow when the image is loaded. last seen 2020-06-01 modified 2020-06-02 plugin id 13983 published 2004-07-31 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/13983 title Mandrake Linux Security Advisory : WindowMaker (MDKSA-2002:085) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2002:085. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(13983); script_version ("1.17"); script_cvs_date("Date: 2019/08/02 13:32:46"); script_cve_id("CVE-2002-1277"); script_xref(name:"MDKSA", value:"2002:085"); script_name(english:"Mandrake Linux Security Advisory : WindowMaker (MDKSA-2002:085)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandrake Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Al Viro discovered a vulnerability in the WindowMaker window manager. A function used to load images, for example when configuring a new background image or previewing themes, contains a buffer overflow. The function calculates the amount of memory necessary to load the image by doing some multiplication but does not check the results of this multiplication, which may not fit into the destination variable, resulting in a buffer overflow when the image is loaded." ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:WindowMaker"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:WindowMaker-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:WindowMaker-static-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libwraster2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libwraster2-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libwraster2-static-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0"); script_set_attribute(attribute:"patch_publication_date", value:"2002/12/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"WindowMaker-0.62.1-18.2mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"WindowMaker-devel-0.62.1-18.2mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"WindowMaker-0.64.0-8.2mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"WindowMaker-devel-0.64.0-8.2mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"libwraster2-0.64.0-8.2mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"libwraster2-devel-0.64.0-8.2mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"WindowMaker-0.65.1-4.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"WindowMaker-devel-0.65.1-4.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"libwraster2-0.65.1-4.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"libwraster2-devel-0.65.1-4.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"WindowMaker-0.80.0-5.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"WindowMaker-devel-0.80.0-5.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"WindowMaker-static-devel-0.80.0-5.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"libwraster2-0.80.0-5.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"libwraster2-devel-0.80.0-5.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"libwraster2-static-devel-0.80.0-5.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"WindowMaker-0.80.1-2.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"WindowMaker-devel-0.80.1-2.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"WindowMaker-static-devel-0.80.1-2.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"libwraster2-0.80.1-2.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"libwraster2-devel-0.80.1-2.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"libwraster2-static-devel-0.80.1-2.1mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2003-009.NASL description Updated packages are available to fix a vulnerability in Window Maker. [Updated 06 Feb 2003] Fixed packages for Advanced Workstation 2.1 have been added. [Updated 31 Mar 2003] New erratum packages are available to fix a bug in the original security patch. [Updated 18 Jun 2003] The last update did not include the Advanced Workstation 2.1 packages, these have now been added back. Window Maker is an X11 window manager that emulates the look and feel of the NeXTSTEP graphical user interface. Al Viro found a buffer overflow in Window Maker 0.80.0 and earlier which may allow remote attackers to execute arbitrary code through a certain image file that is not properly handled when Window Maker uses width and height information to allocate a buffer. A user can exploit this vulnerability, for example, by opening a malicious theme. Users of Window Maker are advised to upgrade to these updated packages which contain a patch to correct this vulnerability. last seen 2020-06-01 modified 2020-06-02 plugin id 12350 published 2004-07-06 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/12350 title RHEL 2.1 : WindowMaker (RHSA-2003:009) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2003:009. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(12350); script_version ("1.18"); script_cvs_date("Date: 2019/10/25 13:36:10"); script_cve_id("CVE-2002-1277"); script_xref(name:"RHSA", value:"2003:009"); script_name(english:"RHEL 2.1 : WindowMaker (RHSA-2003:009)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated packages are available to fix a vulnerability in Window Maker. [Updated 06 Feb 2003] Fixed packages for Advanced Workstation 2.1 have been added. [Updated 31 Mar 2003] New erratum packages are available to fix a bug in the original security patch. [Updated 18 Jun 2003] The last update did not include the Advanced Workstation 2.1 packages, these have now been added back. Window Maker is an X11 window manager that emulates the look and feel of the NeXTSTEP graphical user interface. Al Viro found a buffer overflow in Window Maker 0.80.0 and earlier which may allow remote attackers to execute arbitrary code through a certain image file that is not properly handled when Window Maker uses width and height information to allocate a buffer. A user can exploit this vulnerability, for example, by opening a malicious theme. Users of Window Maker are advised to upgrade to these updated packages which contain a patch to correct this vulnerability." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2002-1277" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2003:009" ); script_set_attribute( attribute:"solution", value:"Update the affected WindowMaker and / or WindowMaker-libs packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:WindowMaker"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:WindowMaker-libs"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1"); script_set_attribute(attribute:"vuln_publication_date", value:"2002/11/12"); script_set_attribute(attribute:"patch_publication_date", value:"2003/06/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2003:009"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"WindowMaker-0.65.1-4.2")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"WindowMaker-libs-0.65.1-4.2")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "WindowMaker / WindowMaker-libs"); } }NASL family Debian Local Security Checks NASL id DEBIAN_DSA-190.NASL description Al Viro found a problem in the image handling code use in Window Maker, a popular NEXTSTEP like window manager. When creating an image it would allocate a buffer by multiplying the image width and height, but did not check for an overflow. This makes it possible to overflow the buffer. This could be exploited by using specially crafted image files (for example when previewing themes). last seen 2020-06-01 modified 2020-06-02 plugin id 15027 published 2004-09-29 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15027 title Debian DSA-190-1 : wmaker - buffer overflow code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-190. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(15027); script_version("1.18"); script_cvs_date("Date: 2019/08/02 13:32:17"); script_cve_id("CVE-2002-1277"); script_xref(name:"DSA", value:"190"); script_name(english:"Debian DSA-190-1 : wmaker - buffer overflow"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Al Viro found a problem in the image handling code use in Window Maker, a popular NEXTSTEP like window manager. When creating an image it would allocate a buffer by multiplying the image width and height, but did not check for an overflow. This makes it possible to overflow the buffer. This could be exploited by using specially crafted image files (for example when previewing themes)." ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2002/dsa-190" ); script_set_attribute( attribute:"solution", value: "This problem has been fixed in version 0.80.0-4.1 for the current stable distribution (woody). Packages for the mipsel architecture are not yet available." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:wmaker"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0"); script_set_attribute(attribute:"patch_publication_date", value:"2002/11/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29"); script_set_attribute(attribute:"vuln_publication_date", value:"2002/11/07"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.0", prefix:"libwings-dev", reference:"0.80.0-4.1")) flag++; if (deb_check(release:"3.0", prefix:"libwmaker0-dev", reference:"0.80.0-4.1")) flag++; if (deb_check(release:"3.0", prefix:"libwraster2", reference:"0.80.0-4.1")) flag++; if (deb_check(release:"3.0", prefix:"libwraster2-dev", reference:"0.80.0-4.1")) flag++; if (deb_check(release:"3.0", prefix:"wmaker", reference:"0.80.0-4.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
Redhat
| advisories |
|
References
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000548
- http://www.debian.org/security/2002/dsa-190
- http://www.iss.net/security_center/static/10560.php
- http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-085.php
- http://www.redhat.com/support/errata/RHSA-2003-009.html
- http://www.redhat.com/support/errata/RHSA-2003-043.html
- http://www.securityfocus.com/bid/6119