CVE-2004-1095 - Remote Integer Overflow vulnerability in ZGV And XZGV Image Viewer
Summary
Multiple integer overflows in (1) readbmp.c, (2) readgif.c, (3) readgif.c, (4) readmrf.c, (5) readpcx.c, (6) readpng.c, (7) readpnm.c, (8) readprf.c, (9) readtiff.c, (10) readxbm.c, (11) readxpm.c in zgv 5.8 allow remote attackers to execute arbitrary code via certain image headers that cause calculations to be overflowed and small buffers to be allocated, leading to buffer overflows. NOTE: CVE-2004-0994 and CVE-2004-1095 identify sets of bugs that only partially overlap, despite having the same developer. Therefore, they should be regarded as distinct.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 7 |
OS | | 11 |
Exploit-Db
description | zgv 5.5 Multiple Arbitrary Code Execution PoC Exploits. CVE-2004-1095. Remote exploit for linux platform |
id | EDB-ID:609 |
last seen | 2016-01-31 |
modified | 2004-10-28 |
published | 2004-10-28 |
reporter | infamous41md |
source | https://www.exploit-db.com/download/609/ |
title | zgv 5.5 - Multiple Arbitrary Code Execution PoC Exploits |
Nessus
NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-200411-12.NASL |
description | The remote host is affected by the vulnerability described in GLSA-200411-12 (zgv: Multiple buffer overflows) Multiple arithmetic overflows have been detected in the image processing code of zgv. Impact : An attacker could entice a user to open a specially crafted image file, potentially resulting in execution of arbitrary code with the rights of the user running zgv. Workaround : There is no known workaround at this time. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 15646 |
published | 2004-11-08 |
reporter | This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/15646 |
title | GLSA-200411-12 : zgv: Multiple buffer overflows |
code |

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200411-12.
#
# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(15646);
  script_version("1.19");
  script_cvs_date("Date: 2019/08/02 13:32:41");

  script_cve_id("CVE-2004-1095");
  script_xref(name:"GLSA", value:"200411-12");

  script_name(english:"GLSA-200411-12 : zgv: Multiple buffer overflows");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-200411-12 (zgv: Multiple buffer overflows) Multiple arithmetic overflows have been detected in the image processing code of zgv.
Impact : An attacker could entice a user to open a specially crafted image file, potentially resulting in execution of arbitrary code with the rights of the user running zgv. Workaround : There is no known workaround at this time."
  );
  # http://www.securityfocus.com/archive/1/379472
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.securityfocus.com/archive/1/379472"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200411-12"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"All zgv users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=media-gfx/zgv-5.8'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:zgv");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2004/11/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/11/08");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

if (qpkg_check(package:"media-gfx/zgv", unaffected:make_list("ge 5.8"), vulnerable:make_list("lt 5.8"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "zgv");
}
```
NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-614.NASL |
description | Luke |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 16020 |
published | 2004-12-21 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/16020 |
title | Debian DSA-614-1 : xzgv - integer overflows |
code |

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-614. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(16020);
  script_version("1.19");
  script_cvs_date("Date: 2019/08/02 13:32:18");

  script_cve_id("CVE-2004-0994", "CVE-2004-1095");
  script_xref(name:"DSA", value:"614");

  script_name(english:"Debian DSA-614-1 : xzgv - integer overflows");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Luke 'infamous41md' discovered multiple vulnerabilities in xzgv, a picture viewer for X11 with a thumbnail-based selector. Remote exploitation of an integer overflow vulnerability could allow the execution of arbitrary code."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2004/dsa-614"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the xzgv package immediately. For the stable distribution (woody) these problems have been fixed in version 0.7-6woody2."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xzgv");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2004/12/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/12/21");
  script_set_attribute(attribute:"vuln_publication_date", value:"2004/10/25");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (deb_check(release:"3.0", prefix:"xzgv", reference:"0.7-6woody2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-608.NASL |
description | Several vulnerabilities have been discovered in zgv, an SVGAlib graphics viewer for the i386 architecture. The Common Vulnerabilities and Exposures Project identifies the following problems : - CAN-2004-1095 |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 15953 |
published | 2004-12-14 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/15953 |
title | Debian DSA-608-1 : zgv - integer overflows, unsanitised input |
code |

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-608. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(15953);
  script_version("1.20");
  script_cvs_date("Date: 2019/08/02 13:32:18");

  script_cve_id("CVE-2004-0999", "CVE-2004-1095");
  script_bugtraq_id(11556);
  script_xref(name:"DSA", value:"608");

  script_name(english:"Debian DSA-608-1 : zgv - integer overflows, unsanitised input");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Several vulnerabilities have been discovered in zgv, an SVGAlib graphics viewer for the i386 architecture. The Common Vulnerabilities and Exposures Project identifies the following problems :
 - CAN-2004-1095 'infamous41md' discovered multiple integer overflows in zgv. Remote exploitation of an integer overflow vulnerability could allow the execution of arbitrary code.
 - CAN-2004-0999 Mikulas Patocka discovered that malicious multiple-image (e.g. animated) GIF images can cause a segmentation fault in zgv."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2004/dsa-608"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the zgv package immediately. For the stable distribution (woody) these problems have been fixed in version 5.5-3woody1."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:zgv");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2004/12/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/12/14");
  script_set_attribute(attribute:"vuln_publication_date", value:"2004/10/25");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (deb_check(release:"3.0", prefix:"zgv", reference:"5.5-3woody2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
References
- http://marc.info/?l=bugtraq&m=109886210702781&w=2
- http://marc.info/?l=bugtraq&m=109898111915661&w=2
- http://www.gentoo.org/security/en/glsa/glsa-200411-12.xml
- http://www.securityfocus.com/bid/11556
- http://www.svgalib.org/rus/zgv/
- http://www.svgalib.org/rus/zgv/zgv-5.8-integer-overflow-fix.diff
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17871