CVE-2005-3318 - Stack Buffer Overflow vulnerability in Jed Wing CHM Lib

Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Summary
Buffer overflow in the _chm_decompress_block function in CHM lib (chmlib) before 0.37, as used in products such as KchmViewer, allows attackers to execute arbitrary code, a different vulnerability than CVE-2005-2930.
Vulnerable Configurations

Part | Description | Count
---|---|---
Application | | 8
Nessus
NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-886.NASL
Description: Several vulnerabilities have been discovered in chmlib, a library for dealing with CHM format files. The Common Vulnerabilities and Exposures project identifies the following problems:
- CVE-2005-2659: Palasik Sandor discovered a buffer overflow in the LZX decompression method.
- CVE-2005-2930: A buffer overflow has been discovered that could lead to the execution of arbitrary code.
- CVE-2005-3318: Sven Tantau discovered a buffer overflow that could lead to the execution of arbitrary code.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 22752
Published: 2006-10-14
Reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/22752
Title: Debian DSA-886-1 : chmlib - several vulnerabilities
Code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-886. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(22752);
  script_version("1.20");
  script_cvs_date("Date: 2019/08/02 13:32:19");

  script_cve_id("CVE-2005-2659", "CVE-2005-2930", "CVE-2005-3318");
  script_bugtraq_id(15211);
  script_xref(name:"DSA", value:"886");

  script_name(english:"Debian DSA-886-1 : chmlib - several vulnerabilities");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Several vulnerabilities have been discovered in chmlib, a library for
dealing with CHM format files. The Common Vulnerabilities and Exposures
project identifies the following problems :

  - CVE-2005-2659
    Palasik Sandor discovered a buffer overflow in the LZX
    decompression method.

  - CVE-2005-2930
    A buffer overflow has been discovered that could lead to
    the execution of arbitrary code.

  - CVE-2005-3318
    Sven Tantau discovered a buffer overflow that could lead
    to the execution of arbitrary code."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2005/dsa-886"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the chmlib packages.

The old stable distribution (woody) does not contain chmlib packages.

For the stable distribution (sarge) these problems have been fixed in
version 0.35-6sarge1."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:chmlib");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/11/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/09/12");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

# Bail out unless local checks ran and the Debian release and package list are known.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Flag any chmlib package on sarge (3.1) older than the fixed version 0.35-6sarge1.
flag = 0;
if (deb_check(release:"3.1", prefix:"chmlib", reference:"0.35-6sarge1")) flag++;
if (deb_check(release:"3.1", prefix:"chmlib-bin", reference:"0.35-6sarge1")) flag++;
if (deb_check(release:"3.1", prefix:"chmlib-dev", reference:"0.35-6sarge1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-200511-23.NASL
Description: The remote host is affected by the vulnerability described in GLSA-200511-23 (chmlib, KchmViewer: Stack-based buffer overflow). Sven Tantau reported about a buffer overflow vulnerability in chmlib. The function
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 20267
Published: 2005-12-07
Reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/20267
Title: GLSA-200511-23 : chmlib, KchmViewer: Stack-based buffer overflow
Code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200511-23.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(20267);
  script_version("1.15");
  script_cvs_date("Date: 2019/08/02 13:32:43");

  script_cve_id("CVE-2005-3318");
  script_xref(name:"GLSA", value:"200511-23");

  script_name(english:"GLSA-200511-23 : chmlib, KchmViewer: Stack-based buffer overflow");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-200511-23
(chmlib, KchmViewer: Stack-based buffer overflow)

    Sven Tantau reported about a buffer overflow vulnerability in
    chmlib. The function '_chm_decompress_block()' does not properly
    perform boundary checking, resulting in a stack-based buffer
    overflow.

Impact :

    By convincing a user to open a specially crafted ITSS or CHM file,
    using KchmViewer or a program makes use of chmlib, a remote
    attacker could execute arbitrary code with the privileges of the
    user running the software.

Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200511-23"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"All chmlib users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose '>=dev-libs/chmlib-0.37.4'

All KchmViewer users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose '>=app-text/kchmviewer-1.1'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:chmlib");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:kchmviewer");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/11/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/12/07");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/09/12");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

# Bail out unless local checks ran and the Gentoo release and package list are known.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Flag kchmviewer older than 1.1 or chmlib older than 0.37.4.
flag = 0;

if (qpkg_check(package:"app-text/kchmviewer", unaffected:make_list("ge 1.1"), vulnerable:make_list("lt 1.1"))) flag++;
if (qpkg_check(package:"dev-libs/chmlib", unaffected:make_list("ge 0.37.4"), vulnerable:make_list("lt 0.37.4"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "chmlib / KchmViewer");
}
```
References
- http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0536.html
- http://morte.jedrea.com/~jedwin/projects/chmlib/
- http://secunia.com/advisories/17325
- http://secunia.com/advisories/17480
- http://secunia.com/advisories/17775
- http://secunia.com/advisories/17776
- http://www.gentoo.org/security/en/glsa/glsa-200511-23.xml
- http://www.novell.com/linux/security/advisories/2005_25_sr.html
- http://www.osvdb.org/20335
- http://www.securityfocus.com/bid/15211
- http://www.sven-tantau.de/public_files/chmlib/chmlib_20051126.txt
- http://www.vupen.com/english/advisories/2005/2207
- https://exchange.xforce.ibmcloud.com/vulnerabilities/22885