Vulnerabilities > CVE-2005-3737 - Buffer Overflow vulnerability in Inkscape SVG Image
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Summary
Buffer overflow in the SVG importer (style.cpp) of inkscape 0.41 through 0.42.2 might allow remote attackers to execute arbitrary code via a SVG file with long CSS style property values.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 4 |
Exploit-Db
description | Inkscape 0.41/0.42 SVG Image Buffer Overflow Vulnerability. CVE-2005-3737. Remote exploit for linux platform |
id | EDB-ID:26540 |
last seen | 2016-02-03 |
modified | 2005-11-21 |
published | 2005-11-21 |
reporter | Joxean Koret |
source | https://www.exploit-db.com/download/26540/ |
title | Inkscape 0.41/0.42 SVG Image Buffer Overflow Vulnerability |
Nessus
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-916. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
# Listing metadata shown with this plugin on the page:
#   NASL family : Debian Local Security Checks
#   NASL id     : DEBIAN_DSA-916.NASL
#   description : same text as the "description" attribute set below
#   last seen   : 2020-06-01
#   modified    : 2020-06-02
#   plugin id   : 22782
#   published   : 2006-10-14
#   reporter    : This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
#   source      : https://www.tenable.com/plugins/nessus/22782
#   title       : Debian DSA-916-1 : inkscape - buffer overflow
#
# Scope: this is a package-version audit (plugin_type "local"). It reads
# knowledge-base entries and compares the installed inkscape version with
# the fixed one; it never parses an SVG file, so a finding means "update
# missing", not "overflow confirmed".

include("compat.inc");

# Registration branch: only script_* declarations run here, then exit(0).
if (description)
{
  script_id(22782);
  script_version("1.21");
  script_cvs_date("Date: 2019/08/02 13:32:19");

  # DSA-916 bundles two distinct issues, so one finding covers both CVEs.
  script_cve_id("CVE-2005-3737", "CVE-2005-3885");
  # NOTE(review): the page's reference list links securityfocus.com/bid/15507
  # for CVE-2005-3737, while this plugin registers 14522 - confirm which BID
  # belongs to which issue.
  script_bugtraq_id(14522);
  script_xref(name:"DSA", value:"916");

  script_name(english:"Debian DSA-916-1 : inkscape - buffer overflow");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  # The line break inside the next string is kept exactly where the page
  # shows it.
  script_set_attribute(
    attribute:"description",
    value:
"Several vulnerabilities have been discovered in Inkscape, a vector-based drawing program. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2005-3737 Joxean Koret discovered a buffer overflow in the SVG parsing routines that can lead to the execution of arbitrary code. 
- CVE-2005-3885 Javier Fernandez-Sanguino Pena noticed that the ps2epsi extension shell script uses a hard-coded temporary file making it vulnerable to symlink attacks."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=321501"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330894"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2005/dsa-916"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the inkscape package. The old stable distribution (woody) does not contain inkscape packages. For the stable distribution (sarge) this problem has been fixed in version 0.41-4.99.sarge2."
  );

  # AV:N/AC:H: the advisory text describes a crafted SVG file as the trigger.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
  # E:POC and exploit_available agree with the Exploit-DB entry listed on
  # the page (EDB-ID:26540); useful when prioritising the update.
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:inkscape");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/12/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/08/09");

  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  # The KB keys required below are presumably filled by ssh_get_info.nasl -
  # confirm against that script.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

# Preconditions: local checks enabled, a Debian release recorded, and a
# package list present in the knowledge base.
if (!get_kb_item("Host/local_checks_enabled"))
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release"))
  audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l"))
  audit(AUDIT_PACKAGE_LIST_MISSING);

# Only release 3.1 (sarge) is compared; the solution text states that woody
# ships no inkscape packages. deb_check comes from debian_package.inc (not
# shown); presumably it is true when the installed package is older than
# the reference version - confirm against the include.
needs_update = deb_check(release:"3.1", prefix:"inkscape", reference:"0.41-4.99.sarge2");

if (!needs_update)
  audit(AUDIT_HOST_NOT, "affected");
else
{
  # Attach the package report only when the scan asks for verbose output.
  if (report_verbosity > 0)
    security_warning(port:0, extra:deb_report_get());
  else
    security_warning(0);
  exit(0);
}
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200511-22.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#
# Listing metadata shown with this plugin on the page:
#   NASL family : Gentoo Local Security Checks
#   NASL id     : GENTOO_GLSA-200511-22.NASL
#   description : same text as the "description" attribute set below
#   last seen   : 2020-06-01
#   modified    : 2020-06-02
#   plugin id   : 20266
#   published   : 2005-12-07
#   reporter    : This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
#   source      : https://www.tenable.com/plugins/nessus/20266
#   title       : GLSA-200511-22 : Inkscape: Buffer overflow
#
# Scope: this is a package-version audit (plugin_type "local"). It compares
# the installed media-gfx/inkscape version with 0.43 and never parses an
# SVG file, so a finding means "update missing", not "overflow confirmed".

include("compat.inc");

# Registration branch: only script_* declarations run here, then exit(0).
if (description)
{
  script_id(20266);
  script_version("1.14");
  script_cvs_date("Date: 2019/08/02 13:32:43");

  script_cve_id("CVE-2005-3737");
  script_xref(name:"GLSA", value:"200511-22");

  script_name(english:"GLSA-200511-22 : Inkscape: Buffer overflow");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-200511-22 (Inkscape: Buffer overflow) Joxean Koret has discovered that Inkscape incorrectly allocates memory when opening an SVG file, creating the possibility of a buffer overflow if the SVG file being opened is specially crafted. Impact : An attacker could entice a user into opening a maliciously crafted SVG file, allowing for the execution of arbitrary code on a machine with the privileges of the user running Inkscape. Workaround : There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200511-22"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"All Inkscape users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=media-gfx/inkscape-0.43'"
  );

  # AV:N/AC:H: per the advisory text above, the victim has to open a crafted
  # SVG file and the code then runs with that user's privileges.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:inkscape");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/11/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/12/07");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/09/30");

  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  # The KB keys required below are presumably filled by ssh_get_info.nasl -
  # confirm against that script.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

# Preconditions: local checks enabled, a Gentoo release recorded, and a
# package list present in the knowledge base.
if (!get_kb_item("Host/local_checks_enabled"))
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release"))
  audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list"))
  audit(AUDIT_PACKAGE_LIST_MISSING);

# Every media-gfx/inkscape below 0.43 is treated as vulnerable, which is
# broader than the 0.41 through 0.42.2 range given in the page summary.
# qpkg_check comes from qpkg.inc (not shown) - confirm its exact matching
# rules against the include.
is_vulnerable = qpkg_check(
  package:"media-gfx/inkscape",
  unaffected:make_list("ge 0.43"),
  vulnerable:make_list("lt 0.43")
);

if (!is_vulnerable)
{
  # Separate "installed but already fixed" from "not installed at all" in
  # the audit trail.
  checked = qpkg_tests_get();
  if (checked)
    audit(AUDIT_PACKAGE_NOT_AFFECTED, checked);
  else
    audit(AUDIT_PACKAGE_NOT_INSTALLED, "Inkscape");
}
else
{
  # Attach the package report only when the scan asks for verbose output.
  if (report_verbosity > 0)
    security_warning(port:0, extra:qpkg_report_get());
  else
    security_warning(0);
  exit(0);
}
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330894
- http://cvs.sourceforge.net/viewcvs.py/inkscape/inkscape/src/style.cpp?r1=1.110&r2=1.110.2.1
- http://secunia.com/advisories/17651
- http://secunia.com/advisories/17662
- http://secunia.com/advisories/17778
- http://secunia.com/advisories/17882
- http://securityreason.com/securityalert/58
- http://www.debian.org/security/2005/dsa-916
- http://www.gentoo.org/security/en/glsa/glsa-200511-22.xml
- http://www.novell.com/linux/security/advisories/2005_28_sr.html
- http://www.securityfocus.com/bid/15507
- http://www.ubuntulinux.org/usn/usn-217-1
- http://www.vupen.com/english/advisories/2005/2511