Vulnerabilities > CVE-2006-4514 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Libgsf
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Heap-based buffer overflow in the ole_info_read_metabat function in Gnome Structured File library (libgsf) 1.14.0, and other versions before 1.14.2, allows context-dependent attackers to execute arbitrary code via a large num_metabat value in an OLE document, which causes the ole_init_info function to allocate insufficient memory.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 4 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-391-1.NASL description A heap overflow was discovered in the OLE processing code in libgsf. If a user were tricked into opening a specially crafted OLE document, an attacker could execute arbitrary code with the user last seen 2020-06-01 modified 2020-06-02 plugin id 27976 published 2007-11-10 reporter Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/27976 title Ubuntu 5.10 / 6.06 LTS / 6.10 : libgsf vulnerability (USN-391-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-391-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(27976); script_version("1.17"); script_cvs_date("Date: 2019/08/02 13:33:01"); script_cve_id("CVE-2006-4514"); script_bugtraq_id(21358); script_xref(name:"USN", value:"391-1"); script_name(english:"Ubuntu 5.10 / 6.06 LTS / 6.10 : libgsf vulnerability (USN-391-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "A heap overflow was discovered in the OLE processing code in libgsf. If a user were tricked into opening a specially crafted OLE document, an attacker could execute arbitrary code with the user's privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/391-1/" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgsf-1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgsf-1-113"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgsf-1-113-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgsf-1-114"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgsf-1-114-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgsf-1-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgsf-1-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgsf-1-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgsf-bin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgsf-gnome-1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgsf-gnome-1-113"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgsf-gnome-1-113-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgsf-gnome-1-114"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgsf-gnome-1-114-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgsf-gnome-1-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgsf-gnome-1-dev"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.10"); script_set_attribute(attribute:"patch_publication_date", value:"2006/12/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/10"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! ereg(pattern:"^(5\.10|6\.06|6\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 5.10 / 6.06 / 6.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"5.10", pkgname:"libgsf-1", pkgver:"1.12.3-3ubuntu3.1")) flag++; if (ubuntu_check(osver:"5.10", pkgname:"libgsf-1-dbg", pkgver:"1.12.3-3ubuntu3.1")) flag++; if (ubuntu_check(osver:"5.10", pkgname:"libgsf-1-dev", pkgver:"1.12.3-3ubuntu3.1")) flag++; if (ubuntu_check(osver:"5.10", pkgname:"libgsf-gnome-1", pkgver:"1.12.3-3ubuntu3.1")) flag++; if (ubuntu_check(osver:"5.10", pkgname:"libgsf-gnome-1-dbg", pkgver:"1.12.3-3ubuntu3.1")) flag++; if (ubuntu_check(osver:"5.10", pkgname:"libgsf-gnome-1-dev", pkgver:"1.12.3-3ubuntu3.1")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"libgsf-1-113", pkgver:"1.13.99-0ubuntu2.1")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"libgsf-1-113-dbg", pkgver:"1.13.99-0ubuntu2.1")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"libgsf-1-common", pkgver:"1.13.99-0ubuntu2.1")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"libgsf-1-dev", pkgver:"1.13.99-0ubuntu2.1")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"libgsf-bin", pkgver:"1.13.99-0ubuntu2.1")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"libgsf-gnome-1-113", pkgver:"1.13.99-0ubuntu2.1")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"libgsf-gnome-1-113-dbg", pkgver:"1.13.99-0ubuntu2.1")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"libgsf-gnome-1-dev", pkgver:"1.13.99-0ubuntu2.1")) flag++; if (ubuntu_check(osver:"6.10", pkgname:"libgsf-1-114", pkgver:"1.14.1-2ubuntu1.1")) flag++; if (ubuntu_check(osver:"6.10", pkgname:"libgsf-1-114-dbg", pkgver:"1.14.1-2ubuntu1.1")) flag++; if (ubuntu_check(osver:"6.10", pkgname:"libgsf-1-common", pkgver:"1.14.1-2ubuntu1.1")) flag++; if (ubuntu_check(osver:"6.10", pkgname:"libgsf-1-dev", pkgver:"1.14.1-2ubuntu1.1")) flag++; if (ubuntu_check(osver:"6.10", pkgname:"libgsf-bin", pkgver:"1.14.1-2ubuntu1.1")) flag++; if (ubuntu_check(osver:"6.10", pkgname:"libgsf-gnome-1-114", pkgver:"1.14.1-2ubuntu1.1")) flag++; if (ubuntu_check(osver:"6.10", pkgname:"libgsf-gnome-1-114-dbg", pkgver:"1.14.1-2ubuntu1.1")) flag++; if (ubuntu_check(osver:"6.10", pkgname:"libgsf-gnome-1-dev", pkgver:"1.14.1-2ubuntu1.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libgsf-1 / libgsf-1-113 / libgsf-1-113-dbg / libgsf-1-114 / etc"); }NASL family SuSE Local Security Checks NASL id SUSE9_11342.NASL description Specially crafted OLE documents enabled attackers to use a heap buffer overlow for executing code. (CVE-2006-4514) last seen 2020-06-01 modified 2020-06-02 plugin id 41108 published 2009-09-24 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41108 title SuSE9 Security Update : libgsf (YOU Patch Number 11342) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2007-0011.NASL description Updated libgsf packages that fix a buffer overflow flaw are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The GNOME Structured File Library is a utility library for reading and writing structured file formats. A heap based buffer overflow flaw was found in the way GNOME Structured File Library processes and certain OLE documents. If an person opened a specially crafted OLE file, it could cause the client application to crash or execute arbitrary code. (CVE-2006-4514) Users of GNOME Structured File Library should upgrade to these updated packages, which contain a backported patch that resolves this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 24024 published 2007-01-17 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/24024 title CentOS 3 / 4 : libgsf (CESA-2007:0011) NASL family SuSE Local Security Checks NASL id SUSE_LIBGSF-2363.NASL description Specially crafted OLE documents enabled attackers to use a heap buffer overlow for executing code. (CVE-2006-4514) last seen 2020-06-01 modified 2020-06-02 plugin id 29501 published 2007-12-13 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/29501 title SuSE 10 Security Update : libgsf (ZYPP Patch Number 2363) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2007-0011.NASL description From Red Hat Security Advisory 2007:0011 : Updated libgsf packages that fix a buffer overflow flaw are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The GNOME Structured File Library is a utility library for reading and writing structured file formats. A heap based buffer overflow flaw was found in the way GNOME Structured File Library processes and certain OLE documents. If an person opened a specially crafted OLE file, it could cause the client application to crash or execute arbitrary code. (CVE-2006-4514) Users of GNOME Structured File Library should upgrade to these updated packages, which contain a backported patch that resolves this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 67437 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67437 title Oracle Linux 3 / 4 : libgsf (ELSA-2007-0011) NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2006-220.NASL description 'infamous41md last seen 2020-06-01 modified 2020-06-02 plugin id 24604 published 2007-02-18 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24604 title Mandrake Linux Security Advisory : libgsf (MDKSA-2006:220) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200612-13.NASL description The remote host is affected by the vulnerability described in GLSA-200612-13 (libgsf: Buffer overflow) last seen 2020-06-01 modified 2020-06-02 plugin id 23865 published 2006-12-14 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/23865 title GLSA-200612-13 : libgsf: Buffer overflow NASL family SuSE Local Security Checks NASL id SUSE_LIBGSF-2364.NASL description Specially crafted OLE documents enabled attackers to use a heap buffer overlow for executing code (CVE-2006-4514). last seen 2020-06-01 modified 2020-06-02 plugin id 27324 published 2007-10-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27324 title openSUSE 10 Security Update : libgsf (libgsf-2364) NASL family SuSE Local Security Checks NASL id SUSE_SA_2006_076.NASL description The remote host is missing the patch for the advisory SUSE-SA:2006:076 (libgsf). The libgsf library is used by various GNOME programs to handle for instance OLE2 data streams. Specially crafted OLE documents enabled attackers to use a heap buffer overflow for potentially executing code. This issue is tracked by the Mitre CVE ID CVE-2006-4514. last seen 2019-10-28 modified 2007-02-18 plugin id 24451 published 2007-02-18 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24451 title SUSE-SA:2006:076: libgsf NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2007-0011.NASL description Updated libgsf packages that fix a buffer overflow flaw are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The GNOME Structured File Library is a utility library for reading and writing structured file formats. A heap based buffer overflow flaw was found in the way GNOME Structured File Library processes and certain OLE documents. If an person opened a specially crafted OLE file, it could cause the client application to crash or execute arbitrary code. (CVE-2006-4514) Users of GNOME Structured File Library should upgrade to these updated packages, which contain a backported patch that resolves this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 24211 published 2007-01-17 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/24211 title RHEL 3 / 4 : libgsf (RHSA-2007:0011)
Oval
| accepted | 2013-04-29T04:19:15.688-04:00 | ||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||
| contributors |
| ||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||
| description | 4.2, allows context-dependent attackers to execute arbitrary code via a large num_metabat value in an OLE document, which causes the ole_init_info function to allocate insufficient memory. | ||||||||||||||||||||
| family | unix | ||||||||||||||||||||
| id | oval:org.mitre.oval:def:9413 | ||||||||||||||||||||
| status | accepted | ||||||||||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||||||||||
| title | Heap-based buffer overflow in the ole_info_read_metabat function in Gnome Structured File library (libgsf) 1.14.0, and other versions before 1.14.2, allows context-dependent attackers to execute arbitrary code via a large num_metabat value in an OLE document, which causes the ole_init_info function to allocate insufficient memory. | ||||||||||||||||||||
| version | 25 |
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
Statements
| contributor | Mark J Cox |
| lastmodified | 2007-03-14 |
| organization | Red Hat |
| statement | Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. |
References
- ftp://patches.sgi.com/support/free/security/advisories/20070101-01-P.asc
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=446
- http://lists.suse.com/archive/suse-security-announce/2006-Dec/0005.html
- http://rhn.redhat.com/errata/RHSA-2007-0011.html
- http://secunia.com/advisories/23164
- http://secunia.com/advisories/23166
- http://secunia.com/advisories/23167
- http://secunia.com/advisories/23227
- http://secunia.com/advisories/23337
- http://secunia.com/advisories/23352
- http://secunia.com/advisories/23355
- http://secunia.com/advisories/23686
- http://secunia.com/advisories/23920
- http://security.gentoo.org/glsa/glsa-200612-13.xml
- http://www.debian.org/security/2006/dsa-1221
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:220
- http://www.securityfocus.com/archive/1/454389/30/9210/threaded
- http://www.securityfocus.com/bid/21358
- http://www.ubuntu.com/usn/usn-391-1
- http://www.vupen.com/english/advisories/2006/4784
- http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf
- https://exchange.xforce.ibmcloud.com/vulnerabilities/30611
- https://issues.rpath.com/browse/RPL-857
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9413