Vulnerabilities > CVE-2007-0619 - Buffer Overflow vulnerability in CHM Lib
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
chmlib before 0.39 allows user-assisted remote attackers to execute arbitrary code via a crafted page block length in a CHM file, which triggers memory corruption. Update to version 0.39.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_CHMLIB-2595.NASL description This update of chmlib fixes a vulnerability that allowed the execution of arbitrary code. CVE-2007-0619 last seen 2020-06-01 modified 2020-06-02 plugin id 27172 published 2007-10-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27172 title openSUSE 10 Security Update : chmlib (chmlib-2595) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update chmlib-2595. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(27172); script_version ("1.12"); script_cvs_date("Date: 2019/10/25 13:36:29"); script_name(english:"openSUSE 10 Security Update : chmlib (chmlib-2595)"); script_summary(english:"Check for the chmlib-2595 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update of chmlib fixes a vulnerability that allowed the execution of arbitrary code. CVE-2007-0619" ); script_set_attribute( attribute:"solution", value:"Update the affected chmlib packages." ); script_set_attribute(attribute:"risk_factor", value:"High"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:chmlib"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:chmlib-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.2"); script_set_attribute(attribute:"patch_publication_date", value:"2007/02/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE10\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.2", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE10.2", reference:"chmlib-0.39-1.2") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"chmlib-devel-0.39-1.2") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "chmlib"); }NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200702-12.NASL description The remote host is affected by the vulnerability described in GLSA-200702-12 (CHMlib: User-assisted remote execution of arbitrary code) When certain CHM files that contain tables and objects stored in pages are parsed by CHMlib, an unsanitized value is passed to the alloca() function resulting in a shift of the stack pointer to arbitrary memory locations. Impact : An attacker could entice a user to open a specially crafted CHM file, resulting in the execution of arbitrary code with the permissions of the user viewing the file. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 24732 published 2007-02-28 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24732 title GLSA-200702-12 : CHMlib: User-assisted remote execution of arbitrary code
References
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=468
- http://morte.jedrea.com/~jedwin/projects/chmlib/
- http://secunia.com/advisories/23975
- http://secunia.com/advisories/24335
- http://security.gentoo.org/glsa/glsa-200702-12.xml
- http://securitytracker.com/id?1017565
- http://www.novell.com/linux/security/advisories/2007_3_sr.html
- http://www.securityfocus.com/bid/22258
- http://www.vupen.com/english/advisories/2007/0361