CVE-2009-2660 - Numeric Errors vulnerability in JUN Furuse Camlimages 2.2
- Attack vector: UNKNOWN
- Attack complexity: UNKNOWN
- Privileges required: UNKNOWN
- Confidentiality impact: UNKNOWN
- Integrity impact: UNKNOWN
- Availability impact: UNKNOWN

Summary
Multiple integer overflows in CamlImages 2.2 might allow context-dependent attackers to execute arbitrary code via images containing large width and height values that trigger a heap-based buffer overflow, related to (1) crafted GIF files (gifread.c) and (2) crafted JPEG files (jpegread.c), a different vulnerability than CVE-2009-2295.
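The overflow class the summary describes, shown next to a checked size calculation. This is an added example, not CamlImages source and not code from this page; the function names, the bytes-per-pixel parameter and the `MAX_DIM` cap are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical per-dimension cap (an assumption, not a CamlImages value). */
#define MAX_DIM 65535u

/* Unchecked pattern: the product is computed in 32 bits, so large header
 * values wrap and the result can be far smaller than the pixel data. */
static uint32_t unchecked_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;            /* wraps modulo 2^32 */
}

/* Checked pattern: reject implausible dimensions, then test every
 * multiplication against SIZE_MAX before performing it. */
static int checked_size(uint32_t width, uint32_t height, uint32_t bpp,
                        size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0) return -1;
    if (width > MAX_DIM || height > MAX_DIM) return -1;
    if ((size_t)width > SIZE_MAX / bpp) return -1;
    size_t row = (size_t)width * bpp;
    if (row > SIZE_MAX / height) return -1;
    *out = row * height;
    return 0;
}

/* Allocation wrapper a decoder would call once the header is parsed. */
static unsigned char *alloc_pixels(uint32_t w, uint32_t h, uint32_t bpp)
{
    size_t n;
    if (checked_size(w, h, bpp, &n) != 0) return NULL;
    return malloc(n);
}

int main(void)
{
    /* Constructed header values: 65536 x 65537 at one byte per pixel. */
    printf("unchecked: %u bytes\n",
           (unsigned)unchecked_size(0x10000u, 0x10001u, 1));
    unsigned char *p = alloc_pixels(0x10000u, 0x10001u, 1);
    printf("checked:   %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

With the unchecked calculation, the decoder allocates 65536 bytes for an image whose header claims over four billion pixels, and the copy loop that follows writes past the end of the heap buffer.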
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Common Weakness Enumeration (CWE)
Nessus
- NASL family: Debian Local Security Checks
- NASL id: DEBIAN_DSA-1912.NASL
- description: It was discovered that CamlImages, an open source image processing library, suffers from several integer overflows, which may lead to a potentially exploitable heap overflow and result in arbitrary code execution. This advisory addresses issues with the reading of TIFF files. It also expands the patch for CVE-2009-2660 to cover another potential overflow in the processing of JPEG images.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 44777
- published: 2010-02-24
- reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/44777
- title: Debian DSA-1912-1 : camlimages - integer overflow
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-1912. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(44777);
  script_version("1.11");
  script_cvs_date("Date: 2019/08/02 13:32:22");

  script_cve_id("CVE-2009-2660", "CVE-2009-3296");
  script_bugtraq_id(36713);
  script_xref(name:"DSA", value:"1912");

  script_name(english:"Debian DSA-1912-1 : camlimages - integer overflow");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"It was discovered that CamlImages, an open source image processing
library, suffers from several integer overflows, which may lead to a
potentially exploitable heap overflow and result in arbitrary code
execution. This advisory addresses issues with the reading of TIFF
files. It also expands the patch for CVE-2009-2660 to cover another
potential overflow in the processing of JPEG images."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2009-2660"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2009/dsa-1912"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the camlimages package.

For the oldstable distribution (etch), this problem has been fixed in
version 2.20-8+etch3.

For the stable distribution (lenny), this problem has been fixed in
version 1:2.2.0-4+lenny3."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(189);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:camlimages");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2009/10/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/24");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (deb_check(release:"4.0", prefix:"libcamlimages-ocaml", reference:"2.20-8+etch3")) flag++;
if (deb_check(release:"4.0", prefix:"libcamlimages-ocaml-dev", reference:"2.20-8+etch3")) flag++;
if (deb_check(release:"4.0", prefix:"libcamlimages-ocaml-doc", reference:"2.20-8+etch3")) flag++;
if (deb_check(release:"5.0", prefix:"libcamlimages-ocaml", reference:"1:2.2.0-4+lenny3")) flag++;
if (deb_check(release:"5.0", prefix:"libcamlimages-ocaml-dev", reference:"1:2.2.0-4+lenny3")) flag++;
if (deb_check(release:"5.0", prefix:"libcamlimages-ocaml-doc", reference:"1:2.2.0-4+lenny3")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```

- NASL family: Gentoo Local Security Checks
- NASL id: GENTOO_GLSA-201006-02.NASL
- description: The remote host is affected by the vulnerability described in GLSA-201006-02 (CamlImages: User-assisted execution of arbitrary code) Tielei Wang reported multiple integer overflows, possibly leading to heap-based buffer overflows in the (1) read_png_file() and read_png_file_as_rgb24() functions, when processing a PNG image (CVE-2009-2295) and (2) gifread.c and jpegread.c files when processing GIF or JPEG images (CVE-2009-2660). Other integer overflows were also found in tiffread.c (CVE-2009-3296). Impact : A remote attacker could entice a user to open a specially crafted, overly large PNG, GIF, TIFF, or JPEG image using an application that uses the CamlImages library, possibly resulting in the execution of arbitrary code with the privileges of the user running the application. Workaround : There is no known workaround at this time.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 46769
- published: 2010-06-02
- reporter: This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/46769
- title: GLSA-201006-02 : CamlImages: User-assisted execution of arbitrary code
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 201006-02.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(46769);
  script_version("1.10");
  script_cvs_date("Date: 2019/08/02 13:32:45");

  script_cve_id("CVE-2009-2295", "CVE-2009-2660", "CVE-2009-3296");
  script_bugtraq_id(35556, 36713);
  script_xref(name:"GLSA", value:"201006-02");

  script_name(english:"GLSA-201006-02 : CamlImages: User-assisted execution of arbitrary code");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-201006-02
(CamlImages: User-assisted execution of arbitrary code)

    Tielei Wang reported multiple integer overflows, possibly leading to
    heap-based buffer overflows in the (1) read_png_file() and
    read_png_file_as_rgb24() functions, when processing a PNG image
    (CVE-2009-2295) and (2) gifread.c and jpegread.c files when processing
    GIF or JPEG images (CVE-2009-2660).
    Other integer overflows were also found in tiffread.c (CVE-2009-3296).

Impact :

    A remote attacker could entice a user to open a specially crafted,
    overly large PNG, GIF, TIFF, or JPEG image using an application that
    uses the CamlImages library, possibly resulting in the execution of
    arbitrary code with the privileges of the user running the application.

Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/201006-02"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"All CamlImages users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose =dev-ml/camlimages-3.0.2"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(189);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:camlimages");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2010/06/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/06/02");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

if (qpkg_check(package:"dev-ml/camlimages", unaffected:make_list("ge 3.0.2"), vulnerable:make_list("lt 3.0.2"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "CamlImages");
}
```

- NASL family: Debian Local Security Checks
- NASL id: DEBIAN_DSA-1857.NASL
- description: Tielei Wang discovered that CamlImages, an open source image processing library, suffers from several integer overflows which may lead to a potentially exploitable heap overflow and result in arbitrary code execution. This advisory addresses issues with the reading of JPEG and GIF Images, while DSA 1832-1 addressed the issue with PNG images.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 44722
- published: 2010-02-24
- reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/44722
- title: Debian DSA-1857-1 : camlimages - integer overflow
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-1857. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(44722);
  script_version("1.9");
  script_cvs_date("Date: 2019/08/02 13:32:22");

  script_cve_id("CVE-2009-2660");
  script_xref(name:"DSA", value:"1857");

  script_name(english:"Debian DSA-1857-1 : camlimages - integer overflow");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Tielei Wang discovered that CamlImages, an open source image
processing library, suffers from several integer overflows which may
lead to a potentially exploitable heap overflow and result in
arbitrary code execution. This advisory addresses issues with the
reading of JPEG and GIF Images, while DSA 1832-1 addressed the issue
with PNG images."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=540146"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2009/dsa-1857"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the camlimages package.

For the oldstable distribution (etch), this problem has been fixed in
version 2.20-8+etch2.

For the stable distribution (lenny), this problem has been fixed in
version 1:2.2.0-4+lenny2."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_cwe_id(189);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:camlimages");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2009/08/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/24");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (deb_check(release:"4.0", prefix:"libcamlimages-ocaml", reference:"2.20-8+etch2")) flag++;
if (deb_check(release:"4.0", prefix:"libcamlimages-ocaml-dev", reference:"2.20-8+etch2")) flag++;
if (deb_check(release:"4.0", prefix:"libcamlimages-ocaml-doc", reference:"2.20-8+etch2")) flag++;
if (deb_check(release:"5.0", prefix:"libcamlimages-ocaml", reference:"1:2.2.0-4+lenny2")) flag++;
if (deb_check(release:"5.0", prefix:"libcamlimages-ocaml-dev", reference:"1:2.2.0-4+lenny2")) flag++;
if (deb_check(release:"5.0", prefix:"libcamlimages-ocaml-doc", reference:"1:2.2.0-4+lenny2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```

References
- https://bugs.gentoo.org/attachment.cgi?id=199108
- http://www.openwall.com/lists/oss-security/2009/07/25/2
- https://bugs.gentoo.org/show_bug.cgi?id=276235
- http://www.securityfocus.com/bid/35999
- http://www.debian.org/security/2009/dsa-1857
- ftp://ftp.debian.org/debian/pool/main/c/camlimages/camlimages_3.0.1-3.diff.gz
- http://security.debian.org/pool/updates/main/c/camlimages/camlimages_2.20-8+etch3.diff.gz
- http://www.debian.org/security/2009/dsa-1912
- ftp://ftp.debian.org/debian/pool/main/c/camlimages/camlimages_2.2.0-4+lenny2.diff.gz
- http://secunia.com/advisories/37067
- ftp://ftp.debian.org/debian/pool/main/c/camlimages/camlimages_2.20-8+etch2.diff.gz
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=540146
- http://security.debian.org/pool/updates/main/c/camlimages/camlimages_2.2.0-4+lenny3.diff.gz
- https://exchange.xforce.ibmcloud.com/vulnerabilities/52649
- http://camlcvs.inria.fr/cgi-bin/cvsweb.cgi/bazar-ocaml/camlimages/src/jpegread.c.diff?r1=1.3%3Br2=1.4%3Bsortby=date%3Bf=h