Executive Summary
| Summary | |
|---|---|
| Title | New netpbm-free packages fix denial of service |
| Informations | |||
|---|---|---|---|
| Name | DSA-2026 | First vendor Publication | 2010-04-02 |
| Vendor | Debian | Last vendor Modification | 2010-04-02 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 7.5 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Marc Schoenefeld discovered a stack-based buffer overflow in the XPM reader implementation in netpbm-free, a suite of image manipulation utilities. An attacker could cause a denial of service (application crash) or possibly execute arbitrary code via an XPM image file that contains a crafted header field associated with a large color index value. For the stable distribution (lenny), this problem has been fixed in version 2:10.0-12+lenny1. For the testing distribution (squeeze), this problem has been fixed in version 2:10.0-12.1+squeeze1. For the unstable distribution (sid), this problem will be fixed soon. Due to a problem with the archive system it is not possible to release all architectures. The missing architectures will be installed into the archive once they become available. We recommend that you upgrade your netpbm-free package. |
Original Source
| Url : http://www.debian.org/security/2010/dsa-2026 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:13348 | |||
| Oval ID: | oval:org.mitre.oval:def:13348 | ||
| Title: | USN-934-1 -- netpbm-free vulnerability | ||
| Description: | Marc Schoenefeld discovered a buffer overflow in Netpbm when loading certain images. If a user or automated system were tricked into opening a specially crafted XPM image, a remote attacker could crash Netpbm. The default compiler options for affected releases should reduce the vulnerability to a denial of service. | ||
| Family: | unix | Class: | patch |
| Reference(s): | USN-934-1 CVE-2009-4274 | Version: | 5 |
| Platform(s): | Ubuntu 8.04 Ubuntu 9.04 Ubuntu 9.10 | Product(s): | netpbm-free |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:18400 | |||
| Oval ID: | oval:org.mitre.oval:def:18400 | ||
| Title: | DSA-2026-1 netpbm-free - buffer overflow | ||
| Description: | Marc Schoenefeld discovered a stack-based buffer overflow in the XPM reader implementation in netpbm-free, a suite of image manipulation utilities. An attacker could cause a denial of service (application crash) or possibly execute arbitrary code via an XPM image file that contains a crafted header field associated with a large color index value. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-2026-1 CVE-2009-4274 | Version: | 5 |
| Platform(s): | Debian GNU/Linux 5.0 | Product(s): | netpbm-free |
| Definition Synopsis: | |||
| Definition Id: oval:org.mitre.oval:def:6850 | |||
| Oval ID: | oval:org.mitre.oval:def:6850 | ||
| Title: | DSA-2026 netpbm-free -- stack-based buffer overflow | ||
| Description: | Marc Schoenefeld discovered a stack-based buffer overflow in the XPM reader implementation in netpbm-free, a suite of image manipulation utilities. An attacker could cause a denial of service or possibly execute arbitrary code via an XPM image file that contains a crafted header field associated with a large color index value. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-2026 CVE-2009-4274 | Version: | 5 |
| Platform(s): | Debian GNU/Linux 5.0 | Product(s): | netpbm-free |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Description |
|---|---|
| 2012-07-30 | Name : CentOS Update for netpbm CESA-2011:1811 centos4 x86_64 File : nvt/gb_CESA-2011_1811_netpbm_centos4_x86_64.nasl |
| 2012-07-30 | Name : CentOS Update for netpbm CESA-2011:1811 centos5 x86_64 File : nvt/gb_CESA-2011_1811_netpbm_centos5_x86_64.nasl |
| 2011-12-16 | Name : CentOS Update for netpbm CESA-2011:1811 centos4 i386 File : nvt/gb_CESA-2011_1811_netpbm_centos4_i386.nasl |
| 2011-12-16 | Name : CentOS Update for netpbm CESA-2011:1811 centos5 i386 File : nvt/gb_CESA-2011_1811_netpbm_centos5_i386.nasl |
| 2011-12-16 | Name : RedHat Update for netpbm RHSA-2011:1811-01 File : nvt/gb_RHSA-2011_1811-01_netpbm.nasl |
| 2010-04-30 | Name : Ubuntu Update for netpbm-free vulnerability USN-934-1 File : nvt/gb_ubuntu_USN_934_1.nasl |
| 2010-02-19 | Name : Mandriva Update for netpbm MDVSA-2010:039 (netpbm) File : nvt/gb_mandriva_MDVSA_2010_039.nasl |
| 2010-02-17 | Name : NetPBM 'xpmtoppm' Converter Buffer Overflow Vulnerability File : nvt/gb_netpbm_xpmtoppm_bof_vuln.nasl |
| 2010-01-22 | Name : Mandriva Update for dbus-glib MDVA-2010:039 (dbus-glib) File : nvt/gb_mandriva_MDVA_2010_039.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 62270 | NetPBM xpmtoppm XPM File Handling Overflow |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2013-11-13 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201311-08.nasl - Type : ACT_GATHER_INFO |
| 2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2011-1811.nasl - Type : ACT_GATHER_INFO |
| 2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20111212_netpbm_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
| 2011-12-13 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2011-1811.nasl - Type : ACT_GATHER_INFO |
| 2011-12-13 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-1811.nasl - Type : ACT_GATHER_INFO |
| 2010-10-11 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_libnetpbm-6852.nasl - Type : ACT_GATHER_INFO |
| 2010-04-30 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-934-1.nasl - Type : ACT_GATHER_INFO |
| 2010-04-03 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2026.nasl - Type : ACT_GATHER_INFO |
| 2010-03-08 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12588.nasl - Type : ACT_GATHER_INFO |
| 2010-03-08 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_libnetpbm-devel-100216.nasl - Type : ACT_GATHER_INFO |
| 2010-03-08 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_libnetpbm-devel-100216.nasl - Type : ACT_GATHER_INFO |
| 2010-03-08 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_libnetpbm-devel-100216.nasl - Type : ACT_GATHER_INFO |
| 2010-03-08 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libnetpbm-devel-100216.nasl - Type : ACT_GATHER_INFO |
| 2010-03-08 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_libnetpbm-6851.nasl - Type : ACT_GATHER_INFO |
| 2010-02-18 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2010-039.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:29:21 |
|
