Executive Summary

Summary
TitleNew netpbm-free packages fix denial of service
Informations
NameDSA-2026First vendor Publication2010-04-02
VendorDebianLast vendor Modification2010-04-02
Severity (Vendor) N/ARevision1

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score7.5Attack RangeNetwork
Cvss Impact Score6.4Attack ComplexityLow
Cvss Expoit Score10AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

Marc Schoenefeld discovered a stack-based buffer overflow in the XPM reader implementation in netpbm-free, a suite of image manipulation utilities. An attacker could cause a denial of service (application crash) or possibly execute arbitrary code via an XPM image file that contains a crafted header field associated with a large color index value.

For the stable distribution (lenny), this problem has been fixed in version 2:10.0-12+lenny1.

For the testing distribution (squeeze), this problem has been fixed in version 2:10.0-12.1+squeeze1.

For the unstable distribution (sid), this problem will be fixed soon.

Due to a problem with the archive system it is not possible to release all architectures. The missing architectures will be installed into the archive once they become available.

We recommend that you upgrade your netpbm-free package.

Original Source

Url : http://www.debian.org/security/2010/dsa-2026

CWE : Common Weakness Enumeration

idName
CWE-119Failure to Constrain Operations within the Bounds of a Memory Buffer

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:6850
 
Oval ID: oval:org.mitre.oval:def:6850
Title: DSA-2026 netpbm-free -- stack-based buffer overflow
Description: Marc Schoenefeld discovered a stack-based buffer overflow in the XPM reader implementation in netpbm-free, a suite of image manipulation utilities. An attacker could cause a denial of service or possibly execute arbitrary code via an XPM image file that contains a crafted header field associated with a large color index value.
Family: unix Class: patch
Reference(s): DSA-2026
CVE-2009-4274
Version: 5
Platform(s): Debian GNU/Linux 5.0
Product(s): netpbm-free
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18400
 
Oval ID: oval:org.mitre.oval:def:18400
Title: DSA-2026-1 netpbm-free - buffer overflow
Description: Marc Schoenefeld discovered a stack-based buffer overflow in the XPM reader implementation in netpbm-free, a suite of image manipulation utilities. An attacker could cause a denial of service (application crash) or possibly execute arbitrary code via an XPM image file that contains a crafted header field associated with a large color index value.
Family: unix Class: patch
Reference(s): DSA-2026-1
CVE-2009-4274
Version: 5
Platform(s): Debian GNU/Linux 5.0
Product(s): netpbm-free
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13348
 
Oval ID: oval:org.mitre.oval:def:13348
Title: USN-934-1 -- netpbm-free vulnerability
Description: Marc Schoenefeld discovered a buffer overflow in Netpbm when loading certain images. If a user or automated system were tricked into opening a specially crafted XPM image, a remote attacker could crash Netpbm. The default compiler options for affected releases should reduce the vulnerability to a denial of service.
Family: unix Class: patch
Reference(s): USN-934-1
CVE-2009-4274
Version: 5
Platform(s): Ubuntu 8.04
Ubuntu 9.04
Ubuntu 9.10
Product(s): netpbm-free
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application101

OpenVAS Exploits

DateDescription
2012-07-30Name : CentOS Update for netpbm CESA-2011:1811 centos4 x86_64
File : nvt/gb_CESA-2011_1811_netpbm_centos4_x86_64.nasl
2012-07-30Name : CentOS Update for netpbm CESA-2011:1811 centos5 x86_64
File : nvt/gb_CESA-2011_1811_netpbm_centos5_x86_64.nasl
2011-12-16Name : RedHat Update for netpbm RHSA-2011:1811-01
File : nvt/gb_RHSA-2011_1811-01_netpbm.nasl
2011-12-16Name : CentOS Update for netpbm CESA-2011:1811 centos4 i386
File : nvt/gb_CESA-2011_1811_netpbm_centos4_i386.nasl
2011-12-16Name : CentOS Update for netpbm CESA-2011:1811 centos5 i386
File : nvt/gb_CESA-2011_1811_netpbm_centos5_i386.nasl
2010-04-30Name : Ubuntu Update for netpbm-free vulnerability USN-934-1
File : nvt/gb_ubuntu_USN_934_1.nasl
2010-02-19Name : Mandriva Update for netpbm MDVSA-2010:039 (netpbm)
File : nvt/gb_mandriva_MDVSA_2010_039.nasl
2010-02-17Name : NetPBM 'xpmtoppm' Converter Buffer Overflow Vulnerability
File : nvt/gb_netpbm_xpmtoppm_bof_vuln.nasl
2010-01-22Name : Mandriva Update for dbus-glib MDVA-2010:039 (dbus-glib)
File : nvt/gb_mandriva_MDVA_2010_039.nasl

Open Source Vulnerability Database (OSVDB)

idDescription
62270NetPBM xpmtoppm XPM File Handling Overflow

Nessus® Vulnerability Scanner

DateDescription
2013-11-13Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201311-08.nasl - Type : ACT_GATHER_INFO
2013-07-12Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2011-1811.nasl - Type : ACT_GATHER_INFO
2012-08-01Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20111212_netpbm_on_SL4_x.nasl - Type : ACT_GATHER_INFO
2011-12-13Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2011-1811.nasl - Type : ACT_GATHER_INFO
2011-12-13Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2011-1811.nasl - Type : ACT_GATHER_INFO
2010-10-11Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_libnetpbm-6852.nasl - Type : ACT_GATHER_INFO
2010-04-30Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-934-1.nasl - Type : ACT_GATHER_INFO
2010-04-03Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2026.nasl - Type : ACT_GATHER_INFO
2010-03-08Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_libnetpbm-devel-100216.nasl - Type : ACT_GATHER_INFO
2010-03-08Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_libnetpbm-6851.nasl - Type : ACT_GATHER_INFO
2010-03-08Name : The remote openSUSE host is missing a security update.
File : suse_11_2_libnetpbm-devel-100216.nasl - Type : ACT_GATHER_INFO
2010-03-08Name : The remote SuSE 9 host is missing a security-related patch.
File : suse9_12588.nasl - Type : ACT_GATHER_INFO
2010-03-08Name : The remote openSUSE host is missing a security update.
File : suse_11_1_libnetpbm-devel-100216.nasl - Type : ACT_GATHER_INFO
2010-03-08Name : The remote openSUSE host is missing a security update.
File : suse_11_0_libnetpbm-devel-100216.nasl - Type : ACT_GATHER_INFO
2010-02-18Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2010-039.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
DateInformations
2014-02-17 11:29:21
  • Multiple Updates