Overview
A heap overflow vulnerability exists in the XPM handling of GdkPixbuf. This vulnerability can lead to a denial-of-service condition or execution of arbitrary code.
Description
GdkPixbuf is a library used by GTK+ 2 for loading and rendering images. GTK+ is a multi-platform toolkit for creating graphical user interfaces. It is used by the Gnome desktop and other applications. GdkPixbuf contains a heap overflow vulnerability in the pixbuf_create_from_xpm() function of the XPM loading routine. |
Impact
By convincing the user to open a specially crafted XPM file, an attacker could cause a denial of service by crashing the application that uses GdkPixbuf. It may also be possible to execute arbitrary code with the permissions of that application. |
Solution
Apply a patch from your vendor For vendor-specific information regarding vulnerable status and patch availability, please see the vendor section of this document. |
Vendor Information
Debian Affected
Notified: September 17, 2004 Updated: September 20, 2004
Status
Affected
Vendor Statement
The stable Debian distribution (3.0 alias woody) is vulnerable to
several of these problems. The matrix below explains which version
fixes which problem.
| Gtk+2.0 gdk-pixbuf
------------------------+------------------------------------
VU#825374 CAN-2004-0753 | not vuln 0.17.0-2woody2
VU#729894 CAN-2004-0782 | 2.0.2-5woody2 0.17.0-2woody2
VU#369358 CAN-2004-0783 | 2.0.2-5woody2 not vuln
VU#577654 CAN-2004-0788 | 2.0.2-5woody2 0.17.0-2woody2
For the unstable distribution (sid) these problems have been fixed in
version 0.22.0-7 of gdk-pixbuf, and will be fixed soon in Gtk+2.0.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
SuSE Inc. Affected
Notified: September 17, 2004 Updated: September 20, 2004
Status
Affected
Vendor Statement
updated gtk2, gdk-pixbuf packages were already released.
These packages do not contain fixes for the remote denial-of-service
bug referenced by VU#825374 and CAN-2004-0753. This bug will be
fixed as soon as possible.
Our customers can update their systems by using the
YaST Online Update (YOU) tool or installing the RPM
file directly from http://www.suse.de/en/private/download/updates/
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Apple Computer Inc. Not Affected
Notified: September 17, 2004 Updated: January 31, 2005
Status
Not Affected
Vendor Statement
Mac OS X and Mac OS X Server do not contain the software described in this vulnerability note.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Hitachi Not Affected
Notified: September 17, 2004 Updated: September 28, 2004
Status
Not Affected
Vendor Statement
HI-UX/WE2 is NOT Vulnerable to this issue.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
BSDI Unknown
Notified: September 17, 2004 Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Conectiva Unknown
Notified: September 17, 2004 Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Cray Inc. Unknown
Notified: September 17, 2004 Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
EMC Corporation Unknown
Notified: September 17, 2004 Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Engarde Unknown
Notified: September 17, 2004 Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
FreeBSD Unknown
Notified: September 17, 2004 Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Fujitsu Unknown
Notified: September 17, 2004 Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Hewlett-Packard Company Unknown
Notified: September 17, 2004 Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
IBM Unknown
Notified: September 17, 2004 Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
IBM eServer Unknown
Notified: September 17, 2004 Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
IBM-zSeries Unknown
Notified: September 17, 2004 Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Immunix Unknown
Notified: September 17, 2004 Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Ingrian Networks Unknown
Notified: September 17, 2004 Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Juniper Networks Unknown
Notified: September 17, 2004 Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
MandrakeSoft Unknown
Notified: September 17, 2004 Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
MontaVista Software Unknown
Notified: September 17, 2004 Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
NEC Corporation Unknown
Notified: September 17, 2004 Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
NETBSD Unknown
Notified: September 17, 2004 Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Nokia Unknown
Notified: September 17, 2004 Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Novell Unknown
Notified: September 17, 2004 Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
OpenBSD Unknown
Notified: September 17, 2004 Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Openwall GNU/*/Linux Unknown
Notified: September 17, 2004 Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Redhat Unknown
Notified: September 17, 2004 Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
SCO Unknown
Notified: September 17, 2004 Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
SGI Unknown
Notified: September 17, 2004 Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Sequent Unknown
Notified: September 17, 2004 Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Sony Corporation Unknown
Notified: September 17, 2004 Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Sun Microsystems Inc. Unknown
Notified: September 17, 2004 Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
TurboLinux Unknown
Notified: September 17, 2004 Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Unisys Unknown
Notified: September 17, 2004 Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Wind River Systems Inc. Unknown
Notified: September 17, 2004 Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
We have no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
Thanks to Chris Evans for reporting this vulnerability.
This document was written by Will Dormann.
Other Information
| CVE IDs: | CVE-2004-0782 |
| Severity Metric: | 8.86 |
| Date Public: | 2004-09-15 |
| Date First Published: | 2004-10-01 |
| Date Last Updated: | 2004-11-01 20:26 UTC |
| Document Revision: | 14 |