Multiple image viewers multiple security vulnerabilities

[EN] securityvulns.ru
no-pyccku

Multiple image viewers multiple security vulnerabilities
updated since 05.04.2007
Published: 02.11.2007
Source: BUGTRAQ
SecurityVulns ID: 7535
Type: client
Level: 6/10
Description: Multiple buffer overflows on BPM, TIFF, XPM, CLP, PSP, RAS, IFF, PNG images parsing.

Affected: ADOBE : Photoshop CS2
GNU : GIMP 2.2
IRFANVIEW : IrfanView 3.99
ACD : ACDSee 9.0
FASTSTONE : FastStone Image Viewer 2.9
IRFANVIEW : IrfanView 4.0
ADOBE : Photoshop CS3
ADOBE : Photoshop Elements 5.0
COREL : Paint Shop Pro 11.20
ABCVIEW : ABC-View Manager 1.42
XNVIEW : XnView 1.90
PHOTOFILTRE : Photofiltre Studio 8.1
CVE: CVE-2007-4344
CVE-2007-2366 (Buffer overflow in Corel Paint Shop Pro 11.20 allows user-assisted remote attackers to execute arbitrary code via a crafted .PNG file.)
CVE-2007-2366 (Buffer overflow in Corel Paint Shop Pro 11.20 allows user-assisted remote attackers to execute arbitrary code via a crafted .PNG file.)
CVE-2007-2365 (Buffer overflow in Adobe Photoshop CS2 and CS3, and Photoshop Elements 5.0, allows user-assisted remote attackers to execute arbitrary code via a crafted .PNG file.)
CVE-2007-2365 (Buffer overflow in Adobe Photoshop CS2 and CS3, and Photoshop Elements 5.0, allows user-assisted remote attackers to execute arbitrary code via a crafted .PNG file.)
CVE-2007-2363 (Buffer overflow in IrfanView 4.00 and earlier allows user-assisted remote attackers to execute arbitrary code via a crafted .IFF file.)
CVE-2007-2363 (Buffer overflow in IrfanView 4.00 and earlier allows user-assisted remote attackers to execute arbitrary code via a crafted .IFF file.)
CVE-2007-1948 (Buffer overflow in IrfanView 3.99 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via the (1) xoffset or (2) yoffset RLE command, or (3) large non-RLE encoded blocks in a crafted BMP image, as demonstrated by rle8of3.bmp and rle8of4.bmp.)
CVE-2007-1946 (Integer overflow in Windows Explorer in Microsoft Windows XP SP1 might allow user-assisted remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large width dimension in a crafted BMP image, as demonstrated by w4intof.bmp.)
CVE-2007-1943 (Integer overflow in ACDSee Photo Manager 9.0 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via large width image sizes in a crafted BMP image, as demonstrated by w3intof.bmp and w4intof.bmp.)
CVE-2007-1942 (Integer overflow in FastStone Image Viewer 2.9 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via a crafted BMP image, as demonstrated by wh3intof.bmp and wh4intof.bmp.)

Original document SECUNIA, Secunia Research: ACDSee Products Image and Archive Plug-ins Buffer Overflows (02.11.2007)

ifsecure_(at)_gmail.com, Several Windows image viewers vulnerabilities (05.04.2007)

Files: Several Windows image viewers vulnerabilities PoC
IrfanView <= 4.00 .IFF File Buffer Overflow
Gimp v2.2.14 .RAS File SUNRAS Plugin Buffer Overflow
ACDSee v9.0 .XPM File Buffer Overflow
XnView 1.90.3 .XPM File Buffer Overflow
Photoshop CS2/CS3, Paint Shop Pro 11.20 .PNG File Buffer Overflow
FreshView 7.15 .PSP File Buffer Overflow
Adobe Photoshop CS2 / CS3 Unspecified .BMP File Buffer Overflow
Corel Paint Shop Pro Photo v11.20 Unspecified .CLP File Buffer Overflow
Exploits Photofiltre Studio v8.1.1 .TIF File Buffer Overflow
ABC-View Manager 1.42 .PSP File Buffer Overflow
Discuss: Read or add your comments to this news (0 comments)