NASLDB: FreeBSD : xloadimage -- buffer overflows in NIFF image title handling (2f0cb4bb-416d-11da-99fe-000854d03344)
General
ID: 21409
Name: FreeBSD : xloadimage — buffer overflows in NIFF image title handling (2f0cb4bb-416d-11da-99fe-000854d03344)
Summary: Checks for updated packages in pkg_info output
Credits: Tenable Network Security, Inc.
Classification
Risk: –
CVSS: –
CVSS Base Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P
CVSS Temporal Vector: CVSS2#E:U/RL:OF/RC:ND
Port: 0
Family: FreeBSD Local Security Checks
Type: Local
Description
Ariel Berkman reports:
Unlike most of the supported image formats in xloadimage, the NIFF
image format can store a title name of arbitrary length as part of the
image file.
When xloadimage is processing a loaded image, it is creating a new
Image object and then writing the processed image to it. At that
point, it will also copy the title from the old image to the newly
created image.
The ‘zoom’, ‘reduce’, and ‘rotate’ functions are using a fixed length
buffer to construct the new title name when an image processing is
done. Since the title name in a NIFF format is of varying length, and
there are insufficient buffer size validations, the buffer can be
overflowed.
Exploiting
Exploit Available: False
Exploitability Ease: No known exploits are available
Sources
CVE: CVE-2005-3178
OSVDB: –
Bugtraq: –
scipID: –
Timeline
Vulnerability Disclosure: 2005/10/05
Patch Release: 2005/10/20
Plugin Release: 2006/05/13
Plugin
Version: 1.9
Filename: freebsd_pkg_2f0cb4bb416d11da99fe000854d03344.nasl
Filesize: 5067 bytes
MD5 Hash: 4138ca9e97f63fdef7aaf8804ebcdb49
Identification: Host/local_checks_enabled
Require Keys: "Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"
Dependencies: "ssh_get_info.nasl"
Copyright: This script is © 2006-2011 Tenable Network Security, Inc.