Bug 24399

Summary:	CVE-2010-1526: Mono libgdiplus Image Processing Integer Overflow Vulnerabilities
Product:	Sisyphus	Reporter:	Vladimir Lettiev <crux>
Component:	libgdiplus	Assignee:	protvin <protvin>
Status:	CLOSED FIXED	QA Contact:	qa-sisyphus
Severity:	blocker
Priority:	P3	CC:	protvin
Version:	unstable	Keywords:	security
Hardware:	all
OS:	Linux
URL:	http://secunia.com/advisories/40792

Description Vladimir Lettiev 2010-10-23 21:02:06 MSD

1) An integer overflow error within the "gdip_load_tiff_image()" function in src/tiffcodec.c can be exploited to cause a heap-based buffer overflow by e.g. processing specially crafted TIFF images in an application using the library.

2) An integer overflow error within the "gdip_load_jpeg_image_internal()" function in src/jpegcodec.c can be exploited to cause a heap-based buffer overflow by e.g. processing specially crafted JPEG images in an application using the library.

3) An integer overflow error within the "gdip_read_bmp_image()" function in src/bmpcodec.c can be exploited to cause a heap-based buffer overflow by e.g. processing specially crafted BMP images in an application using the library.

The vulnerabilities are confirmed in version 2.6.7. Other versions may also be affected.

Fixed in git: http://github.com/mono/libgdiplus/commit/6779fbf994d5270720ccb1687ba8b004e20a1821

Comment 1 Repository Robot 2011-03-14 14:17:35 MSK

libgdiplus-2.6.7-alt2 -> sisyphus:

* Mon Mar 14 2011 Alexey Shabalin <shaba@altlinux> 2.6.7-alt2
- snapshot of 2.6 branch (20101015)
- fixed CVE-2010-1526 (ALT #24399)