Bug 24399

Summary: CVE-2010-1526: Mono libgdiplus Image Processing Integer Overflow Vulnerabilities
Product: Sisyphus
Reporter: Vladimir Lettiev <crux>
Component: libgdiplus
Assignee: Alexey Shabalin <shaba>
Status: CLOSED FIXED
QA Contact: qa-sisyphus
Severity: blocker
Priority: P3
CC: darktemplar, lav, nbr, sbolshakov, shaba, sin
Version: unstable
Keywords: security
Hardware: all
OS: Linux
URL: http://secunia.com/advisories/40792

Description Vladimir Lettiev 2010-10-23 21:02:06 MSD
1) An integer overflow error within the "gdip_load_tiff_image()" function in src/tiffcodec.c can be exploited to cause a heap-based buffer overflow by e.g. processing specially crafted TIFF images in an application using the library.

2) An integer overflow error within the "gdip_load_jpeg_image_internal()" function in src/jpegcodec.c can be exploited to cause a heap-based buffer overflow by e.g. processing specially crafted JPEG images in an application using the library.

3) An integer overflow error within the "gdip_read_bmp_image()" function in src/bmpcodec.c can be exploited to cause a heap-based buffer overflow by e.g. processing specially crafted BMP images in an application using the library.

The vulnerabilities are confirmed in version 2.6.7. Other versions may also be affected.

Fixed in git: http://github.com/mono/libgdiplus/commit/6779fbf994d5270720ccb1687ba8b004e20a1821
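
The bug class described in items 1 to 3, as an added C example that is not libgdiplus code or the upstream fix: a buffer size computed from header-supplied dimensions in 32-bit arithmetic, beside a checked version that rejects the header before allocating. The function names, the 4-byte row padding and the INT32_MAX cap are assumptions of this sketch.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed policy cap for this sketch: no decoded image above INT32_MAX bytes. */
#define MAX_IMAGE_BYTES ((uint64_t)INT32_MAX)

/* Unchecked pattern: the product is computed in 32 bits and wraps modulo 2^32,
 * so the allocation can be far smaller than the rows later written into it. */
uint32_t unchecked_image_bytes(uint32_t width, uint32_t height,
                               uint32_t bytes_per_pixel)
{
    return width * height * bytes_per_pixel;
}

/* Checked pattern: widen to 64 bits and bound every intermediate value against
 * the cap. Returns 0 and stores the size in *out on success, -1 if a dimension
 * is zero or the image would exceed the cap. */
int checked_image_bytes(uint32_t width, uint32_t height,
                        uint32_t bytes_per_pixel, uint64_t *out)
{
    uint64_t stride, total;

    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return -1;
    stride = (uint64_t)width * bytes_per_pixel;  /* below 2^64, cannot wrap */
    if (stride > MAX_IMAGE_BYTES - 3)
        return -1;
    stride = (stride + 3) & ~(uint64_t)3;        /* pad rows to 4 bytes (assumed layout) */
    total = stride * height;                     /* below 2^31 * 2^32, cannot wrap */
    if (total > MAX_IMAGE_BYTES)
        return -1;
    *out = total;
    return 0;
}

int main(void)
{
    uint64_t n = 0;
    /* Constructed header values: 0x4001 x 0x10000 pixels, 4 bytes per pixel. */
    printf("unchecked: %u bytes\n",
           (unsigned)unchecked_image_bytes(0x4001, 0x10000, 4));
    printf("checked:   %d\n", checked_image_bytes(0x4001, 0x10000, 4, &n));
    return 0;
}
```

With the constructed dimensions the unchecked product wraps to 0x40000 bytes for an image that needs about 4 GiB, while the checked version returns -1.
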
Comment 1 Repository Robot 2011-03-14 14:17:35 MSK
libgdiplus-2.6.7-alt2 -> sisyphus:

* Mon Mar 14 2011 Alexey Shabalin <shaba@altlinux> 2.6.7-alt2
- snapshot of 2.6 branch (20101015)
- fixed CVE-2010-1526 (ALT #24399)