Date: Fri, 3 Jul 2009 21:09:32 +0100
From: Andrea Barisani <lcars@ocert.org.>
To: [email protected], [email protected],
Subject: [oCERT-2009-008] Dillo integer overflow
Message-ID: <20090703200932.GF6089@inversepath.com.>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-GPG-Key: 0x864C9B9E
X-GPG-Fingerprint: 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
User-Agent: Mutt/1.5.17+20080114 (2008-01-14)
X-Virus-Scanned: antivirus-gw at tyumen.ru
#2009-008 Dillo integer overflow
Description:
Dillo, an open source graphical web browser, suffers from an integer overflow
which may lead to a potentially exploitable heap overflow and result in
arbitrary code execution.
The vulnerability is triggered by HTML pages with embedded PNG images, the
Png_datainfo_callback function does not properly validate the width and
height of the image. Specific PNG images with large width and height can be
crafted to trigger the vulnerability.
Affected version:
Dillo <= 2.1
Fixed version:
Dillo >= 2.1.1
Credit: vulnerability report and PoC code received from Tielei Wang
<wangtielei [at] icst [dot] pku [dot] edu [dot] cn>, ICST-ERCIS.
CVE: CVE-2009-2294
Timeline:
2009-05-21: vulnerability reported received
2009-06-18: contacted dillo maintainer
2009-06-18: maintainer requests PoC
2009-06-19: PoC is supplied
2009-06-19: maintainer provides patch
2009-06-24: revised patch is provided after reporter feedback
2009-06-25: patch is confirmed, maintainer requests one week of time to
investigate further areas of the browser
2009-07-01: dillo developer proposes security release coordination
2009-07-03: advisory release
Permalink:
http://www.ocert.org/advisories/ocert-2009-008.html
--
Andrea Barisani | Founder & Project Coordinator
oCERT | Open Source Computer Emergency Response Team
<lcars@ocert.org.> http://www.ocert.org
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"