CVE-2010-4543 : Détail

CVE-2010-4543

Overflow
29.26%V4
Network
2011-01-07
18h00 +00:00
2018-07-20
15h57 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

Heap-based buffer overflow in the read_channel_data function in file-psp.c in the Paint Shop Pro (PSP) plugin in GIMP 2.6.11 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a PSP_COMP_RLE (aka RLE compression) image file that begins a long run count at the end of the image. NOTE: some of these details are obtained from third party information.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-787 Out-of-bounds Write
The product writes data past the end, or before the beginning, of the intended buffer.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 35162

Date de publication : 2010-12-30 23h00 +00:00
Auteur : non customers
EDB Vérifié : Yes

source: https://www.securityfocus.com/bid/45647/info GIMP is prone to multiple remote stack-based buffer-overflow vulnerabilities because it fails to perform adequate checks on user-supplied input. Successfully exploiting these issues may allow remote attackers to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions. GIMP 2.6.11 is vulnerable; other versions may also be affected. 000010 IDENTIFICATION DIVISION. 000020 PROGRAM-ID. GIMP-OVERFLOWS-POC-IN-COBOL. 000030 AUTHOR. NON-CUSTOMERS CREW. 000040*SHOE SIZE DECLARATION. 43. 000050 000060 ENVIRONMENT DIVISION. 000070 INPUT-OUTPUT SECTION. 000080 FILE-CONTROL. 000090 SELECT FILE01 ASSIGN TO "GIMP01.LIGHTINGPRESETS" 000100 ORGANIZATION IS LINE SEQUENTIAL. 000110 SELECT FILE02 ASSIGN TO "GIMP02.SPHEREDESIGNER" 000120 ORGANIZATION IS LINE SEQUENTIAL. 000130 SELECT FILE03 ASSIGN TO "GIMP03.GFIG" 000140 ORGANIZATION IS LINE SEQUENTIAL. 000150* FOR THE 4TH OVERFLOW, SEE BELOW. 000160 000170 DATA DIVISION. 000180 FILE SECTION. 000190 FD FILE01. 000200 01 PRINTLINE PIC X(800). 000210 FD FILE02. 000220 01 QRINTLINE PIC X(800). 000230 FD FILE03. 000240 01 RRINTLINE PIC X(800). 000250 000260 WORKING-STORAGE SECTION. 000270 01 TEXT-OUT1 PIC X(29) VALUE 'Number of lights: 1'. 000280 01 TEXT-OUT2 PIC X(29) VALUE 'Type: Point'. 000290 01 TEXT-OUT3 PIC X(29) VALUE 'Position: A'. 000300 01 TEXT-OUT4 PIC X(29) VALUE 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA'. 000310 01 TEXT-OUT5 PIC X(29) VALUE ' -1 1'. 000320 01 TEXT-OUT6 PIC X(29) VALUE 'Direction: -1 -1 1'. 000330 01 TEXT-OUT7 PIC X(29) VALUE 'Color: 1 1 1'. 000340 01 TEXT-OUT8 PIC X(29) VALUE 'Intensity: 1'. 000350 01 TEXU-OUT1 PIC X(29) VALUE '0 0 A'. 000360 01 TEXU-OUT2 PIC X(29) VALUE 'A 1 1 1 0 0 0 1 1 0 1 1 1 1 1'. 000370 01 TEXU-OUT3 PIC X(29) VALUE '0 0 0 0 0 0 0'. 000380 01 TEXV-OUT1 PIC X(29) VALUE 'GFIG Version 0.2'. 000390 01 TEXV-OUT2 PIC X(29) VALUE 'Name: First\040Gfig'. 000400 01 TEXV-OUT3 PIC X(29) VALUE 'Version: 0.000000'. 000410 01 TEXV-OUT4 PIC X(29) VALUE 'ObjCount: 0'. 000420 01 TEXV-OUT5 PIC X(29) VALUE '<OPTIONS>'. 000430 01 TEXV-OUT6 PIC X(29) VALUE 'GridSpacing: 30'. 000440 01 TEXV-OUT7 PIC X(29) VALUE 'GridType: RECT_GRID'. 000450 01 TEXV-OUT8 PIC X(29) VALUE 'DrawGrid: FALSE'. 000460 01 TEXV-OUT9 PIC X(29) VALUE 'Snap2Grid: FALSE'. 000470 01 TEXV-OUTA PIC X(29) VALUE 'LockOnGrid: FALSE'. 000480 01 TEXV-OUTB PIC X(29) VALUE 'ShowControl: TRUE'. 000490 01 TEXV-OUTC PIC X(29) VALUE '</OPTIONS>'. 000500 01 TEXV-OUTD PIC X(29) VALUE '<Style Base>'. 000510 01 TEXV-OUTE PIC X(29) VALUE 'BrushName: Circle (11)'. 000520 01 TEXV-OUTF PIC X(29) VALUE 'PaintType: 1'. 000530 01 TEXV-OUTG PIC X(29) VALUE 'FillType: 0'. 000540 01 TEXV-OUTH PIC X(29) VALUE 'FillOpacity: 100'. 000550 01 TEXV-OUTI PIC X(29) VALUE 'Pattern: Pine'. 000560 01 TEXV-OUTJ PIC X(29) VALUE 'Gradient: FG to BG (RGB)'. 000570 01 TEXV-OUTK PIC X(29) VALUE 'Foreground: A'. 000580 01 TEXV-OUTL PIC X(29) VALUE 'AA 0 0 1'. 000590 01 TEXV-OUTM PIC X(29) VALUE 'Background: 1 1 1 1'. 000600 01 TEXV-OUTN PIC X(29) VALUE '</Style>'. 000610 000620 PROCEDURE DIVISION. 000630 MAIN-PARAGRAPH. 000640* 1. FILTERS > LIGHT AND SHADOW > LIGHTING EFFECTS > LIGHT > OPEN 000650 OPEN OUTPUT FILE01. 000660 WRITE PRINTLINE FROM TEXT-OUT1. 000670 WRITE PRINTLINE FROM TEXT-OUT2. 000680 WRITE PRINTLINE FROM TEXT-OUT3 AFTER ADVANCING 0 LINES. 000690 WRITE PRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 000700 WRITE PRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 000710 WRITE PRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 000720 WRITE PRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 000730 WRITE PRINTLINE FROM TEXT-OUT5. 000740 WRITE PRINTLINE FROM TEXT-OUT6. 000750 WRITE PRINTLINE FROM TEXT-OUT7. 000760 WRITE PRINTLINE FROM TEXT-OUT8. 000770 CLOSE FILE01. 000780 000790* 2. FILTERS > RENDER > SPHERE DESIGNER > OPEN 000800 OPEN OUTPUT FILE02. 000810 WRITE QRINTLINE FROM TEXU-OUT1 AFTER ADVANCING 0 LINES. 000820 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 000830 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 000840 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 000850 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 000860 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 000870 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 000880 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 000890 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 000900 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 000910 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 000920 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 000930 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 000940 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 000950 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 000960 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 000970 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 000980 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 000990 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 001000 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 001010 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 001020 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 001030 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 001040 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 001050 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 001060 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 001070 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 001080 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 001090 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 001100 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 001110 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 001120 WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 001130 WRITE QRINTLINE FROM TEXU-OUT2 AFTER ADVANCING 0 LINES. 001140 WRITE QRINTLINE FROM TEXU-OUT3. 001150 CLOSE FILE02. 001160 001170* 3. FILTERS > RENDER > GFIG > FILE > OPEN 001180 OPEN OUTPUT FILE03. 001190 WRITE RRINTLINE FROM TEXV-OUT1. 001200 WRITE RRINTLINE FROM TEXV-OUT2. 001210 WRITE RRINTLINE FROM TEXV-OUT3. 001220 WRITE RRINTLINE FROM TEXV-OUT4. 001230 WRITE RRINTLINE FROM TEXV-OUT5. 001240 WRITE RRINTLINE FROM TEXV-OUT6. 001250 WRITE RRINTLINE FROM TEXV-OUT7. 001260 WRITE RRINTLINE FROM TEXV-OUT8. 001270 WRITE RRINTLINE FROM TEXV-OUT9. 001280 WRITE RRINTLINE FROM TEXV-OUTA. 001290 WRITE RRINTLINE FROM TEXV-OUTB. 001300 WRITE RRINTLINE FROM TEXV-OUTC. 001310 WRITE RRINTLINE FROM TEXV-OUTD. 001320 WRITE RRINTLINE FROM TEXV-OUTE. 001330 WRITE RRINTLINE FROM TEXV-OUTF. 001340 WRITE RRINTLINE FROM TEXV-OUTG. 001350 WRITE RRINTLINE FROM TEXV-OUTH. 001360 WRITE RRINTLINE FROM TEXV-OUTI. 001370 WRITE RRINTLINE FROM TEXV-OUTJ. 001380 WRITE RRINTLINE FROM TEXV-OUTK AFTER ADVANCING 0 LINES. 001390 WRITE RRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 001400 WRITE RRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 001410 WRITE RRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES. 001420 WRITE RRINTLINE FROM TEXV-OUTL. 001430 WRITE RRINTLINE FROM TEXV-OUTM. 001440 WRITE RRINTLINE FROM TEXV-OUTN. 001450 CLOSE FILE03. 001460 001470* 4. THE FUNCTION "read_channel_data()" IN plug-ins/common/file-psp.c HAS AN 001480* OVERFLOW WHEN HANDLING PSP_COMP_RLE TYPE FILES. A MALICIOUS FILE THAT 001490* STARTS A LONG RUNCOUNT AT THE END OF AN IMAGE WILL WRITE OUTSIDE OF 001500* ALLOCATED MEMORY. WE DON'T HAVE A POC FOR THIS BUG. 001510 001520* HAPPY NEW YEAR!!! http://rock-madrid.com/ 001530 001540 STOP RUN.

Products Mentioned

Configuraton 0

Gimp>>Gimp >> Version 2.6.11

Références

http://www.debian.org/security/2012/dsa-2426
Tags : vendor-advisory, x_refsource_DEBIAN
http://security.gentoo.org/glsa/glsa-201209-23.xml
Tags : vendor-advisory, x_refsource_GENTOO
http://osvdb.org/70284
Tags : vdb-entry, x_refsource_OSVDB
http://www.vupen.com/english/advisories/2011/0016
Tags : vdb-entry, x_refsource_VUPEN
http://www.redhat.com/support/errata/RHSA-2011-0839.html
Tags : vendor-advisory, x_refsource_REDHAT
http://www.redhat.com/support/errata/RHSA-2011-0837.html
Tags : vendor-advisory, x_refsource_REDHAT
http://www.redhat.com/support/errata/RHSA-2011-0838.html
Tags : vendor-advisory, x_refsource_REDHAT
http://openwall.com/lists/oss-security/2011/01/04/7
Tags : mailing-list, x_refsource_MLIST
http://secunia.com/advisories/44750
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/42771
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/50737
Tags : third-party-advisory, x_refsource_SECUNIA
http://openwall.com/lists/oss-security/2011/01/03/2
Tags : mailing-list, x_refsource_MLIST
http://secunia.com/advisories/48236
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.mandriva.com/security/advisories?name=MDVSA-2011:103
Tags : vendor-advisory, x_refsource_MANDRIVA
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC) sont maintenues par MITRE Corporation, et les informations sur les configurations logicielles et matérielles (CPE) proviennent du NVD.