GLSA
Advocate
Joined: 12 May 2004
Posts: 2663
|
 Posted: Sat Aug 22, 2009 9:26 am Post subject: [ GLSA 200908-10 ] Dillo: User-assisted execution of arbitra |
 |
|
Gentoo Linux Security Advisory
Title: Dillo: User-assisted execution of arbitrary code (GLSA 200908-10)
Severity: normal
Exploitable: remote
Date: August 18, 2009
Bug(s): #276432
ID: 200908-10
Synopsis
An integer overflow in the PNG handling of Dillo might result in the remote
execution of arbitrary code.
Background
Dillo is a graphical web browser known for its speed and small
footprint.
Affected Packages
Package: www-client/dillo
Vulnerable: < 2.1.1
Unaffected: >= 2.1.1
Architectures: All supported architectures
Description
Tilei Wang reported an integer overflow in the Png_datainfo_callback()
function, possibly leading to a heap-based buffer overflow.
Impact
A remote attacker could entice a user to open an HTML document
containing a specially crafted, large PNG image, possibly resulting in
the execution of arbitrary code with the privileges of the user running
the application.
Workaround
There is no known workaround at this time.
Resolution
All Dillo users should upgrade to the latest version:
| Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/dillo-2.1.1" |
References
CVE-2009-2294
Last edited by GLSA on Sun Nov 22, 2009 4:29 am; edited 1 time in total |
|
News & Announcements
