Network Security Vuln-Dev
CESA-2004-004: qt

Subject: CESA-2004-004: qt
Date: Thu, 19 Aug 2004 00:35:39 +0100 (BST)

CESA-2004-004 - rev 3

http://scary.beasts.org/security/CESA-2004-004.txt

qt 3.3.2 BMP parser heap overflow error
=======================================

Programs:          qt, and any programs which use qt to decode BMP files. For
                   example, KDE (including konqueror).
Severity:          Possible compromise of account used to browse malicious BMP
                   files.
CAN identifier(s): CAN-2004-0691

This advisory notes a code flaw discovered by inspection of the qt code.
The specific version of qt discussed is v3.3.2.
qt-3.3.3 has already been released and it contains a fix for this issue.

Flaw 1. Heap-based overflow in read_dib (qimage.cpp).

The handling of 8-bit RLE encoded BMP files is faulty. Interestingly, the 4-bit
RLE encoding handling seems to have the required safety checks.
a) User supplied length used to read into heap buffer without adequate bounds
checking:
     default:    // absolute mode
          if ( d->readBlock( (char *)p, b ) != b )
b) User supplied length used to memset() a piece of heap buffer without
adequate bounds checking:
    } else {      // encoded mode
        memset( p, d->getch(), b ); // repeat pixel
c) User supplied delta pixel co-ordinates used without range checking:
      case 2:     // delta (jump)
          x += d->getch();
          y += d->getch();
          p = line[h-y-1] + x;

Demo BMP: http://scary.beasts.org/misc/bad.bmp (flaw 1a).
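As an added illustration (not part of this advisory or of qt's source), the following BI_RLE8 decoder applies the checks that flaws 1a, 1b and 1c lack: the absolute-mode run length, the encoded-mode repeat count and the delta jump are each range-checked against the image bounds before they are used to index the heap buffer. The case structure mirrors the read_dib fragments quoted above; the escape codes (0 end of line, 1 end of bitmap, 2 delta) are the standard BMP RLE8 ones.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Decode a BI_RLE8 pixel stream into a w*h, 8-bit-per-pixel buffer stored
// bottom-up as in BMP (row h-y-1 holds scan line y, as in read_dib).
// Every user-controlled length or offset is range-checked before it is used
// to index the heap buffer; any violation or truncated input returns false.
bool decodeRle8(const std::vector<uint8_t>& in, int w, int h,
                std::vector<uint8_t>& out) {
    if (w <= 0 || h <= 0) return false;
    out.assign(static_cast<size_t>(w) * h, 0);
    int x = 0, y = 0;
    size_t i = 0;
    while (i + 1 < in.size()) {                  // need an opcode byte plus one more
        uint8_t b = in[i++];
        if (b != 0) {                            // encoded mode: repeat next pixel b times
            if (y >= h || x + b > w) return false;          // check missing in flaw 1b
            memset(&out[static_cast<size_t>(h - y - 1) * w + x], in[i++], b);
            x += b;
            continue;
        }
        uint8_t code = in[i++];
        if (code == 0) {                         // end of line
            x = 0; ++y;
        } else if (code == 1) {                  // end of bitmap
            return true;
        } else if (code == 2) {                  // delta (jump)
            if (i + 2 > in.size()) return false;
            int dx = in[i++];
            int dy = in[i++];
            if (x + dx > w || y + dy > h) return false;     // check missing in flaw 1c
            x += dx; y += dy;
        } else {                                 // absolute mode: 'code' literal pixels
            if (y >= h || x + code > w) return false;       // check missing in flaw 1a
            if (i + code > in.size()) return false;         // truncated run
            memcpy(&out[static_cast<size_t>(h - y - 1) * w + x], &in[i], code);
            i += code; x += code;
            if (code & 1) ++i;                   // absolute runs are padded to 16 bits
        }
    }
    return false;                                // input ended without end-of-bitmap
}
```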


CESA-2004-004 - rev 3
Chris Evans
chris@scary.beasts.org

[Advertisement: I am interested in moving into a security related field
 full-time. E-mail me to discuss.]
