
SWFTools: User-assisted execution of arbitrary code


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 201204-05 / SWFTools
Release Date April 17, 2012
Latest Revision April 18, 2012: 2
Impact normal
Exploitable remote
Package              Vulnerable versions   Unaffected versions   Architecture(s)
media-gfx/swftools   <= 0.9.1                                    All supported architectures

Related bugreports: #332649

Synopsis

A heap-based buffer overflow in SWFTools could result in the execution of arbitrary code.

2.  Impact Information

Background

SWFTools is a collection of SWF manipulation and generation utilities written by Rainer Böhme and Matthias Kramm.

Description

Integer overflow errors in the "getPNG()" function in png.c and the "jpeg_load()" function in jpeg.c could cause a heap-based buffer overflow.
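As an added illustration of the bug class named above (this is not SWFTools' code and not its fix): an image loader that derives its buffer size from width, height and bytes-per-pixel in 32-bit arithmetic wraps on large dimensions and then allocates a buffer far smaller than the pixel data it goes on to write, which is how an integer overflow turns into a heap-based buffer overflow. The checked variant rejects the request before allocating; MAX_IMAGE_BYTES is an assumed decoder policy limit, not a value from the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed decoder policy: refuse any image needing more than 256 MiB. */
#define MAX_IMAGE_BYTES ((size_t)256u << 20)

/* Unchecked size computation: width * height * bpp wraps modulo 2^32,
 * so a 65537 x 65536 8-bit image "needs" only 65536 bytes. */
uint32_t naive_image_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Checked version: returns 1 and stores the size on success,
 * 0 (with *out = 0) if any factor is zero, the product would
 * overflow size_t, or the result exceeds the policy cap. */
int checked_image_bytes(uint32_t width, uint32_t height, uint32_t bpp, size_t *out)
{
    *out = 0;
    if (width == 0 || height == 0 || bpp == 0)
        return 0;
    if ((size_t)width > SIZE_MAX / bpp)           /* row length overflow */
        return 0;
    size_t row = (size_t)width * bpp;
    if ((size_t)height > SIZE_MAX / row)          /* total size overflow */
        return 0;
    size_t total = row * height;
    if (total > MAX_IMAGE_BYTES)                  /* policy limit */
        return 0;
    *out = total;
    return 1;
}

/* Allocate pixel storage only when the size computation is sound. */
unsigned char *alloc_image(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n;
    if (!checked_image_bytes(width, height, bpp, &n))
        return NULL;
    return calloc(n, 1);
}

int main(void)
{
    printf("naive  65537x65536x1 -> %u bytes\n", naive_image_bytes(0x10001, 0x10000, 1));
    printf("checked 65537x65536x1 -> %s\n", alloc_image(0x10001, 0x10000, 1) ? "allocated" : "rejected");
    return 0;
}
```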

Impact

A remote attacker could entice a user to open a specially crafted PNG or JPEG file, possibly resulting in execution of arbitrary code with the privileges of the process, or a Denial of Service condition.

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

Gentoo discontinued support for SWFTools. We recommend that users unmerge swftools:

Code Listing 3.1: Resolution

  # emerge --unmerge "media-gfx/swftools"

NOTE: Users could upgrade to ">=media-gfx/swftools-0.9.1"; however, these packages are not currently stable.

4.  References




Page updated April 17, 2012

Summary: This is a Gentoo Linux Security Advisory


Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.