BMP file
.text:0002F298 MOV R1, #3
.text:0002F29C MOV R2, R9
.text:0002F2A0 MOV R3, R11
.text:0002F2A4 STR R12, [SP,#0x48+var_3C]
.text:0002F2A8 BL _ImageDecoder19chooseFromOneChoice ; ImageDecoder::chooseFromOneChoice(SkBitmap::Config,int,int)
Bitmap::setConfig():
.text:0002F2B8 MOV R0, R7 ; R7 = SkBitmap
.text:0002F2BC MOV R1, #3
* Verbose description
The BMP file format allows run-length encoding (RLE) for 4- and 8-bit
bitmaps. The RLE variant used in BMP has additional features: moving the
decompression write pointer to the end of the current line (bytes 00 00),
skipping to the end of the bitmap (00 01), and moving the write pointer to
another line and column (00 02 XX YY).
Opera has an ultra-slow implementation of the 00 02 XX YY feature.
Secunia Research has discovered a vulnerability in Microsoft Office,
which can be exploited by malicious people to compromise a user's
system.
The vulnerability is caused by an integer overflow when processing the
number of colours used in a bitmap image. This can be exploited to cause
a heap-based buffer overflow via a specially crafted bitmap image.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is caused by an integer overflow error within the
"ReadImage()" function in plug-ins/file-bmp/bmp-read.c. This can be
exploited to cause a heap-based buffer overflow by e.g. tricking a
user into opening a specially crafted BMP file.
======================================================================
5) Solution
Fixed in the GIT repository.
> Moreover, I would suggest that exec()ing a suid/sgid binary should
> reset *everything* which is not explicitly specified as being
> preserved.
>
Specified with what? Do open files fall into this category? Does blocked signal
bitmap fall into it? What exactly are you going to reset?
--
Sincerely Your, Dan.
versions of Microsoft Corp.'s Windows operating system could allow an
attacker to execute arbitrary code with the privileges of the current
user.
The vulnerability occurs when parsing a header structure that describes
a bitmap contained in the file. Several values from this header are
used in an arithmetic operation that calculates the number of bytes to
allocate for a heap buffer. This calculation can overflow, which
results in an undersized heap buffer being allocated. This buffer is
then overflowed with data from the file.
guard against directory traversal. Under certain circumstances, an
attacker may be able to load files or steal session data. Ubuntu is not
vulnerable in the default installation. (CVE-2008-0418)
Flaws were discovered in the BMP decoder. By tricking a user into
opening a specially crafted BMP file, an attacker could obtain
sensitive information. (CVE-2008-0420)
Updated packages for Ubuntu 6.06 LTS:
GIF files.
* Verbose
The BMP format has a field in the BITMAPINFOHEADER named biClrUsed, which
says how many colours the palette contains. If this field is 0, a
256-colour palette is used. When the field is not 0, the palette has the
given number of colours.
Both browsers either allocate to just the "right" amount of memory
Multiple integer overflows in libgdiplus 2.6.7, as used in Mono,
allow attackers to execute arbitrary code via (1) a crafted TIFF
file, related to the gdip_load_tiff_image function in tiffcodec.c;
(2) a crafted JPEG file, related to the gdip_load_jpeg_image_internal
function in jpegcodec.c; or (3) a crafted BMP file, related to the
gdip_read_bmp_image function in bmpcodec.c, leading to heap-based
buffer overflows (CVE-2010-1526).
The updated packages have been patched to correct this issue.
_______________________________________________________________________
browser. A malicious website could exploit this to steal the user's
history information, crash the browser and/or possibly execute
arbitrary code with the user's privileges. (CVE-2008-0419)
Michal Zalewski discovered flaws with timer-enabled security dialogs.
A malicious website could force the user to confirm a security dialog
without explicit consent. (CVE-2008-0591)
necessary changes.
Details follow:
Stefan Cornelius discovered that GIMP did not correctly handle certain
malformed BMP files. If a user were tricked into opening a specially
crafted BMP file, an attacker could execute arbitrary code with the user's
privileges. (CVE-2009-1570)
Stefan Cornelius discovered that GIMP did not correctly handle certain
malformed PSD files. If a user were tricked into opening a specially
Remote exploitation of a heap buffer overflow vulnerability in the
"BMPIMP32.FLT" filter module, as distributed with Microsoft Office,
allows attackers to execute arbitrary code.
The vulnerability specifically exists in the handling of Windows Bitmap
(BMP) image files with malformed headers. By specifying a very large
number of colors in the header, it is possible to cause controllable
heap corruption, which can be leveraged to execute arbitrary code.
III. ANALYSIS
A vulnerability was discovered and corrected in gimp:
Integer overflow in the ReadImage function in
plug-ins/file-bmp/bmp-read.c in GIMP 2.6.7 might allow remote attackers
to execute arbitrary code via a BMP file with crafted width and height
values that trigger a heap-based buffer overflow (CVE-2009-1570).
This update provides a solution to this vulnerability.
_______________________________________________________________________
we found all current versions to be lacking, as they use the getimagesize
function to set headers. The files (1) and (2) were able to bypass that defense.
Both WBB lite and WBB did not guard sufficiently against file (2) - the
obfuscated JS in a valid bitmap - and delivered it with the incorrect header
"image/bmp". The software filtered only the presence of "<script>" tags,
making it easy to evade the blacklist.
vBulletin uses a blacklist to guard against mime sniffing. We found no HTML tag
The version used in our tests is XnView 1.97.4 running on Windows 2000
SP4. By enticing the user of XnView to open a specially crafted file, a
remote attacker may exploit this vulnerability to gain arbitrary code
execution.
The MBM file format (shortened from MultiBitMap) is a container for a
set of bitmap images. MBM files are used by most Symbian applications to
store their graphical content. MBM files can be created with the BMCONV
tool which is supplied with any Symbian (and EPOC) SDK.
VUPEN Vulnerability Research Team discovered a critical vulnerability in
Adobe Acrobat and Reader.
This vulnerability is caused by a buffer overflow error when processing
malformed BitMap (BMP) data, which could be exploited by attackers to
execute arbitrary code by tricking a user into opening a specially crafted
PDF document.
III. AFFECTED PRODUCTS
unchanged. For any file descriptor that is closed for this reason,
file locks are removed as a result of the close as described in
close(). Locks that are not removed by closing of file descriptors
remain unchanged.
> Does blocked signal bitmap fall into it?
Yes.
From the above link: