Vulnerability Name:

CVE-2004-0782 (CCN-17385)

Assigned:2004-09-15
Published:2004-09-15
Updated:2018-10-19
Summary:Integer overflow in pixbuf_create_from_xpm (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, allows remote attackers to execute arbitrary code via certain n_col and cpp values that enable a heap-based buffer overflow.
Note: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0687).
CVSS v3 Severity:7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type:CWE-Other
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2004-0782

Source: CONECTIVA
Type: UNKNOWN
CLA-2004:875

Source: CCN
Type: Conectiva Linux Security Announcement CLSA-2004:875
Fixes for image loading vulnerabilities

Source: BUGTRAQ
Type: UNKNOWN
20040915 CESA-2004-005: gtk+ XPM decoder

Source: CCN
Type: RHSA-2004-447
gdk-pixbuf security update

Source: CCN
Type: RHSA-2004-466
gtk2 security update

Source: CCN
Type: Scary Beasts Security Advisory CESA-2004-005
gtk+-2.4.4 XPM image decoder parsing flaws

Source: MISC
Type: UNKNOWN
http://scary.beasts.org/security/CESA-2004-005.txt

Source: SECUNIA
Type: UNKNOWN
17657

Source: SUNALERT
Type: UNKNOWN
101776

Source: CCN
Type: CIAC Information Bulletin 0-216
"gtk2" Package Vulnerability

Source: CCN
Type: CIAC Information Bulletin 0-217
"gdk-pixbuf" Package vulnerability

Source: DEBIAN
Type: UNKNOWN
DSA-546

Source: DEBIAN
Type: DSA-546
gdk-pixbuf -- several vulnerabilities

Source: DEBIAN
Type: DSA-549
gtk+ -- several vulnerabilities

Source: CCN
Type: GLSA-200409-28
GTK+ 2, gdk-pixbuf: Multiple image decoding vulnerabilities

Source: CCN
Type: GTK+ Web site
GTK+ - The GIMP Toolkit

Source: CCN
Type: US-CERT VU#729894
GdkPixbuf XPM parser contains a heap overflow vulnerability

Source: CERT-VN
Type: US Government Resource
VU#729894

Source: MANDRAKE
Type: UNKNOWN
MDKSA-2004:095

Source: MANDRIVA
Type: UNKNOWN
MDKSA-2005:214

Source: REDHAT
Type: Patch, Vendor Advisory
RHSA-2004:447

Source: REDHAT
Type: Patch, Vendor Advisory
RHSA-2004:466

Source: FEDORA
Type: UNKNOWN
FLSA-2005:155510

Source: BID
Type: UNKNOWN
11195

Source: CCN
Type: BID-11195
GDK-Pixbuf Multiple Vulnerabilities

Source: FEDORA
Type: UNKNOWN
FLSA:2005

Source: XF
Type: UNKNOWN
gtk-xpm-xpmextractcolor-bo(17385)

Source: XF
Type: UNKNOWN
gtk-xpm-pixbufcreatefromxpm-bo(17386)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:11539

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:1617

Source: SUSE
Type: SUSE-SA:2004:032
apache2: remote denial-of-service

Source: SUSE
Type: SUSE-SA:2004:033
gtk2 gdk-pixbuf: remote code execution

Source: SUSE
Type: SUSE-SR:2004:003
SUSE Security Summary Report

Vulnerable Configuration:Configuration 1:
  • cpe:/a:gnome:gdkpixbuf:0.17:*:*:*:*:*:*:*
  • OR cpe:/a:gnome:gdkpixbuf:0.18:*:*:*:*:*:*:*
  • OR cpe:/a:gnome:gdkpixbuf:0.20:*:*:*:*:*:*:*
  • OR cpe:/a:gnome:gdkpixbuf:0.22:*:*:*:*:*:*:*
  • OR cpe:/a:gtk:gtk+:2.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:gtk:gtk+:2.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:gtk:gtk+:2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:gtk:gtk+:2.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:gtk:gtk+:2.2.4:*:*:*:*:*:*:*

  • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:*:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Vulnerability Name:

    CVE-2004-0782 (CCN-17386)

    Assigned:2004-09-15
    Published:2004-09-15
    Updated:2004-09-15
    Summary:Integer overflow in pixbuf_create_from_xpm (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, allows remote attackers to execute arbitrary code via certain n_col and cpp values that enable a heap-based buffer overflow.
    Note: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0687).
    CVSS v3 Severity:7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
    Exploitability Metrics:Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): None
    Scope:Scope (S): Unchanged
    Impact Metrics:Confidentiality (C): Low
    Integrity (I): Low
    Availability (A): Low
    CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
    Exploitability Metrics:Access Vector (AV): Network
    Access Complexity (AC): Low
    Authentication (Au): None
    Impact Metrics:Confidentiality (C): Partial
    Integrity (I): Partial
    Availability (A): Partial
    7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
    Exploitability Metrics:Access Vector (AV): Network
    Access Complexity (AC): Low
    Authentication (Au): None
    Impact Metrics:Confidentiality (C): Partial
    Integrity (I): Partial
    Availability (A): Partial
    Vulnerability Consequences:Gain Access
    References:Source: MITRE
    Type: CNA
    CVE-2004-0782

    Source: CCN
    Type: Conectiva Linux Security Announcement CLSA-2004:875
    Fixes for image loading vulnerabilities

    Source: CCN
    Type: RHSA-2004-447
    gdk-pixbuf security update

    Source: CCN
    Type: RHSA-2004-466
    gtk2 security update

    Source: CCN
    Type: CIAC Information Bulletin 0-216
    "gtk2" Package Vulnerability

    Source: CCN
    Type: CIAC Information Bulletin 0-217
    "gdk-pixbuf" Package vulnerability

    Source: DEBIAN
    Type: DSA-546
    gdk-pixbuf -- several vulnerabilities

    Source: DEBIAN
    Type: DSA-549
    gtk+ -- several vulnerabilities

    Source: CCN
    Type: GLSA-200409-28
    GTK+ 2, gdk-pixbuf: Multiple image decoding vulnerabilities

    Source: CCN
    Type: GTK+ Web site
    GTK+ - The GIMP Toolkit

    Source: CCN
    Type: US-CERT VU#729894
    GdkPixbuf XPM parser contains a heap overflow vulnerability

    Source: CCN
    Type: BID-11195
    GDK-Pixbuf Multiple Vulnerabilities

    Source: XF
    Type: UNKNOWN
    gtk-xpm-pixbufcreatefromxpm-bo(17386)

    Source: SUSE
    Type: SUSE-SA:2004:032
    apache2: remote denial-of-service

    Source: SUSE
    Type: SUSE-SA:2004:033
    gtk2 gdk-pixbuf: remote code execution

    Source: SUSE
    Type: SUSE-SR:2004:003
    SUSE Security Summary Report

    Vulnerable Configuration:Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:*:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:gtk:gtk+:2.4.4:*:*:*:*:*:*:*
  • OR cpe:/a:gnome:gdkpixbuf:*:*:*:*:*:*:*:*
  • AND
  • cpe:/o:suse:suse_linux:*:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:3.0:*:*:*:*:*:*:*
  • OR cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:8.1:*:*:*:*:*:*:*
  • OR cpe:/o:suse:linux_enterprise_server:8:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:2.1:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:ws:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:8.2:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:aw:*:*:*:*:*
  • OR cpe:/o:conectiva:linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:9.2:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::ws:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::as:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:10.0:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.1:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::desktop:*:*:*:*:*
  • OR cpe:/o:conectiva:linux:10:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:1.0:*:desktop:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux_advanced_workstation:2.1:*:itanium:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2006:*:*:*:*:*:*:*
  • OR cpe:/o:suse:linux_enterprise_server:9:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2006:*:x86-64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0:*:x86_64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:9.2:*:amd64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:10.0:*:amd64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:2.1:*:x86_64:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID | Class | Title | Last Modified
    oval:org.opensuse.security:def:20040782 | V | CVE-2004-0782 | 2017-09-27
    oval:org.mitre.oval:def:11539 | V | Integer overflow in pixbuf_create_from_xpm (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, allows remote attackers to execute arbitrary code via certain n_col and cpp values that enable a heap-based buffer overflow. NOTE: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0687). | 2013-04-29
    oval:org.mitre.oval:def:1617 | V | XPM Image Decoder Buffer Overflow | 2011-05-09
    oval:org.debian:def:549 | V | several vulnerabilities | 2004-09-17
    oval:org.debian:def:546 | V | several vulnerabilities | 2004-09-16
    oval:com.redhat.rhsa:def:20040447 | P | RHSA-2004:447: gdk-pixbuf security update (Important) | 2004-09-15
    oval:com.redhat.rhsa:def:20040466 | P | RHSA-2004:466: gtk2 security update (Important) | 2004-09-15
    gnome gdkpixbuf 0.17
    gnome gdkpixbuf 0.18
    gnome gdkpixbuf 0.20
    gnome gdkpixbuf 0.22
    gtk gtk+ 2.0.2
    gtk gtk+ 2.0.6
    gtk gtk+ 2.2.1
    gtk gtk+ 2.2.3
    gtk gtk+ 2.2.4
    gtk gtk+ 2.4.4
    gnome gdkpixbuf *
    suse suse linux *
    debian debian linux 3.0
    gentoo linux *
    suse suse linux 8.1
    suse linux enterprise server 8
    mandrakesoft mandrake linux corporate server 2.1
    redhat enterprise linux 2.1
    redhat enterprise linux 2.1
    redhat enterprise linux 2.1
    suse suse linux 8.2
    redhat enterprise linux 2.1
    conectiva linux 9.0
    suse suse linux 9.0
    mandrakesoft mandrake linux 9.2
    redhat enterprise linux 3
    redhat enterprise linux 3
    redhat enterprise linux 3
    mandrakesoft mandrake linux 10.0
    suse suse linux 9.1
    redhat enterprise linux 3
    conectiva linux 10
    suse suse linux 1.0
    mandrakesoft mandrake linux corporate server 3.0
    redhat linux advanced workstation 2.1
    mandrakesoft mandrake linux 2006
    suse linux enterprise server 9
    mandrakesoft mandrake linux 2006
    mandrakesoft mandrake linux corporate server 3.0
    mandrakesoft mandrake linux 9.2
    mandrakesoft mandrake linux 10.0
    mandrakesoft mandrake linux corporate server 2.1