Bug 626821 (CVE-2010-1526)

Summary: CVE-2010-1526 libgdiplus: Integer overflows by loading 1, TIFF 2, JPEG and 3, BMP images
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: chkr, lxtnow
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-03-13 16:42:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 626829    
Bug Blocks:    

Description Jan Lieskovsky 2010-08-24 14:04:52 UTC
Three security flaws have been reported:
  [1] http://secunia.com/secunia_research/2010-102/

against libgdiplus (more from [1]):

1) An integer overflow error within the "gdip_load_tiff_image()"   
function in src/tiffcodec.c can be exploited to cause a heap-based 
buffer overflow by e.g. processing specially crafted TIFF images in 
an application using the library.

2) An integer overflow error within the "gdip_load_jpeg_image_internal()" 
function in src/jpegcodec.c can be exploited to cause a heap-based buffer 
overflow by e.g. processing  specially crafted JPEG images in an application 
using the library.

3) An integer overflow error within the "gdip_read_bmp_image()"
function in src/bmpcodec.c can be exploited to cause a heap-based
buffer overflow by e.g. processing specially crafted BMP images in an
application using the library.

CVE identifier of CVE-2010-1526 has been assigned to these issues.

References:
  [2] http://github.com/mono/libgdiplus

Upstream changeset:
  [3] http://github.com/mono/libgdiplus/commit/6779fbf994d5270720ccb1687ba8b004e20a1821

Comment 1 Jan Lieskovsky 2010-08-24 14:20:09 UTC
These issues affect the versions of libgdiplus package, as shipped
with Fedora release of 12 and 13. 

Please fix.

Comment 2 Jan Lieskovsky 2010-08-24 14:21:20 UTC
Created libgdiplus tracking bugs for this issue

Affects: fedora-all [bug 626829]