Multiple integer overflows in CamlImages 2.2 and earlier might allow context-dependent attackers to execute arbitrary code via a crafted PNG image with large width and height values that trigger a heap-based buffer overflow in the (1) read_png_file or (2) read_png_file_as_rgb24 function.
Vector
NETWORK
Complexity
LOW
Authentication
NONE
Confidentiality
PARTIAL
Integrity
PARTIAL
Availability
PARTIAL
| Advisory | Patch | Confirmed | Link |
|---|---|---|---|
| ADV-2009-1874 | |||
| 35556 | |||
| 20090702 [oCERT-2009-009] CamlImages integer overflows | |||
| http://www.ocert.org/advisories/ocert-2009-009.html | |||
| DSA-1832 |