[Pkg-tcltk-devel] Bug#445303: CVE-2007-5137 arbitrary code execution via multi-frame interlaced GIF

Nico Golde nion at debian.org
Thu Oct 4 18:40:53 UTC 2007


Package: tk8.3
Version: 8.3.5-4
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for tk8.3.

CVE-2007-5137[0]:
| Buffer overflow in the ReadImage function in generic/tkImgGIF.c in Tcl
| (Tcl/Tk) before 8.4.16 allows remote attackers to execute arbitrary
| code via multi-frame interlaced GIF files in which later frames are
| smaller than the first.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

Attached is a patch to fix this vulnerability.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5137

Kind regards
Nico

-- 
Nico Golde - http://ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tkImgGIF.c.patch
Type: text/x-diff
Size: 345 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-tcltk-devel/attachments/20071004/ebc2fb3f/attachment.patch 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-tcltk-devel/attachments/20071004/ebc2fb3f/attachment.pgp 


More information about the Pkg-tcltk-devel mailing list