CVE-2005-2978: Missing Initialization of a Variable in Netpbm-free

Severity: 7.5 HIGH (NVD)
EPSS: 4.6% (top 10.77%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Oct 18
Latest update: May 1

Description

pnmtopng in netpbm before 10.25, when using the -trans option, uses uninitialized size and index variables when converting Portable Anymap (PNM) images to Portable Network Graphics (PNG), which might allow attackers to execute arbitrary code by modifying the stack.

CVSS vector

AV:N/AC:L/C:P/I:P/A:P
Exploitability: 10.0 | Impact: 6.4

Affected Packages (2 packages)

debian: debian/netpbm-free < netpbm-free 2:10.0-10 (bookworm)
NVD: netpbm/netpbm, 25 versions

🔴 Vulnerability Details (2)

GHSA: GHSA-xf4f-2rfr-r287: pnmtopng in netpbm before 10 (2022-05-01)
OSV: CVE-2005-2978: pnmtopng in netpbm before 10 (2005-10-18)

📋 Vendor Advisories (3)

Red Hat: security flaw (2005-10-18)
Ubuntu: netpbm vulnerability (2005-10-18)
Debian: CVE-2005-2978: netpbm-free - pnmtopng in netpbm before 10.25, when using the -trans option, uses uninitialize... (2005)

📐 Framework References (1)

CWE: Missing Initialization of a Variable

💬 Community (1)

Bugzilla: CVE-2005-2978 security flaw (2018-08-16)