CVE-2005-3350
published 2005-11-04
CVE-2005-3350: libungif library before 4.1.0 allows attackers to corrupt memory and possibly execute arbitrary code via a crafted GIF file that leads to an out-of-bounds…
PriorityP433high7.5CVSS 2.0
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
4.42%
90.1th percentile
libungif library before 4.1.0 allows attackers to corrupt memory and possibly execute arbitrary code via a crafted GIF file that leads to an out-of-bounds write.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | giflib | < giflib 4.1.4-1 (bookworm) | giflib 4.1.4-1 (bookworm) |
| giflib_project | giflib | >= 0 < 4.1.4-1 | 4.1.4-1 |
| giflib_project | giflib | >= 0 < 4.1.4-1 | 4.1.4-1 |
| giflib_project | giflib | >= 0 < 4.1.4-1 | 4.1.4-1 |
| giflib_project | giflib | >= 0 < 4.1.4-1 | 4.1.4-1 |
| libungif | libungif | <= 4.1 | — |
| libungif | libungif | — | — |
CVSS provenance
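| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |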
Ubuntu
libungif vulnerabilities
vendor_ubuntu·2005-11-07
CVE-2005-2974 libungif vulnerabilities
Chris Evans discovered several buffer overflows in the libungif
library. By tricking a user (or automated system) into processing a
specially crafted GIF image, this could be exploited to execute
arbitrary code with the privileges of the application using libungif.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
giflib/libunfig: memory corruption via a crafted GIF
vendor_redhat·2005-11-03·CVSS 7.5
CVE-2005-3350 [HIGH] giflib/libunfig: memory corruption via a crafted GIF
libungif library before 4.1.0 allows attackers to corrupt memory and possibly execute arbitrary code via a crafted GIF file that leads to an out-of-bounds write.
Debian
CVE-2005-3350: giflib - libungif library before 4.1.0 allows attackers to corrupt memory and possibly ex...
vendor_debian·2005·CVSS 7.5
CVE-2005-3350 [HIGH] CVE-2005-3350: giflib - libungif library before 4.1.0 allows attackers to corrupt memory and possibly ex...
libungif library before 4.1.0 allows attackers to corrupt memory and possibly execute arbitrary code via a crafted GIF file that leads to an out-of-bounds write.
Scope: local
bookworm: resolved (fixed in 4.1.4-1)
bullseye: resolved (fixed in 4.1.4-1)
forky: resolved (fixed in 4.1.4-1)
sid: resolved (fixed in 4.1.4-1)
trixie: resolved (fixed in 4.1.4-1)
GHSA
GHSA-mh2j-cpx3-ww24: libungif library before 4
ghsa_unreviewed·2022-05-01
CVE-2005-3350 [HIGH] GHSA-mh2j-cpx3-ww24: libungif library before 4
libungif library before 4.1.0 allows attackers to corrupt memory and possibly execute arbitrary code via a crafted GIF file that leads to an out-of-bounds write.
OSV
CVE-2005-3350: libungif library before 4
osv·2005-11-04·CVSS 7.5
CVE-2005-3350 [HIGH] CVE-2005-3350: libungif library before 4
libungif library before 4.1.0 allows attackers to corrupt memory and possibly execute arbitrary code via a crafted GIF file that leads to an out-of-bounds write.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2005-3350 giflib/libunfig: memory corruption via a crafted GIF
bugzilla·2009-04-08·CVSS 2.6
CVE-2005-3350 [LOW] CVE-2005-3350 giflib/libunfig: memory corruption via a crafted GIF
Common Vulnerabilities and Exposures assigned an identifier CVE-2005-3350 to the following vulnerability:
libungif library before 4.1.0 allows attackers to corrupt memory and possibly
execute arbitrary code via a crafted GIF file that leads to an out-of-bounds
write.
References:
http://scary.beasts.org/security/CESA-2005-007.txt
http://sourceforge.net/project/shownotes.php?release_id=364493
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=171413
Discussion:
Created attachment 338675
Chris Evans' PoC - bad2.gif
Source: http://scary.beasts.org/security/CESA-2005-007.txt
Crash can be reproduced using e.g. gif2ps from giflib-utils
---
Created attachment 338676
Chris Evans' PoC - bad3.gif
Source: http://scary.beast
Bugzilla
CVE-2005-2974 Several libungif issues (CVE-2005-3350)
bugzilla·2005-10-21·CVSS 2.6
CVE-2005-2974 [LOW] CVE-2005-2974 Several libungif issues (CVE-2005-3350)
+++ This bug was initially created as a clone of Bug #171413 +++
Chris Evans reported several issues with libungif to vendor-sec. They have been
fixed in libungif-4.1.4, but not noted as security issues.
"I believe that the recently released libungif-4.1.4 fixes these
crashes. Credit here must go to Daniel Eisenbud who independently
noticed libungif crashes _and_ patched it to fix it."
Discussion:
This issue should also affect FC3
---
bad1.gif triggers a NULL dereference crash
CVE-2005-2974 libungif NULL pointer deref
bad2 and bad3 trigger out of bounds memory access crashes. bad2 may
possibly allow for arbitrary code execution as it's an OOB write.
CVE-2005-3350 libungif OOB access
---
Lifting embargo
---
From User-Agent: X
Bugzilla
CVE-2005-2974 Several libungif issues (CVE-2005-3350)
bugzilla·2005-10-21·CVSS 2.6
CVE-2005-2974 [LOW] CVE-2005-2974 Several libungif issues (CVE-2005-3350)
Chris Evans reported several issues with libungif to vendor-sec. They have been
fixed in libungif-4.1.4, but not noted as security issues.
"I believe that the recently released libungif-4.1.4 fixes these
crashes. Credit here must go to Daniel Eisenbud who independently
noticed libungif crashes _and_ patched it to fix it."
Discussion:
These issues should also affect RHEL2.1 and RHEL3
---
bad1.gif triggers a NULL dereference crash
CVE-2005-2974 libungif NULL pointer deref
bad2 and bad3 trigger out of bounds memory access crashes. bad2 may
possibly allow for arbitrary code execution as it's an OOB write.
CVE-2005-3350 libungif OOB access
---
Created attachment 120493
Patch which fixes these issues.
---
Lifting embargo
---
An adv
References
http://bugs.gentoo.org/show_bug.cgi?id=109997
http://scary.beasts.org/security/CESA-2005-007.txt
http://secunia.com/advisories/17436
http://secunia.com/advisories/17438
http://secunia.com/advisories/17442
http://secunia.com/advisories/17462
http://secunia.com/advisories/17482
http://secunia.com/advisories/17488
http://secunia.com/advisories/17497
http://secunia.com/advisories/17508
http://secunia.com/advisories/17559
http://secunia.com/advisories/34872
http://secunia.com/advisories/35164
http://securitytracker.com/id?1015149
http://sourceforge.net/project/shownotes.php?release_id=364493
http://www.debian.org/security/2005/dsa-890
http://www.gentoo.org/security/en/glsa/glsa-200511-03.xml
http://www.mandriva.com/security/advisories?name=MDKSA-2005:207
http://www.osvdb.org/20471
http://www.redhat.com/support/errata/RHSA-2005-828.html
http://www.redhat.com/support/errata/RHSA-2009-0444.html
http://www.securityfocus.com/archive/1/428059/100/0/threaded
http://www.securityfocus.com/archive/1/428059/30/6300/threaded
http://www.securityfocus.com/bid/15299
http://www.ubuntulinux.org/usn/usn-214-1
http://www.vupen.com/english/advisories/2005/2295
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=171413
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9314
https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00771.html
2005-11-04
Published