CVE-2017-6010
published 2017-02-16CVE-2017-6010: An issue was discovered in icoutils 0.31.1. A buffer overflow was observed in the "extract_icons" function in the "extract.c" source file. This issue can be…
medium5.5CVSS 3.0
AVLACLPRNUIRSUCNINAH
An issue was discovered in icoutils 0.31.1. A buffer overflow was observed in the "extract_icons" function in the "extract.c" source file. This issue can be triggered by processing a corrupted ico file and will result in an icotool crash.
Affected
21 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | icoutils | < icoutils 0.31.2-1 (bookworm) | icoutils 0.31.2-1 (bookworm) |
| icoutils_project | icoutils | — | — |
| icoutils_project | icoutils | >= 0 < 0.31.2-1 | 0.31.2-1 |
| icoutils_project | icoutils | >= 0 < 0.31.2-1 | 0.31.2-1 |
| icoutils_project | icoutils | >= 0 < 0.31.2-1 | 0.31.2-1 |
| icoutils_project | icoutils | >= 0 < 0.31.2-1 | 0.31.2-1 |
| icoutils_project | icoutils | >= 0 < 0.31.0-3ubuntu0.1 | 0.31.0-3ubuntu0.1 |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_server_aus | — | — |
| redhat | enterprise_linux_server_aus | — | — |
| redhat | enterprise_linux_server_aus | — | — |
| redhat | enterprise_linux_server_eus | — | — |
| redhat | enterprise_linux_server_eus | — | — |
| redhat | enterprise_linux_server_eus | — | — |
| redhat | enterprise_linux_server_eus | — | — |
| redhat | enterprise_linux_server_tus | — | — |
| redhat | enterprise_linux_server_tus | — | — |
| redhat | enterprise_linux_workstation | — | — |
CVSS provenance
nvdv3.05.5MEDIUMCVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
osv8.8HIGH
Ubuntu
icoutils vulnerabilities
vendor_ubuntu·2021-01-18·CVSS 8.8
CVE-2017-5332 [HIGH] icoutils vulnerabilities
Title: icoutils vulnerabilities
Summary: Several security issues were fixed in icoutils.
Choongwoo Han discovered that icoutils incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service
or execute arbitrary code. (CVE-2017-5208)
It was discovered that icoutils incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service
or execute arbitrary code. (CVE-2017-5331, CVE-2017-5332, CVE-2017-5333)
Jerzy Kramarz discovered that icoutils incorrectly handled certain files.
An attacker could possibly use this issue to cause a crash or execute
arbitrary code. (CVE-2017-6009, CVE-2017-6010)
Jerzy Kramarz discovered that icoutils incorrectly handled certain files.
An attacker could possibly use this issue
Ubuntu
icoutils vulnerabilities
vendor_ubuntu·2017-03-13
CVE-2017-6009 icoutils vulnerabilities
Title: icoutils vulnerabilities
Summary: icoutils could be made to crash or run programs as your login if it opened
a specially crafted file.
Jerzy Kramarz discovered that icoutils incorrectly handled memory when
processing certain files. If a user or automated system were tricked into
opening a specially crafted file, an attacker could cause icoutils to
crash, resulting in a denial of service, or possibly execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
icoutils: Buffer overflow in the extract_icons function
vendor_redhat·2017-02-03·CVSS 5.5
CVE-2017-6010 [MEDIUM] CWE-190 icoutils: Buffer overflow in the extract_icons function
icoutils: Buffer overflow in the extract_icons function
An issue was discovered in icoutils 0.31.1. A buffer overflow was observed in the "extract_icons" function in the "extract.c" source file. This issue can be triggered by processing a corrupted ico file and will result in an icotool crash.
A vulnerability was found in icoutils, in the icotool program. An attacker could create a crafted ICO or CUR file that, when read by icotool, could result in memory corruption leading to a crash or potential code execution.
Debian
CVE-2017-6010: icoutils - An issue was discovered in icoutils 0.31.1. A buffer overflow was observed in th...
vendor_debian·2017·CVSS 5.5
CVE-2017-6010 [MEDIUM] CVE-2017-6010: icoutils - An issue was discovered in icoutils 0.31.1. A buffer overflow was observed in th...
An issue was discovered in icoutils 0.31.1. A buffer overflow was observed in the "extract_icons" function in the "extract.c" source file. This issue can be triggered by processing a corrupted ico file and will result in an icotool crash.
Scope: local
bookworm: resolved (fixed in 0.31.2-1)
bullseye: resolved (fixed in 0.31.2-1)
forky: resolved (fixed in 0.31.2-1)
sid: resolved (fixed in 0.31.2-1)
trixie: resolved (fixed in 0.31.2-1)
GHSA
GHSA-7w3j-wxh4-94xw: An issue was discovered in icoutils 0
ghsa_unreviewed·2022-05-14
CVE-2017-6010 [MEDIUM] CWE-119 GHSA-7w3j-wxh4-94xw: An issue was discovered in icoutils 0
An issue was discovered in icoutils 0.31.1. A buffer overflow was observed in the "extract_icons" function in the "extract.c" source file. This issue can be triggered by processing a corrupted ico file and will result in an icotool crash.
OSV
icoutils vulnerabilities
osv·2021-01-18·CVSS 8.8
CVE-2017-5208 [HIGH] icoutils vulnerabilities
icoutils vulnerabilities
Choongwoo Han discovered that icoutils incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service
or execute arbitrary code. (CVE-2017-5208)
It was discovered that icoutils incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service
or execute arbitrary code. (CVE-2017-5331, CVE-2017-5332, CVE-2017-5333)
Jerzy Kramarz discovered that icoutils incorrectly handled certain files.
An attacker could possibly use this issue to cause a crash or execute
arbitrary code. (CVE-2017-6009, CVE-2017-6010)
Jerzy Kramarz discovered that icoutils incorrectly handled certain files.
An attacker could possibly use this issue to expose sensitive information.
(CVE-2017-6011)
OSV
CVE-2017-6010: An issue was discovered in icoutils 0
osv·2017-02-16·CVSS 5.5
CVE-2017-6010 [MEDIUM] CVE-2017-6010: An issue was discovered in icoutils 0
An issue was discovered in icoutils 0.31.1. A buffer overflow was observed in the "extract_icons" function in the "extract.c" source file. This issue can be triggered by processing a corrupted ico file and will result in an icotool crash.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-6009 CVE-2017-6010 CVE-2017-6011 icoutils: various flaws [epel-6]
bugzilla·2017-03-09·CVSS 5.5
CVE-2017-6009 [MEDIUM] CVE-2017-6009 CVE-2017-6010 CVE-2017-6011 icoutils: various flaws [epel-6]
CVE-2017-6009 CVE-2017-6010 CVE-2017-6011 icoutils: various flaws [epel-6]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-6.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template to for the 'fedpkg
Bugzilla
CVE-2017-6009 CVE-2017-6010 CVE-2017-6011 icoutils: various flaws [fedora-all]
bugzilla·2017-02-16·CVSS 5.5
CVE-2017-6009 [MEDIUM] CVE-2017-6009 CVE-2017-6010 CVE-2017-6011 icoutils: various flaws [fedora-all]
CVE-2017-6009 CVE-2017-6010 CVE-2017-6011 icoutils: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of
Bugzilla
CVE-2017-6010 icoutils: Buffer overflow in the extract_icons function
bugzilla·2017-02-16·CVSS 5.5
CVE-2017-6010 [MEDIUM] CVE-2017-6010 icoutils: Buffer overflow in the extract_icons function
CVE-2017-6010 icoutils: Buffer overflow in the extract_icons function
An issue was discovered in icoutils. A buffer overflow was observed in the "extract_icons" function in the "extract.c" sourcefile. This issue can be triggered by processing a corrupted ico file and will result in an icotool crash.
Discussion:
Created attachment 1250878
Reporter writeup
---
Created icoutils tracking bugs for this issue:
Affects: fedora-all [bug 1422911]
---
Created attachment 1256393
fixes memory issue triggered by number overflow
This patch should fix the issue.
---
Hi Martin
Has this been forwarded to upstream?
Regards,
Salvatore
---
Hi Salvatore, yes, I sent the patches to upstream but haven't received a reply yet.
---
Created icoutils tracking bugs for this issue:
Affects: epel-6 [bu
http://rhn.redhat.com/errata/RHSA-2017-0837.htmlhttp://www.debian.org/security/2017/dsa-3807http://www.securityfocus.com/bid/96288https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854054https://security.gentoo.org/glsa/201801-12http://rhn.redhat.com/errata/RHSA-2017-0837.htmlhttp://www.debian.org/security/2017/dsa-3807http://www.securityfocus.com/bid/96288https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854054https://security.gentoo.org/glsa/201801-12
2017-02-16
Published