CVE-2017-5332: Buffer Overflow
First published: Wed Jan 11 2017(Updated: )
A vulnerability was found in icoutils in extract.c. It is possible to access unallocated memory via wrestool while parsing maliciously crafted file which would make the application crash or possibly allow code execution. References: <a href="http://seclists.org/oss-sec/2017/q1/56">http://seclists.org/oss-sec/2017/q1/56</a> Upstream patch: <a href="http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1aa9f28f7bcbdfff6a84a15ac8d9a87559b1596a">http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1aa9f28f7bcbdfff6a84a15ac8d9a87559b1596a</a>
Credit: security@debian.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/icoutils | <0.31.1 | 0.31.1 |
| icoutils | <0.31.1 | |
| Red Hat Enterprise Linux | =7.0 | |
| redhat enterprise Linux desktop | =7.0 | |
| redhat enterprise Linux server aus | =7.3 | |
| redhat enterprise Linux server aus | =7.4 | |
| redhat enterprise Linux server aus | =7.6 | |
| redhat enterprise Linux server aus | =7.7 | |
| redhat enterprise Linux server eus | =7.3 | |
| redhat enterprise Linux server eus | =7.4 | |
| redhat enterprise Linux server eus | =7.5 | |
| redhat enterprise Linux server eus | =7.6 | |
| redhat enterprise Linux server eus | =7.7 | |
| redhat enterprise Linux server tus | =7.3 | |
| redhat enterprise Linux server tus | =7.6 | |
| redhat enterprise Linux server tus | =7.7 | |
| redhat enterprise Linux workstation | =7.0 | |
| Ubuntu | =12.04 | |
| Debian | =8.0 | |
| Debian | =9.0 | |
| Debian | =10.0 | |
| openSUSE | =42.1 | |
| openSUSE | =42.2 | |
| openSUSE | =13.2 |
Remedy
https://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1aa9f28f7bcbdfff6a84a15ac8d9a87559b1596a
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://seclists.org/oss-sec/2017/q1/56
- http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1aa9f28f7bcbdfff6a84a15ac8d9a87559b1596a
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1412265
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1412266
- https://access.redhat.com/security/cve/CVE-2017-5333
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1412259
- https://rhn.redhat.com/errata/RHSA-2017-0837.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1412263
- http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00024.html
- http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00025.html
- http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00026.html
- http://rhn.redhat.com/errata/RHSA-2017-0837.html
- http://www.debian.org/security/2017/dsa-3765
- http://www.openwall.com/lists/oss-security/2017/01/11/3
- http://www.securityfocus.com/bid/95380
- http://www.ubuntu.com/usn/USN-3178-1
- https://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1aa9f28f7bcbdfff6a84a15ac8d9a87559b1596a
Frequently Asked Questions
What is the severity of CVE-2017-5332?
CVE-2017-5332 has a medium severity level as it can lead to application crashes or even allow code execution.
Which versions of icoutils are affected by CVE-2017-5332?
CVE-2017-5332 affects icoutils versions below 0.31.1.
How do I fix CVE-2017-5332?
To fix CVE-2017-5332, you need to upgrade icoutils to version 0.31.1 or later.
What potential impact does CVE-2017-5332 have on my system?
CVE-2017-5332 can allow unauthorized code execution and cause crashes within applications using the vulnerable icoutils tool.
Is there a workaround for CVE-2017-5332 if I cannot upgrade?
There is no specific workaround for CVE-2017-5332; upgrading to the patched version is the recommended solution.
- agent/type
- agent/first-publish-date
- agent/severity
- agent/references
- agent/remedy
- agent/author
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-5332
- agent/software-canonical-lookup
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/icoutils project
- canonical/icoutils
- vendor/redhat
- canonical/red hat enterprise linux
- version/red hat enterprise linux/7.0
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/7.0
- canonical/redhat enterprise linux server aus
- version/redhat enterprise linux server aus/7.3
- version/redhat enterprise linux server aus/7.4
- version/redhat enterprise linux server aus/7.6
- version/redhat enterprise linux server aus/7.7
- canonical/redhat enterprise linux server eus
- version/redhat enterprise linux server eus/7.3
- version/redhat enterprise linux server eus/7.4
- version/redhat enterprise linux server eus/7.5
- version/redhat enterprise linux server eus/7.6
- version/redhat enterprise linux server eus/7.7
- canonical/redhat enterprise linux server tus
- version/redhat enterprise linux server tus/7.3
- version/redhat enterprise linux server tus/7.6
- version/redhat enterprise linux server tus/7.7
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/7.0
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/12.04
- vendor/debian
- canonical/debian
- version/debian/8.0
- version/debian/9.0
- version/debian/10.0
- vendor/opensuse
- canonical/opensuse
- version/opensuse/42.1
- version/opensuse/42.2
- version/opensuse/13.2