MidnightBSD

Advisories for icoutils_project

CVE-2017-5208 MEDIUM

Integer overflow in the wrestool program in icoutils before 0.31.1 allows remote attackers to cause a denial of service (memory corruption) via a crafted executable, which triggers a denial of service (application crash) or the possibility of execution of arbitrary code.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
icoutils_project icoutils *
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_server_eus 7.3
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_server_eus 7.5
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_eus 7.6
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_desktop 7.0
CVE-2017-5331 MEDIUM

Integer overflow in the check_offset function in b/wrestool/fileread.c in icoutils before 0.31.1 allows local users to cause a denial of service (process crash) and execute arbitrary code via a crafted executable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
icoutils_project icoutils *
opensuse opensuse 13.2
opensuse leap 42.2
canonical ubuntu_linux 12.04
debian debian_linux 8.0
debian debian_linux 9.0
opensuse leap 42.1
CVE-2017-5332 MEDIUM

The extract_group_icon_cursor_resource in wrestool/extract.c in icoutils before 0.31.1 can access unallocated memory, which allows local users to cause a denial of service (process crash) and execute arbitrary code via a crafted executable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
icoutils_project icoutils *
redhat enterprise_linux 7.0
debian debian_linux 10.0
redhat enterprise_linux_server_aus 7.6
canonical ubuntu_linux 12.04
redhat enterprise_linux_server_eus 7.3
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_server_eus 7.5
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_server_tus 7.7
opensuse opensuse 13.2
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_server_eus 7.7
opensuse leap 42.2
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.4
debian debian_linux 9.0
opensuse leap 42.1
redhat enterprise_linux_desktop 7.0
CVE-2017-5333 MEDIUM

Integer overflow in the extract_group_icon_cursor_resource function in b/wrestool/extract.c in icoutils before 0.31.1 allows local users to cause a denial of service (process crash) or execute arbitrary code via a crafted executable file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
icoutils_project icoutils *
redhat enterprise_linux 7.0
debian debian_linux 10.0
redhat enterprise_linux_server_aus 7.6
canonical ubuntu_linux 12.04
redhat enterprise_linux_server_eus 7.3
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_server_eus 7.5
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_server_tus 7.7
opensuse opensuse 13.2
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_server_eus 7.7
opensuse leap 42.2
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.4
debian debian_linux 9.0
opensuse leap 42.1
redhat enterprise_linux_desktop 7.0
CVE-2017-6009 MEDIUM

An issue was discovered in icoutils 0.31.1. A buffer overflow was observed in the "decode_ne_resource_id" function in the "restable.c" source file. This is happening because the "len" parameter for memcpy is not checked for size and thus becomes a negative integer in the process, resulting in a failed memcpy. This affects wrestool.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_server_eus 7.3
redhat enterprise_linux_workstation 7.0
icoutils_project icoutils 0.31.1
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_server_eus 7.5
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_eus 7.6
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.4
debian debian_linux 9.0
redhat enterprise_linux_desktop 7.0
CVE-2017-6010 MEDIUM

An issue was discovered in icoutils 0.31.1. A buffer overflow was observed in the "extract_icons" function in the "extract.c" source file. This issue can be triggered by processing a corrupted ico file and will result in an icotool crash.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_server_eus 7.3
redhat enterprise_linux_workstation 7.0
icoutils_project icoutils 0.31.1
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_server_eus 7.5
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_eus 7.6
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.4
debian debian_linux 9.0
redhat enterprise_linux_desktop 7.0
CVE-2017-6011 MEDIUM

An issue was discovered in icoutils 0.31.1. An out-of-bounds read leading to a buffer overflow was observed in the "simple_vec" function in the "extract.c" source file. This affects icotool.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_server_eus 7.3
redhat enterprise_linux_workstation 7.0
icoutils_project icoutils 0.31.1
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_server_eus 7.5
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_eus 7.6
debian debian_linux 8.0
redhat enterprise_linux_server_aus 7.4
debian debian_linux 9.0
redhat enterprise_linux_desktop 7.0