National Vulnerability Database

CVE-2007-5378 Detail

Description

Buffer overflow in the FileReadGIF function in tkImgGIF.c for Tk Toolkit 8.4.12 and earlier, and 8.3.5 and earlier, allows user-assisted attackers to cause a denial of service (segmentation fault) via an animated GIF in which the first subimage is smaller than a subsequent subimage, which triggers the overflow in the ReadImage function, a different vulnerability than CVE-2007-5137.

Source: MITRE
Last Modified: 10/11/2007

Quick Info

CVE Dictionary Entry: CVE-2007-5378
Original release date: 10/11/2007
Last revised: 09/28/2017
Source: US-CERT/NIST

Impact

CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 MEDIUM
Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
Impact Subscore: 2.9
Exploitability Subscore: 8.6

CVSS Version 2 Metrics:
Access Vector: Network exploitable - Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows disruption of service

Vendor Statements

Official Statement from Red Hat (10/16/2007)

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-5378

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

References to Advisories, Solutions, and Tools

Hyperlink | Resource Type | Source | Name
http://sunsolve.sun.com/search/document.do?assetkey=1-26-237465-1 | External Source | SUNALERT | 237465
http://www.attrition.org/pipermail/vim/2007-October/001826.html | External Source | VIM | 20071012 clarification on multiple Tk overflow issues
http://www.debian.org/security/2007/dsa-1415 | External Source | DEBIAN | DSA-1415
http://www.debian.org/security/2007/dsa-1416 | External Source | DEBIAN | DSA-1416
http://www.debian.org/security/2009/dsa-1743 | External Source | DEBIAN | DSA-1743
http://www.mandriva.com/security/advisories?name=MDKSA-2007:200 | External Source | MANDRIVA | MDKSA-2007:200
http://www.redhat.com/support/errata/RHSA-2008-0134.html | External Source | REDHAT | RHSA-2008:0134
http://www.redhat.com/support/errata/RHSA-2008-0135.html | External Source | REDHAT | RHSA-2008:0135
http://www.securityfocus.com/archive/1/archive/1/493080/100/0/threaded | External Source | BUGTRAQ | 20080604 VMSA-2008-0009 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion, VMware Server, VMware VIX API, VMware ESX, VMware ESXi resolve critical security issues
http://www.securityfocus.com/bid/26056 | External Source | BID | 26056
http://www.ubuntu.com/usn/usn-529-1 | External Source | UBUNTU | USN-529-1
http://www.vmware.com/security/advisories/VMSA-2008-0009.html | External Source | CONFIRM | http://www.vmware.com/security/advisories/VMSA-2008-0009.html
http://www.vupen.com/english/advisories/2008/1456/references | External Source | VUPEN | ADV-2008-1456
http://www.vupen.com/english/advisories/2008/1744 | External Source | VUPEN | ADV-2008-1744
https://exchange.xforce.ibmcloud.com/vulnerabilities/37189 | External Source | XF | tktoolkit-filereadgif-dos(37189)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9480 | External Source | OVAL | oval:org.mitre.oval:def:9480
https://sourceforge.net/tracker/?func=detail&atid=112997&aid=1458234&group_id=12997 | External Source | CONFIRM | https://sourceforge.net/tracker/?func=detail&atid=112997&aid=1458234&group_id=12997

References to Check Content

Identifier: oval:org.mitre.oval:def:9480
Check System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Hyperlink: http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:9480

Change History: 3 change records found