{"vuid":"VU#551436","idnumber":"551436","name":"Mozilla Firefox SVG viewer vulnerable to integer overflow","keywords":["Mozilla","Firefox","buffer overflow","SVG","wide stroke widths","seccode","INT30-C"],"overview":"The Mozilla SVG viewer contains an integer overflow vulnerability. This vulnerability may allow an attacker to execute arbitrary code, or create a denial-of-service condition.","clean_desc":"Scalable Vector Graphics (SVG) is an XML markup language for describing and displaying animated or static vector graphics. Mozilla Firefox includes a native SVG viewer; other Mozilla projects may use the Adobe SVG viewer. The Mozilla SVG viewer fails to properly validate size parameters supplied to a memory allocation routine, allowing an integer overflow to occur. This vulnerability could cause an undersized buffer to be allocated. When data is copied to that buffer, a heap-based buffer overflow may occur. An attacker may be able to exploit this vulnerability by convincing a user to go to a website that hosts a specially crafted SVG file. This vulnerability occurred as a result of failing to comply with rule INT30-C of the CERT C Programming Language Secure Coding Standard.","impact":"A remote, unauthenticated attacker may be able to execute arbitrary code, or create a denial-of-service condition.","resolution":"Upgrade\nSee Mozilla Foundation Security Advisory 2007-01 for information about affected clients.","workarounds":"Disable SVG\nUntil updates can be applied, disabling SVG in Mozilla Firefox may mitigate this vulnerability. See the Mozilla about:config guide for information on how to disable SVG.","sysaffected":"","thanks":"Mozilla credits Tom Ferris for reporting this vulnerability.","author":"This document was written by Ryan Giobbi.","public":["http://www.mozilla.org/security/announce/2007/mfsa2007-01.html","http://www.mozilla.org/projects/svg/","http://www.adobe.com/svg/","http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries#Miscellaneous","http://en.wikipedia.org/wiki/Scalable_Vector_Graphics","http://www.w3.org/TR/SVG/painting.html#StrokeProperties","http://secunia.com/advisories/24238/","http://secunia.com/advisories/24287/","http://secunia.com/advisories/24205/","http://secunia.com/advisories/24290/","http://secunia.com/advisories/24252/","http://secunia.com/advisories/24320/","http://secunia.com/advisories/24328/","http://secunia.com/advisories/24293/","http://secunia.com/advisories/24327/","http://secunia.com/advisories/24343/","http://secunia.com/advisories/24333/","http://secunia.com/advisories/24393/","http://secunia.com/advisories/24352/","http://www.ciac.org/ciac/bulletins/r-164.shtml","http://secunia.com/advisories/24406/","http://secunia.com/advisories/24384/","http://secunia.com/advisories/24410/","http://secunia.com/advisories/24389/","http://secunia.com/advisories/24455/","http://secunia.com/advisories/24456/","http://secunia.com/advisories/24457/","http://www.securityfocus.com/bid/22694","http://secunia.com/advisories/24437/"],"cveids":["CVE-2007-0776"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2007-02-23T20:53:01Z","publicdate":"2007-02-23T00:00:00Z","datefirstpublished":"2007-02-25T14:33:15Z","dateupdated":"2008-07-25T12:26:53Z","revision":71,"vrda_d1_directreport":"0","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"20","cam_exploitation":"0","cam_internetinfrastructure":"4","cam_population":"14","cam_impact":"14","cam_easeofexploitation":"14","cam_attackeraccessrequired":"18","cam_scorecurrent":"22.2264","cam_scorecurrentwidelyknown":"22.2264","cam_scorecurrentwidelyknownexploited":"40.7484","ipprotocol":"","cvss_accessvector":"--","cvss_accesscomplexity":"--","cvss_authentication":null,"cvss_confidentialityimpact":"--","cvss_integrityimpact":"--","cvss_availabilityimpact":"--","cvss_exploitablity":null,"cvss_remediationlevel":"ND","cvss_reportconfidence":"ND","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"ND","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"0","cvss_basevector":"AV:--/AC:--/Au:--/C:--/I:--/A:--","cvss_temporalscore":"0","cvss_environmentalscore":"0","cvss_environmentalvector":"CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND","metric":22.2264,"vulnote":null}