{"vuid":"VU#557948","idnumber":"557948","name":"Mozilla products vulnerable to heap overflow via specially crafted GIF file","keywords":["Mozilla","Firefox","Thunderbird","heap overflow","arbitrary code execution","remote compromise","GIF file","Netscape extension 2"],"overview":"Mozilla products, including the Mozilla Suite, Mozilla Firefox, and Mozilla Thunderbird, are vulnerable to a heap-based overflow in the GIF image-processing routines.","clean_desc":"The Mozilla project produces an application suite (Mozilla Suite), web browsers (Mozilla Firefox), email software (Mozilla Thunderbird), and other products. An image processing library used in some Mozilla products contains a flaw in Graphics Interchange Format (GIF) file handling. A Netscape-specific extension block (Netscape extension 2) may be present in the GIF file that contains a 32-bit integer. This integer is used to determine image buffer space. An attacker may misrepresent this value to exploit a heap overflow condition. The attacker can craft a special GIF file that, when viewed, induces a heap overflow in the Mozilla product that is processing the GIF file.","impact":"A remote unauthenticated attacker can execute arbitrary code as the local user if the user loads a specially crafted GIF file (for example, a GIF-format image in a web page or email message).","resolution":"Apply an update\nThe vulnerability is addressed in the following Mozilla product releases:\nMozilla Suite 1.7.6\nMozilla Firefox 1.0.2\nMozilla Thunderbird 1.0.2\nNote that other products that use the same image processing library may also be affected.","workarounds":"The Mozilla project recommends turning off image loading as a temporary workaround until an update is applied.","sysaffected":"","thanks":"Thanks to Mark Dowd and the rest of ISS X-Force for reporting this vulnerability.","author":"This document was written by Ken MacInnis.","public":["http://xforce.iss.net/xforce/alerts/id/191","http://www.mozilla.org/security/announce/mfsa2005-30.html","http://secunia.com/advisories/14685/","http://secunia.com/advisories/14684/","http://secunia.com/advisories/14654/"],"cveids":["CVE-2005-0399"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2005-03-23T21:58:13Z","publicdate":"2005-03-23T00:00:00Z","datefirstpublished":"2005-03-30T16:03:59Z","dateupdated":"2005-12-22T20:14:30Z","revision":35,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"11","cam_population":"10","cam_impact":"18","cam_easeofexploitation":"10","cam_attackeraccessrequired":"20","cam_scorecurrent":"17.55","cam_scorecurrentwidelyknown":"20.925","cam_scorecurrentwidelyknownexploited":"34.425","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":17.55,"vulnote":null}