[VIM] clarification on multiple Tk overflow issues

Steven M. Christey coley at mitre.org
Fri Oct 12 00:27:09 UTC 2007


Ubuntu just informed CVE of an older variant of CVE-2007-5137.


CVE-2007-5378 - 8.4.12 and earlier

CVE-2007-5137 - only affects 8.4.13 through 8.4.15; this was an
incorrect or incomplete patch for CVE-2007-5378.

These issues might look the same.  My read on it is: for 5378, the
second frame is LARGER than the first; for 5137, the second frame is
SMALLER than the first.

Note that another ID, CVE-2007-4851, was found to be a duplicate of
CVE-2007-5137, so don't use 4851.


- Steve



======================================================
Name: CVE-2007-5137
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5137
Reference: MISC:http://bugs.gentoo.org/show_bug.cgi?id=192539
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=541207
Reference: GENTOO:GLSA-200710-07
Reference: URL:http://security.gentoo.org/glsa/glsa-200710-07.xml
Reference: BID:25826
Reference: URL:http://www.securityfocus.com/bid/25826
Reference: SECUNIA:26942
Reference: URL:http://secunia.com/advisories/26942
Reference: SECUNIA:27086
Reference: URL:http://secunia.com/advisories/27086

Buffer overflow in the ReadImage function in generic/tkImgGIF.c in Tcl
(Tcl/Tk) 8.4.13 through 8.4.15 allows remote attackers to execute
arbitrary code via multi-frame interlaced GIF files in which later
frames are smaller than the first.  NOTE: this issue is due to an
incorrect patch for CVE-2007-5378.


======================================================
Name: CVE-2007-5378
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5378
Reference: CONFIRM:https://sourceforge.net/tracker/?func=detail&atid=112997&aid=1458234&group_id=12997

Buffer overflow in the FileReadGIF function in tkImgGIF.c for Tk
Toolkit 8.4.12 and earlier, and 8.3.5 and earlier, allows
user-assisted attackers to cause a denial of service (segmentation
fault) via an animated GIF in which the first subimage is smaller than
a subsequent subimage, which triggers the overflow in the ReadImage
function, a different vulnerability than CVE-2007-5137.
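As an added example (not part of the original post and not Tk's own code), the scanner below walks a GIF's image descriptors and flags later frames whose dimensions differ from the first, labelling them by the larger/smaller distinction drawn above. The function names and sample bytes are constructed for illustration, and a hit only means the file has the described shape, not that a given Tk build is affected.

```python
import struct

def skip_sub_blocks(data, pos):
    """Advance past a chain of length-prefixed sub-blocks (ends with size 0)."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated GIF")
        size = data[pos]
        pos += 1 + size
        if size == 0:
            return pos

def gif_frames(data):
    """Return [(width, height, interlaced)] for every image descriptor."""
    if data[:6] not in (b"GIF87a", b"GIF89a") or len(data) < 13:
        raise ValueError("not a GIF")
    pos = 13
    if data[10] & 0x80:                          # global color table present
        pos += 3 * (2 << (data[10] & 0x07))
    frames = []
    while pos < len(data) and data[pos] != 0x3B:     # 0x3B = trailer
        block, pos = data[pos], pos + 1
        if block == 0x21:                        # extension: label + sub-blocks
            pos = skip_sub_blocks(data, pos + 1)
        elif block == 0x2C and pos + 9 <= len(data):     # image descriptor
            _x, _y, w, h, f = struct.unpack_from("<HHHHB", data, pos)
            pos += 9 + (3 * (2 << (f & 0x07)) if f & 0x80 else 0)
            pos = skip_sub_blocks(data, pos + 1)         # +1: LZW min code size
            frames.append((w, h, bool(f & 0x40)))
        else:
            raise ValueError("malformed GIF block")
    return frames

def triage(data):
    """Flag later frames by the larger/smaller distinction drawn in the post."""
    frames, hits = gif_frames(data), []
    for i, (w, h, interlaced) in enumerate(frames[1:], start=1):
        if w > frames[0][0] or h > frames[0][1]:
            hits.append((i, "CVE-2007-5378", interlaced))
        elif w < frames[0][0] or h < frames[0][1]:
            hits.append((i, "CVE-2007-5137", interlaced))
    return hits

# Constructed sample: 4x4 first frame, then a smaller interlaced and a larger one.
def make_frame(w, h, interlaced=False):          # pixel data is a placeholder
    flags = 0x40 if interlaced else 0
    return b"\x2C" + struct.pack("<HHHHB", 0, 0, w, h, flags) + b"\x02\x02\x4c\x01\x00"

HEADER = b"GIF89a" + struct.pack("<HHBBB", 4, 4, 0, 0, 0)
SAMPLE = HEADER + make_frame(4, 4) + make_frame(2, 2, True) + make_frame(8, 8) + b"\x3B"
```

The third element of each hit is the frame's interlace bit, which matters because the CVE-2007-5137 description is specific to interlaced files.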



