ID

VAR-200604-0272


CVE

CVE-2006-1988


TITLE

Apple Mac OS X Multiple heap overflow vulnerabilities

Trust: 0.6

sources: CNNVD: CNNVD-200604-428

DESCRIPTION

The WebTextRenderer(WebInternal) _CG_drawRun:style:geometry: function in Apple Safari 2.0.3 allows remote attackers to cause a denial of service (application crash) via an HTML LI tag with a large VALUE attribute (list item number), which triggers a null dereference in QPainter::drawText, probably due to a failed memory allocation that uses the VALUE.

Apple Mac OS X is reported prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications including Safari, Preview, Finder, QuickTime, and BOMArchiveHelper. A remote attacker may exploit these issues to execute arbitrary code and/or trigger a denial-of-service condition. Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues.

When parsing malformed .tiff graphic files, the LZWDecodeVector(), _cg_TIFFSetField() or PredictorVSetField() functions do not correctly parse the malformed data, so the application opening the graphic crashes. The vulnerability is triggered by the core .tiff parsing engine, so Preview, Finder, QuickTime, and Safari are all possible attack vectors.
2. When decompressing a specially crafted .zip file, the BOMStackPop() function does not correctly parse the malformed data, resulting in a heap overflow vulnerability.
4. When decompressing a specially crafted .bmp file, the ReadBMP() function does not correctly parse the malformed data, resulting in a heap overflow vulnerability.
5. When decompressing a specially crafted .gif file, the CFAllocatorAllocate() function does not correctly parse the malformed data, resulting in a heap overflow vulnerability.

1) An error exists in the "BOMStackPop()" function in the BOMArchiveHelper when decompressing malformed ZIP archives.
2) Some errors exist in the "KWQListIteratorImpl()", "drawText()", and "objc_msgSend_rtp()" functions in Safari when processing malformed HTML tags.
3) An error exists in the "ReadBMP()" function when processing malformed BMP images and can be exploited via e.g. Safari or the Preview application.
4) An error exists in the "CFAllocatorAllocate()" function when processing malformed GIF images and can be exploited via e.g. Safari when a user visits a malicious web site.
5) Two errors exist in the "_cg_TIFFSetField()" and "PredictorVSetField()" functions when processing malformed TIFF images and can be exploited via e.g.

The vulnerabilities have been reported in version 10.4.6. Other versions may also be affected.

SOLUTION: Do not visit untrusted web sites, and do not open ZIP archives or images originating from untrusted sources.

PROVIDED AND/OR DISCOVERED BY: Tom Ferris

ORIGINAL ADVISORY: Tom Ferris:
http://www.security-protocols.com/sp-x25-advisory.php
http://www.security-protocols.com/sp-x26-advisory.php
http://www.security-protocols.com/sp-x27-advisory.php
http://www.security-protocols.com/sp-x28-advisory.php
http://www.security-protocols.com/sp-x29-advisory.php
http://www.security-protocols.com/sp-x30-advisory.php

Trust: 1.35

sources: NVD: CVE-2006-1988 // BID: 17634 // VULHUB: VHN-18096 // PACKETSTORM: 45638

AFFECTED PRODUCTS

vendor: apple, model: safari, scope: eq, version: 2.0.3

Trust: 1.9

vendor: apple, model: safari, scope: eq, version: 2.0.2

Trust: 1.9

vendor: apple, model: safari, scope: eq, version: 2.0.1

Trust: 1.9

vendor: apple, model: safari, scope: eq, version: 2.0

Trust: 1.6

vendor: apple, model: mobile safari, scope: eq, version: 0

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.4.6

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.4.5

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.4.4

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.4.3

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.4.2

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.4.1

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.4

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.3.9

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.3.8

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.3.7

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.3.6

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.3.5

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.3.4

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.3.3

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.3.2

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.3.1

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.3

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.4.6

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.4.5

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.4.4

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.4.3

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.4.2

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.4.1

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.4

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.3.9

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.3.8

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.3.7

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.3.6

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.3.5

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.3.4

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.3.3

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.3.2

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.3.1

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.3

Trust: 0.3

sources: BID: 17634 // NVD: CVE-2006-1988 // CNNVD: CNNVD-200604-428

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2006-1988
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-200604-428
value: MEDIUM

Trust: 0.6

VULHUB: VHN-18096
value: MEDIUM

Trust: 0.1

NVD:
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

VULHUB: VHN-18096
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-18096 // NVD: CVE-2006-1988 // CNNVD: CNNVD-200604-428

PROBLEMTYPE DATA

problemtype: NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2006-1988

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200604-428

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-200604-428

CONFIGURATIONS

sources: NVD: CVE-2006-1988

EXTERNAL IDS

db: BID, id: 17634

Trust: 2.0

db: SECUNIA, id: 19686

Trust: 1.8

db: OSVDB, id: 24823

Trust: 1.7

db: VUPEN, id: ADV-2006-1452

Trust: 1.7

db: NVD, id: CVE-2006-1988

Trust: 1.7

db: CNNVD, id: CNNVD-200604-428

Trust: 0.7

db: XF, id: 25946

Trust: 0.6

db: VULHUB, id: VHN-18096

Trust: 0.1

db: PACKETSTORM, id: 45638

Trust: 0.1

sources: VULHUB: VHN-18096 // BID: 17634 // PACKETSTORM: 45638 // NVD: CVE-2006-1988 // CNNVD: CNNVD-200604-428

REFERENCES

url: http://www.security-protocols.com/sp-x26-advisory.php

Trust: 2.1

url: http://www.securityfocus.com/bid/17634

Trust: 1.7

url: http://security-protocols.com/poc/sp-x26-2.html

Trust: 1.7

url: http://www.osvdb.org/24823

Trust: 1.7

url: http://secunia.com/advisories/19686

Trust: 1.7

url: http://www.vupen.com/english/advisories/2006/1452

Trust: 1.1

url: https://exchange.xforce.ibmcloud.com/vulnerabilities/25946

Trust: 1.1

url: http://xforce.iss.net/xforce/xfdb/25946

Trust: 0.6

url: http://www.frsirt.com/english/advisories/2006/1452

Trust: 0.6

url: http://www.security-protocols.com/sp-x29-advisory.php

Trust: 0.4

url: http://www.security-protocols.com/sp-x30-advisory.php

Trust: 0.4

url: http://www.security-protocols.com/sp-x28-advisory.php

Trust: 0.4

url: http://www.security-protocols.com/sp-x27-advisory.php

Trust: 0.4

url: http://www.security-protocols.com/sp-x25-advisory.php

Trust: 0.4

url: http://docs.info.apple.com/article.html?artnum=303737

Trust: 0.3

url: http://www.security-protocols.com/sp-x24-advisory.php

Trust: 0.3

url: http://www.info.apple.com/usen/security/security_updates.html

Trust: 0.3

url: http://www.security-protocols.com/modules.php?name=news&file=article&sid=3233

Trust: 0.3

url: http://www.apple.com/macosx/

Trust: 0.3

url: http://www.security-protocols.com/modules.php?name=news&file=article&sid=3236

Trust: 0.3

url: http://secunia.com/secunia_security_advisories/

Trust: 0.1

url: http://secunia.com/advisories/19686/

Trust: 0.1

url: http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url: http://secunia.com/product/96/

Trust: 0.1

url: http://secunia.com/about_secunia_advisories/

Trust: 0.1

sources: VULHUB: VHN-18096 // BID: 17634 // PACKETSTORM: 45638 // NVD: CVE-2006-1988 // CNNVD: CNNVD-200604-428

CREDITS

Tom Ferris tommy@security-protocols.com

Trust: 0.6

sources: CNNVD: CNNVD-200604-428

SOURCES

db: VULHUB, id: VHN-18096
db: BID, id: 17634
db: PACKETSTORM, id: 45638
db: NVD, id: CVE-2006-1988
db: CNNVD, id: CNNVD-200604-428

LAST UPDATE DATE

2023-12-18T10:56:34.990000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-18096, date: 2017-07-20T00:00:00
db: BID, id: 17634, date: 2006-05-17T19:59:00
db: NVD, id: CVE-2006-1988, date: 2017-07-20T01:31:05.100
db: CNNVD, id: CNNVD-200604-428, date: 2006-04-25T00:00:00

SOURCES RELEASE DATE

db: VULHUB, id: VHN-18096, date: 2006-04-21T00:00:00
db: BID, id: 17634, date: 2006-04-20T00:00:00
db: PACKETSTORM, id: 45638, date: 2006-04-25T22:06:23
db: NVD, id: CVE-2006-1988, date: 2006-04-21T22:02:00
db: CNNVD, id: CNNVD-200604-428, date: 2005-11-07T00:00:00