GEGL gegl_buffer_iterate_read_simple Function Remote Denial of Service Vulnerability [CVE-2018-10114]
CVE Number – CVE-2018-10114
A vulnerability in the Portable PixMap (PPM) File Handler component of the Generic Graphics Library (GEGL) could allow an unauthenticated, remote attacker to cause a denial of service condition on a targeted system.
The vulnerability is due to improper restrictions of memory allocation in the ppm_load_read_header function as defined in the operations/external/ppm-load.c source code file of the affected software. An attacker could exploit the vulnerability by persuading a user to access a PPM file that submits malicious input to the affected software. A successful exploit could trigger an out-of-bounds write condition in the gegl_buffer_iterate_read_simple function in the buffer/gegl-buffer-access.c source code file, which could cause the affected software to crash, resulting in a DoS condition on the affected system.
Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available.
The GNOME Project has confirmed the vulnerability and released a software patch.
-
To exploit this vulnerability, the attacker may use misleading language or instructions to persuade a user to access a file that submits malicious input to the affected software.
-
Administrators are advised to apply the appropriate updates.
Administrators are advised to allow only trusted users to have network access.
Users are advised not to open email messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in email messages are safe, they are advised not to open them.
Administrators are advised to monitor critical systems.
-
The GNOME Project has released a bug report at the following link: Bug 795248
-
The GNOME Project has released a software patch at the following link: ppm-load: limit max permitted buffer allocation to 2GB
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.