Subject: inkscape: Arbitrary code execution opening a file
Package: inkscape
Version: 0.41-4.99.sarge0
Severity: grave
Justification: user security hole

Inkscape is vulnerable to, almost, one buffer overflow that may allow
arbitrary code execution. I contacted the Inkscape team but, at the
moment, there is no patch for the issue.

Attached is a Proof Of Concept.

NOTE: I think the problem may not be exploitable because you need to
write a shellcode using only valid XML characters.

Regards,
Joxean Koret


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.11-1-386
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages inkscape depends on:
ii  libatk1.0-0            1.8.0-4           The ATK accessibility toolkit
ii  libc6                  2.3.2.ds1-22      GNU C Library: Shared libraries an
ii  libfontconfig1         2.3.1-2           generic font configuration library
ii  libfreetype6           2.1.7-2.4         FreeType 2 font engine, shared lib
ii  libgc1                 1:6.4-1           conservative garbage collector for
ii  libgcc1                1:3.4.3-13        GCC support library
ii  libglib2.0-0           2.6.4-1           The GLib library of C routines
ii  libglibmm-2.4-1        2.6.1-1           C++ wrapper for the GLib toolkit (
ii  libgtk2.0-0            2.6.4-3           The GTK+ graphical user interface
ii  libgtkmm-2.4-1         2.4.10-1          C++ wrappers for GTK+ 2.4 (shared
ii  libpango1.0-0          1.8.1-1           Layout and rendering of internatio
ii  libpng12-0             1.2.8rel-1        PNG library - runtime
ii  libpopt0               1.7-5             lib for parsing cmdline parameters
ii  libsigc++-2.0-0        2.0.10-1          type-safe Signal Framework for C++
ii  libstdc++5             1:3.3.5-13        The GNU Standard C++ Library v3
ii  libx11-6               4.3.0.dfsg.1-14   X Window System protocol client li
ii  libxft2                2.1.7-1           FreeType-based font drawing librar
ii  libxml2                2.6.16-7          GNOME XML library
ii  libxrender1            1:0.8.3-1         X Rendering Extension client libra
ii  libxslt1.1             1.1.12-8          XSLT processing library - runtime
ii  xlibs                  4.3.0.dfsg.1-14   X Keyboard Extension (XKB) configu
ii  zlib1g                 1:1.2.2-4.sarge.2 compression library - runtime

-- no debconf information

Attachment: poc.svg
Description: image/svg

Attachment: signature.asc
Description: This part of the message is digitally signed
