#2009-008 Dillo integer overflow Description: Dillo, an open source graphical web browser, suffers from an integer overflow which may lead to a potentially exploitable heap overflow and result in arbitrary code execution. The vulnerability is triggered by HTML pages with embedded PNG images, the Png_datainfo_callback function does not properly validate the width and height of the image. Specific PNG images with large width and height can be crafted to trigger the vulnerability. Affected version: Dillo <= 2.1 Fixed version: Dillo >= 2.1.1 Credit: vulnerability report and PoC code received from Tielei Wang <wangtielei [at] icst [dot] pku [dot] edu [dot] cn>, ICST-ERCIS. CVE: CVE-2009-2294 Timeline: 2009-05-21: vulnerability reported received 2009-06-18: contacted dillo maintainer 2009-06-18: maintainer requests PoC 2009-06-19: PoC is supplied 2009-06-19: maintainer provides patch 2009-06-24: revised patch is provided after reporter feedback 2009-06-25: patch is confirmed, maintainer requests one week of time to investigate further areas of the browser 2009-07-01: dillo developer proposes security release coordination 2009-07-03: advisory release Permalink: http://www.ocert.org/advisories/ocert-2009-008.html -- Andrea Barisani | Founder & Project Coordinator oCERT | Open Source Computer Emergency Response Team <lcars@xxxxxxxxx> http://www.ocert.org 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E "Pluralitas non est ponenda sine necessitate"