| Name | CVE-2017-5332 |
| Description | The extract_group_icon_cursor_resource in wrestool/extract.c in icoutils before 0.31.1 can access unallocated memory, which allows local users to cause a denial of service (process crash) and execute arbitrary code via a crafted executable. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-789-1, DSA-3765-1 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| icoutils (PTS) | bullseye | 0.32.3-3 | fixed |
| bookworm | 0.32.3-4 | fixed | |
| forky, sid, trixie | 0.32.3-6 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| icoutils | source | wheezy | 0.29.1-5deb7u1 | DLA-789-1 | ||
| icoutils | source | jessie | 0.31.0-2+deb8u2 | DSA-3765-1 | ||
| icoutils | source | (unstable) | 0.31.1-1 |
https://bugzilla.redhat.com/show_bug.cgi?id=1249276
Fixed by: http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1aa9f28f7bcbdfff6a84a15ac8d9a87559b1596a
Fixed by: http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1a108713ac26215c7568353f6e02e727e6d4b24a
https://www.openwall.com/lists/oss-security/2017/01/10/4
CVE for "all of 1aa9f28f7bcbdfff6a84a15ac8d9a87559b1596a and also the index correction in
1a108713ac26215c7568353f6e02e727e6d4b24a."