CVE-2019-5086

NameCVE-2019-5086
DescriptionAn exploitable integer overflow vulnerability exists in the flattenIncrementally function in the xcf2png and xcf2pnm binaries of xcftools, version 1.0.7. An integer overflow can occur while walking through tiles that could be exploited to corrupt memory and execute arbitrary code. In order to trigger this vulnerability, a victim would need to open a specially crafted XCF file.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2553-1
Debian Bugs945317

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
xcftools (PTS)buster1.0.7-6+deb10u1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
xcftoolssourcestretch1.0.7-6+deb9u1DLA-2553-1
xcftoolssourcebuster1.0.7-6+deb10u1
xcftoolssource(unstable)1.0.7-6.1945317

Notes

https://github.com/j-jorge/xcftools/issues/12
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0878

Search for package or bug name: Reporting problems