Vulnerability DatabaseCVE-2011-2896
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2011-2896
August 19, 2011
The LZW decompressor in the LWZReadByte function in giftoppm.c in the David Koblas GIF decoder in PBMPLUS, as used in the gif_read_lzw function in filter/image-gif.c in CUPS before 1.4.7, the LZWReadByte function in plug-ins/common/file-gif-load.c in GIMP 2.6.11 and earlier, the LZWReadByte function in img/gifread.c in XPCE in SWI-Prolog 5.10.4 and earlier, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows remote attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2895.
Related ResourcesĀ (35)
http://www.securityfocus.com/bid/49148
https://security-tracker.debian.org/tracker/CVE-2011-2896
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065527.html
http://secunia.com/advisories/45900
http://git.gnome.org/browse/gimp/commit/?id=376ad788c1a1c31d40f18494889c383f6909ebfc
https://bugzilla.redhat.com/show_bug.cgi?id=730338
http://secunia.com/advisories/46024
http://security.gentoo.org/glsa/glsa-201209-23.xml
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065550.html
http://secunia.com/advisories/45621
http://secunia.com/advisories/45948
http://www.ubuntu.com/usn/USN-1214-1
http://www.debian.org/security/2012/dsa-2426
http://www.mandriva.com/security/advisories?name=MDVSA-2011:167
http://www.securitytracker.com/id?1025929
http://secunia.com/advisories/50737
http://www.redhat.com/support/errata/RHSA-2011-1635.html
http://secunia.com/advisories/48308
http://www.openwall.com/lists/oss-security/2011/08/10/10
http://www.mandriva.com/security/advisories?name=MDVSA-2011:146
http://lists.fedoraproject.org/pipermail/package-announce/2011-August/064873.html
https://people.canonical.com/~ubuntu-security/cve/CVE-2011-2896
http://www.debian.org/security/2011/dsa-2354
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065539.html
http://rhn.redhat.com/errata/RHSA-2012-1181.html
http://www.ubuntu.com/usn/USN-1207-1
http://lists.fedoraproject.org/pipermail/package-announce/2011-August/064600.html
https://bugzilla.redhat.com/show_bug.cgi?id=727800
http://secunia.com/advisories/45945
http://cups.org/str.php?L3867
http://secunia.com/advisories/48236
http://www.swi-prolog.org/bugzilla/show_bug.cgi?id=7#c4
https://access.redhat.com/security/cve/CVE-2011-2896
http://rhn.redhat.com/errata/RHSA-2012-1180.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065651.html
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.6
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
LOW
CVSS v2
Base Score:
5.1
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
Weakness Type (CWE)
Out-of-bounds Write
CWE-787
EPSS
Base Score:
7.22