Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.

New Qt packages are available for Slackware 9.0, 9.1, 10.0, and
-current to fix security issues. Bugs in the routines that handle PNG, BMP, GIF, and JPEG images may allow an attacker to cause unauthorized code to execute when a specially crafted image file is processed.
These flaws may also cause crashes that lead to a denial of service.

Several vulnerabilities were discovered in recent versions of Qt, a commonly used graphic widget set, used in KDE for example. The first problem allows an attacker to execute arbitrary code, while the other two only seem to pose a denial of service danger. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities :

  - CAN-2004-0691 :
    Chris Evans has discovered a heap-based overflow when     handling 8-bit RLE encoded BMP files.

  - CAN-2004-0692 :

    Marcus Meissner has discovered a crash condition in the     XPM handling code, which is not yet fixed in Qt 3.3.

  - CAN-2004-0693 :

    Marcus Meissner has discovered a crash condition in the     GIF handling code, which is not yet fixed in Qt 3.3.

The remote host is affected by the vulnerability described in GLSA-200408-20 (Qt: Image loader overflows)

    There are several unspecified bugs in the QImage class which may cause     crashes or allow execution of arbitrary code as the user running the Qt     application. These bugs affect the PNG, XPM, BMP, GIF and JPEG image     types.
  Impact :

    An attacker may exploit these bugs by causing a user to open a     carefully-constructed image file in any one of these formats. This may     be accomplished through e-mail attachments (if the user uses KMail), or     by simply placing a malformed image on a website and then convicing the     user to load the site in a Qt-based browser (such as Konqueror).
  Workaround :

    There is no known workaround at this time. All users are encouraged to     upgrade to the latest available version of Qt.

During a security audit, Chris Evans discovered a heap overflow in the BMP image decoder in Qt versions prior to 3.3.3. An attacker could create a carefully crafted BMP file in such a way that it would cause an application linked with Qt to crash or possibly execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0691 to this issue.

Additionally, various flaws were discovered in the GIF, XPM, and JPEG decoders in Qt versions prior to 3.3.3. An attacker could create carefully crafted image files in such a way that it could cause an application linked against Qt to crash when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0692 and CVE-2004-0693 to these issues.

Users of Qt should update to these updated packages which contain backported patches and are not vulnerable to these issues.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Qt contains several vulnerabilities related to image loading, including possible crashes when loading corrupt GIF, BMP, or JPEG images. Most seriously, Chris Evans reports that the BMP crash is actually due to a heap buffer overflow. It is believed that an attacker may be able to construct a BMP image that could cause a Qt-using application to execute arbitrary code when it is loaded.

Chris Evans discovered a heap-based overflow in the QT library when handling 8-bit RLE encoded BMP files. This vulnerability could allow for the compromise of the account used to view or browse malicious BMP files. On subsequent investigation, it was also found that the handlers for XPM, GIF, and JPEG image types were also faulty.

These problems affect all applications that use QT to handle image files, such as QT-based image viewers, the Konqueror web browser, and others.

The updated packages have been patched to correct these problems.

Updated qt packages that fix security issues in several of the image decoders are now available.

Qt is a software toolkit that simplifies the task of writing and maintaining GUI (Graphical User Interface) applications for the X Window System.

During a security audit, Chris Evans discovered a heap overflow in the BMP image decoder in Qt versions prior to 3.3.3. An attacker could create a carefully crafted BMP file in such a way that it would cause an application linked with Qt to crash or possibly execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0691 to this issue.

Additionally, various flaws were discovered in the GIF, XPM, and JPEG decoders in Qt versions prior to 3.3.3. An attacker could create carefully crafted image files in such a way that it could cause an application linked against Qt to crash when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0692 and CVE-2004-0693 to these issues.

Users of Qt should update to these updated packages which contain backported patches and are not vulnerable to these issues.

The remote host is missing the patch for the advisory SUSE-SA:2004:027 (qt3/qt3-non-mt/qt3-32bit/qt3-static).


The QT-library is an environment for GUI-programming and is used in various well-known projects, like KDE.

There is a heap overflow in the BMP image format parser.  An attacker, exploiting this flaw, would need to be able to coerce a local user or program to process a specially crafted image file.  Upon successful exploitation, the attacker would be able to execute arbitrary code.

In addition, there are 2 distinct flaws within the XPM parser which, when exploited, lead to a Denial of Service (DoS).

ID	Name	Product	Family	Severity
18767	Slackware 10.0 / 9.0 / 9.1 / current : Qt (SSA:2004-236-01)	Nessus	Slackware Local Security Checks	high
15379	Debian DSA-542-1 : qt - unsanitised input	Nessus	Debian Local Security Checks	high
14576	GLSA-200408-20 : Qt: Image loader overflows	Nessus	Gentoo Local Security Checks	high
14349	Fedora Core 2 : qt-3.3.3-0.1 (2004-271)	Nessus	Fedora Local Security Checks	high
14348	Fedora Core 1 : qt-3.1.2-14.2 (2004-270)	Nessus	Fedora Local Security Checks	high
14340	FreeBSD : qt -- image loader vulnerabilities (ebffe27a-f48c-11d8-9837-000c41e2cdad)	Nessus	FreeBSD Local Security Checks	high
14334	Mandrake Linux Security Advisory : qt3 (MDKSA-2004:085)	Nessus	Mandriva Local Security Checks	high
14326	RHEL 2.1 / 3 : qt (RHSA-2004:414)	Nessus	Red Hat Local Security Checks	high
14322	SUSE-SA:2004:027: qt3/qt3-non-mt/qt3-32bit/qt3-static	Nessus	SuSE Local Security Checks	high

Detections

Analytics

CVE-2004-0691

high

Tenable Plugins

high

high

high

high

high

high

high

high

high