xzgv is "a picture viewer for X, with a thumbnail-based file selector. It uses GTK+ and Imlib 1.x. Most file formats are supported, and the thumbnails used are compatible with xv, zgv and the Gimp".
Remote exploitation of an integer overflow vulnerability in various vendors' implementations of the read_prf_file method in the xzgv program could allow for arbitrary code execution. The vulnerability specifically exists due to an integer overflow while allocating memory for an image file.
The vulnerable code is as follows: xzgv-0.8/src/readprf.c:
if((*theimageptr=malloc(width*height*3))==NULL)
[...]
The values width and height are integers that are ultimately supplied by the image file. With certain values for height and width set in an image file, the product width*height*3 overflows and not enough memory is allocated. The under-allocated memory is later written to, causing heap corruption and possible arbitrary code execution with the privileges of the user viewing the image file.
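The size calculation described above, as an added example that is not code from xzgv or from this advisory: it models the 32-bit wraparound of width*height*3 and shows a bounds-checked allocation beside it. The function names, the MAX_IMAGE_BYTES policy cap and the sample dimensions are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical policy cap on a decoded image buffer (1 GiB). */
#define MAX_IMAGE_BYTES ((uint64_t)1 << 30)

/* Value a 32-bit width*height*3 takes after wraparound. Done in uint32_t
 * because signed overflow is undefined behaviour in C; this models the
 * usual two's-complement result that reaches malloc(). */
uint32_t wrapped_rgb_size(int width, int height)
{
    return (uint32_t)((uint32_t)width * (uint32_t)height * 3u);
}

/* Checked size: rejects non-positive dimensions and any true product
 * above the cap. The 64-bit product cannot overflow for int inputs.
 * Returns 0 and stores the byte count on success, -1 on rejection. */
int checked_rgb_size(int width, int height, size_t *out)
{
    if (width <= 0 || height <= 0)
        return -1;
    uint64_t total = (uint64_t)width * (uint64_t)height * 3u;
    if (total > MAX_IMAGE_BYTES)
        return -1;
    *out = (size_t)total;
    return 0;
}

/* Allocation that refuses the image instead of under-allocating. */
unsigned char *alloc_rgb(int width, int height)
{
    size_t n;
    if (checked_rgb_size(width, height, &n) != 0)
        return NULL;
    return malloc(n);
}

int main(void)
{
    int w = 65536, h = 21846;   /* constructed sample dimensions */
    size_t n;
    printf("true size:    %llu bytes\n", (unsigned long long)w * h * 3);
    printf("wrapped size: %u bytes\n", wrapped_rgb_size(w, h));
    printf("checked:      %s\n",
           checked_rgb_size(w, h, &n) == 0 ? "accepted" : "rejected");
    return 0;
}
```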
Analysis:
Exploitation allows attackers to gain the privileges of the user viewing the image file. If a user can be convinced to view a malicious file, this vulnerability can be exploited remotely.
Detection:
The following vendors have confirmed the availability of susceptible xzgv packages within their respective operating system distributions:
SuSE
Debian
Gentoo
FreeBSD
Workaround:
Only accept image files from trusted sources. Use a different image viewer program to view untrusted images.