SB2013122801 - Multiple vulnerabilities in IrfanView
Published: December 28, 2013 Updated: August 10, 2020
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Heap-based buffer overflow (CVE-ID: CVE-2013-5351)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in IrfanView before 4.37 when processing the LZW code stream in a GIF file. A remote attacker can use the LZW code stream in a GIF file to trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
2) Buffer overflow (CVE-ID: CVE-2013-6932)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Buffer overflow in IrfanView before 4.37, when a multibyte-character directory name is used, allows user-assisted remote attackers to execute arbitrary code via a crafted file that is incorrectly handled by the Thumbnail tooltips feature in the Thumbnails window.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- http://osvdb.org/101065
- http://secunia.com/advisories/54959
- http://secunia.com/secunia_research/2013-13/
- http://www.irfanview.com/main_history.htm
- http://www.securityfocus.com/bid/64388
- https://exchange.xforce.ibmcloud.com/vulnerabilities/89808
- https://exchange.xforce.ibmcloud.com/vulnerabilities/89820
- http://jvn.jp/en/jp/JVN63194482/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2013-000120