#VU31157 Buffer overflow in AdvanceCOMP - CVE-2019-8383

Cybersecurity Help s.r.o.

Published: 2019-02-17 | Updated: 2020-07-17

Vulnerability identifier: #VU31157

Vulnerability risk: Low

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-8383

CWE-ID: CWE-119

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
AdvanceCOMP
Universal components / Libraries / Libraries used by multiple products

Vendor: Andrea Mazzoleni

Description

The vulnerability allows a local non-authenticated attacker to execute arbitrary code.

An issue was discovered in AdvanceCOMP through 2.1. An invalid memory address occurs in the function adv_png_unfilter_8 in lib/png.c. It can be triggered by sending a crafted file to a binary. It allows an attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact when a victim opens a specially crafted file.

Mitigation
Install update from vendor's website.

Vulnerable software versions

AdvanceCOMP: 2.0

External links
https://access.redhat.com/errata/RHSA-2019:2332
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J23C6QSTJMQ467KAI6QG54AE4MZRLPQV/
https://research.loginsoft.com/bugs/invalid-memory-access-in-adv_png_unfilter_8-advancecomp/
https://sourceforge.net/p/advancemame/bugs/272/

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Ubuntu update for advancecomp

Red Hat Enterprise Linux 7 update for advancecomp

Fedora 30 update for advancecomp

Multiple vulnerabilities in AdvanceCOMP