In association with heise online

31 January 2008, 11:48

XnView vulnerable to a buffer overflow attack


Security service provider Secunia reported on Wednesday that a buffer overflow can occur in the popular XnView image viewer and converter when it handles manipulated high dynamic range images in the Radiance RGBE (.hdr) format. When opened, specially crafted .hdr files can inject and execute a trojan via this bug. An update for the Windows version is available, but versions for other operating systems have yet to be patched.

The vulnerability is due to a flawed length check in versions 1.91 and 1.92 of XnView. The developer believes that previous versions also contain the flawed code. Versions for Windows, Mac OS X, Linux, BSD, Irix, Solaris, HP-UX and AIX are all probably affected. The vulnerability is also present in NConvert 4.85 and the GFL SDK 2.870 software development kit.

The developer has made the current versions, 1.92.1 of XnView and 4.86 of NConvert for Windows, available for download. There is no update yet for the GFL SDK or for the Mac and UNIX versions. Users are advised to install the fixed version as soon as possible. Users of platforms for which no update is yet available should not open any .hdr files from unknown or suspect sources with the software.
