CVE-2008-0553

Name of the Vulnerable Software and Affected Versions Tk versions prior to 8.5.1 tcl-devel versions 8.3.5 and earlier tclx versions 8.3 and earlier tk8.3 versions prior to 8.5.1 tk8.3-dev versions prior to 8.5.1 tcllib versions 1.0 and earlier tcltk versions 8.3.3 and earlier, 8.3.5 and earlier tk8.3-doc versions prior to 8.5.1 tcl versions 8.3.3 and earlier, 8.3.5 and earlier

Description The issue involves multiple vulnerabilities in the Tk package, which can lead to disruption of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. A specific vulnerability is a stack-based buffer overflow in the ReadImage function in tkImgGIF.c in Tk (Tcl/Tk) before 8.5.1, allowing remote attackers to execute arbitrary code via a crafted GIF image.

Recommendations For Tk versions prior to 8.5.1, update to version 8.5.1 or later. For tcl-devel versions 8.3.5 and earlier, update to a version later than 8.3.5. For tclx versions 8.3 and earlier, update to a version later than 8.3. For tk8.3 versions prior to 8.5.1, update to version 8.5.1 or later. For tk8.3-dev versions prior to 8.5.1, update to version 8.5.1 or later. For tcllib versions 1.0 and earlier, update to a version later than 1.0. For tcltk versions 8.3.3 and earlier, 8.3.5 and earlier, update to a version later than 8.3.5. For tk8.3-doc versions prior to 8.5.1, update to version 8.5.1 or later. For tcl versions 8.3.3 and earlier, 8.3.5 and earlier, update to a version later than 8.3.5. As a temporary workaround, consider disabling the ReadImage function in tkImgGIF.c until a patch is available. Restrict access to the vulnerable tkImgGIF.c module to minimize the risk of exploitation. Avoid using crafted GIF images in the affected API endpoint until the issue is resolved.