PT-2019-5304 · Advancecomp+4 · Advancecomp+4
M4X
·
Published
2019-02-27
·
Updated
2024-09-04
·
CVE-2019-9210
CVSS v3.1
7.8
High
| Vector | AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
AdvanceCOMP version 2.1
Description
The issue is caused by an integer overflow in the
png compress function in pngex.cc of the AdvanceCOMP utility. This overflow occurs when encountering an invalid PNG size, leading to an attempted memcpy into a buffer that is too small. Additionally, there is a heap-based buffer over-read. Exploitation of this issue could allow an attacker to execute arbitrary code.Recommendations
For AdvanceCOMP version 2.1, consider disabling the
png compress function in pngex.cc until a patch is available to prevent potential exploitation. Restrict the use of the affected advpng utility to minimize risk. At the moment, there is no information about a newer version that contains a fix for this vulnerability.Exploit
Integer Overflow
Out of bounds Read
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Alt Linux
Advancecomp
Centos
Red Hat
Ubuntu