package: dillo version: 0.8.5-4 severity: serious tags: security hello,
it has been found that dillo is vulnerable to an integer overflow. the text of the problem is: |Dillo, an open source graphical web browser, suffers from an integer |overflow which may lead to a potentially exploitable heap overflow and |result in arbitrary code execution. | |The vulnerability is triggered by HTML pages with embedded PNG images, |the Png_datainfo_callback function does not properly validate the width |and height of the image. Specific PNG images with large width and |height can be crafted to trigger the vulnerability. this is fixed in upstream version 2.2.1. please coordinate with the security team to prepare updates for the etch/lenny. this is CVE-2009-2294 [0]. please make sure to include this number in your changelog if you fix the issue. [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2294 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
