Denial of service in ImageWorsener

#VU6930 Denial of service in ImageWorsener

Published: 2017-06-06 | Updated: 2017-06-08

Vulnerability identifier: #VU6930

Vulnerability risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-8326

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ImageWorsener
Universal components / Libraries / Libraries used by multiple products

Vendor: Jason Summer

Description
libimageworsener.a in ImageWorsener before 1.3.1 has "left shift cannot be represented in type int" undefined behavior issues, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image, related to imagew-bmp.c and imagew-util.c.

Mitigation
Update to version 1.3.1.

Vulnerable software versions

ImageWorsener: 1.3.0

External links
http://github.com/jsummers/imageworsener/commit/a00183107d4b84bc8a714290e824ca9c68dac738

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in ImageWorsener