#2009-008 Dillo integer overflow
Dillo, an open source graphical web browser, suffers from an integer overflow
which may lead to a potentially exploitable heap overflow and result in
arbitrary code execution.
The vulnerability is triggered by HTML pages with embedded PNG images, the
Png_datainfo_callback function does not properly validate the width and
height of the image. Specific PNG images with large width and height can be
crafted to trigger the vulnerability.
Dillo <= 2.1
Dillo >= 2.1.1
Credit: vulnerability report and PoC code received from Tielei Wang
<wangtielei [at] icst [dot] pku [dot] edu [dot] cn>, ICST-ERCIS.
2009-05-21: vulnerability reported received
2009-06-18: contacted dillo maintainer
2009-06-18: maintainer requests PoC
2009-06-19: PoC is supplied
2009-06-19: maintainer provides patch
2009-06-24: revised patch is provided after reporter feedback
2009-06-25: patch is confirmed, maintainer requests one week of time to
investigate further areas of the browser
2009-07-01: dillo developer proposes security release coordination
2009-07-03: advisory release
Andrea Barisani | Founder & Project Coordinator
oCERT | Open Source Computer Emergency Response Team
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"