ID CVE-2006-5864
Summary Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv 3.6.2, and possibly earlier versions, allows user-assisted attackers to execute arbitrary code via a PostScript (PS) file with certain headers that contain long comments, as demonstrated using the (1) DocumentMedia, (2) DocumentPaperSizes, and possibly (3) PageMedia and (4) PaperSize headers. NOTE: this issue can be exploited through other products that use gv such as evince.
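Added example (not code from gv, evince or any of the advisories cited on this page): a C reconstruction of the bug class the summary describes, its bounded counterpart, and a triage check for trigger-shaped files. The unbounded copy loop, the buffer size PSLINELENGTH, the function names and the sample PostScript text are all assumptions made for illustration and are not taken from gv's ps.c. The hardened copy returns the token's true length so that truncation is visible to the caller; longest_dsc_token walks the DSC header comments the summary names (DocumentMedia, DocumentPaperSizes, PageMedia, PaperSize) and reports the longest whitespace-delimited token after any of them, which is the quickest way to tell whether a PS file carries the overlong comment before it is opened in an unpatched viewer.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed stack buffer in the unbounded parser below;
 * an illustration, not a constant taken from gv's source. */
#define PSLINELENGTH 257

/* The headers the CVE names as carrying the overlong comment. */
static const char *const suspect_headers[] = {
    "DocumentMedia", "DocumentPaperSizes", "PageMedia", "PaperSize", NULL
};

/* Vulnerable pattern, reconstructed for illustration (never call it on
 * untrusted input): the token after a DSC keyword is copied into a fixed
 * stack buffer with no bound on the write pointer, so a comment longer than
 * PSLINELENGTH-1 bytes runs past `text` into the saved frame. */
void dsc_token_unbounded(const char *s, char *out)
{
    char text[PSLINELENGTH], *q = text;
    while (*s && isspace((unsigned char)*s)) s++;
    while (*s && !isspace((unsigned char)*s)) *q++ = *s++;  /* no check on q */
    *q = '\0';
    strcpy(out, text);
}

/* Hardened form: writes at most cap-1 bytes plus the terminator and returns
 * the token's full length, so the caller sees truncation (result >= cap)
 * and can reject the file instead of silently clipping. */
size_t dsc_token_bounded(const char *s, char *out, size_t cap)
{
    size_t n = 0;
    while (*s && isspace((unsigned char)*s)) s++;
    for (; *s && !isspace((unsigned char)*s); s++, n++)
        if (n + 1 < cap) out[n] = *s;
    out[n < cap ? n : cap - 1] = '\0';
    return n;
}

/* Triage check: scan "%%Keyword:" lines whose keyword is in suspect_headers
 * and return the longest whitespace-delimited token after any of them;
 * `which` receives that keyword (pass NULL, 0 to skip). A result of
 * PSLINELENGTH or more is what the unbounded parser cannot hold. */
size_t longest_dsc_token(const char *ps, char *which, size_t whichcap)
{
    size_t longest = 0;
    if (whichcap) which[0] = '\0';
    for (;;) {
        const char *eol = strchr(ps, '\n');
        size_t linelen = eol ? (size_t)(eol - ps) : strlen(ps);
        const char *colon = (linelen > 2 && ps[0] == '%' && ps[1] == '%')
                          ? memchr(ps, ':', linelen) : NULL;
        for (const char *const *h = suspect_headers; colon && *h; h++) {
            if (strlen(*h) != (size_t)(colon - ps) - 2 ||
                memcmp(ps + 2, *h, colon - ps - 2) != 0) continue;
            const char *p = colon + 1, *end = ps + linelen;
            while (p < end) {
                size_t n = 0;
                while (p < end && isspace((unsigned char)*p)) p++;
                while (p < end && !isspace((unsigned char)*p)) { p++; n++; }
                if (n > longest) { longest = n; snprintf(which, whichcap, "%s", *h); }
            }
            break;
        }
        if (!eol) return longest;
        ps = eol + 1;
    }
}

/* Constructed benign prologue (not from any real file). */
static const char benign_ps[] =
    "%!PS-Adobe-3.0\n"
    "%%DocumentMedia: A4 595 842 80 white ( )\n"
    "%%PageMedia: A4\n"
    "%%EndComments\n";

/* Build a constructed trigger-shaped file (the given keyword followed by one
 * token of n 'A' bytes, no payload) in an internal buffer and scan it.
 * Returns 0 when the file would not fit the buffer. */
size_t scan_constructed(const char *keyword, size_t n)
{
    static char buf[4096];
    char which[32];
    int used = snprintf(buf, sizeof buf, "%%!PS-Adobe-3.0\n%%%%%s: ", keyword);
    if (used < 0 || (size_t)used + n + 16 > sizeof buf) return 0;
    memset(buf + used, 'A', n);
    strcpy(buf + used + n, "\n%%EndComments\n");
    return longest_dsc_token(buf, which, sizeof which);
}

int main(void)
{
    size_t n = scan_constructed("DocumentMedia", 600);
    printf("benign: longest token %zu\n", longest_dsc_token(benign_ps, NULL, 0));
    printf("constructed: longest token %zu, %s\n", n,
           n >= PSLINELENGTH ? "would overflow the unbounded parser" : "fits");
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run. Only an overlong comment is generated, no payload; the point is that a header token at or above the parser's buffer size is enough to distinguish a trigger-shaped file from an ordinary DSC prologue, and that the bounded copy makes the same condition visible to the viewer itself.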
Vulnerable Configurations
  • GNU gv 3.5.8
    cpe:2.3:a:gnu:gv:3.5.8
  • GNU gv 3.6
    cpe:2.3:a:gnu:gv:3.6.0
  • GNU gv 3.6.1
    cpe:2.3:a:gnu:gv:3.6.1
  • GNU gv 3.6.2
    cpe:2.3:a:gnu:gv:3.6.2
CVSS
Base: 5.1 (as of 13-11-2006 - 12:17)
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
Vector: NETWORK
Complexity: HIGH
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
exploit-db via4
description Evince Document Viewer (DocumentMedia) Buffer Overflow Exploit. CVE-2006-5864. Remote exploit for linux platform
file exploits/linux/remote/2858.c
id EDB-ID:2858
last seen 2016-01-31
modified 2006-11-28
platform linux
port
published 2006-11-28
reporter K-sPecial
source https://www.exploit-db.com/download/2858/
title Evince Document Viewer DocumentMedia Buffer Overflow Exploit
type remote
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1243.NASL
    description Renaud Lifchitz discovered that gv, the PostScript and PDF viewer for X, performs insufficient boundary checks in the Postscript parsing code, which allows the execution of arbitrary code through a buffer overflow. Evince embeds a copy of gv and needs an update as well.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 23948
    published 2006-12-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23948
    title Debian DSA-1243-1 : evince - buffer overflow
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200703-24.NASL
    description The remote host is affected by the vulnerability described in GLSA-200703-24 (mgv: Stack overflow in included gv code) mgv includes code from gv that does not properly boundary check user-supplied data before copying it into process buffers. Impact : An attacker could entice a user to open a specially crafted Postscript document with mgv and possibly execute arbitrary code with the rights of the user running mgv. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 24929
    published 2007-04-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24929
    title GLSA-200703-24 : mgv: Stack overflow in included gv code
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200704-06.NASL
    description The remote host is affected by the vulnerability described in GLSA-200704-06 (Evince: Stack overflow in included gv code) Evince includes code from GNU gv that does not properly boundary check user-supplied data before copying it into process buffers. Impact : An attacker could entice a user to open a specially crafted PostScript document with Evince and possibly execute arbitrary code with the rights of the user running Evince. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 25019
    published 2007-04-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25019
    title GLSA-200704-06 : Evince: Stack overflow in included gv code
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-390-2.NASL
    description USN-390-1 fixed a vulnerability in evince. The original fix did not fully solve the problem, allowing for a denial of service in certain situations. A buffer overflow was discovered in the PostScript processor included in evince. By tricking a user into opening a specially crafted PS file, an attacker could crash evince or execute arbitrary code with the user's privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 27974
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27974
    title Ubuntu 5.10 / 6.06 LTS / 6.10 : evince vulnerability (USN-390-2)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_779A2D558BA811DB81D500123FFE8333.NASL
    description Secunia reports : A vulnerability has been discovered in Evince, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error within the 'get_next_text()' function in ps/ps.c. This can be exploited to cause a buffer overflow by e.g. tricking a user into opening a specially crafted PostScript file.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 23872
    published 2006-12-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23872
    title FreeBSD : evince -- Buffer Overflow Vulnerability (779a2d55-8ba8-11db-81d5-00123ffe8333)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-214.NASL
    description Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv 3.6.2, and possibly earlier versions, allows user-assisted attackers to execute arbitrary code via a PostScript (PS) file with certain headers that contain long comments, as demonstrated using the DocumentMedia header. Packages have been patched to correct this issue. Update : The patch used in the previous update still left the possibility of causing X to consume unusual amounts of memory if gv is used to view a carefully crafted image designed to exploit CVE-2006-5864. This update uses an improved patch to address this issue.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 24599
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24599
    title Mandrake Linux Security Advisory : gv (MDKSA-2006:214-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-390-1.NASL
    description A buffer overflow was discovered in the PostScript processor included in evince. By tricking a user into opening a specially crafted PS file, an attacker could crash evince or execute arbitrary code with the user's privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 27973
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27973
    title Ubuntu 5.10 / 6.06 LTS / 6.10 : evince vulnerability (USN-390-1)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-229.NASL
    description Stack-based buffer overflow in ps.c for evince allows user-assisted attackers to execute arbitrary code via a PostScript (PS) file with certain headers that contain long comments, as demonstrated using the DocumentMedia header. Packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 24612
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24612
    title Mandrake Linux Security Advisory : evince (MDKSA-2006:229)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1214.NASL
    description The original update provided in DSA 1214-1 was insufficient; this update corrects this. For reference please find the original advisory text below : Renaud Lifchitz discovered that gv, the PostScript and PDF viewer for X, performs insufficient boundary checks in the Postscript parsing code, which allows the execution of arbitrary code through a buffer overflow.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 23700
    published 2006-11-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23700
    title Debian DSA-1214-2 : gv - buffer overflow
  • NASL family SuSE Local Security Checks
    NASL id SUSE_GV-2266.NASL
    description A stack overflow in the PostScript viewer gv could be exploited to execute code, if the user could be tricked into viewing a prepared PostScript file. (CVE-2006-5864)
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27255
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27255
    title openSUSE 10 Security Update : gv (gv-2266)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_GV-2267.NASL
    description A stack overflow in the PostScript viewer gv could be exploited to execute code, if the user could be tricked into viewing a prepared PostScript file. (CVE-2006-5864)
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 29454
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29454
    title SuSE 10 Security Update : gv (ZYPP Patch Number 2267)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_EVINCE-2362.NASL
    description Specially crafted Postscript files could be used to execute arbitrary code by causing a buffer overflow in evince (CVE-2006-5864).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27209
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27209
    title openSUSE 10 Security Update : evince (evince-2362)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200611-20.NASL
    description The remote host is affected by the vulnerability described in GLSA-200611-20 (GNU gv: Stack overflow) GNU gv does not properly boundary check user-supplied data before copying it into process buffers. Impact : An attacker could entice a user to open a specially crafted document with GNU gv and execute arbitrary code with the rights of the user on the system. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 23728
    published 2006-11-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23728
    title GLSA-200611-20 : GNU gv: Stack overflow
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-390-3.NASL
    description USN-390-2 fixed vulnerabilities in evince. This update provides the corresponding update for evince-gtk. A buffer overflow was discovered in the PostScript processor included in evince. By tricking a user into opening a specially crafted PS file, an attacker could crash evince or execute arbitrary code with the user's privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 27975
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27975
    title Ubuntu 6.06 LTS / 6.10 : evince-gtk vulnerability (USN-390-3)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_EVINCE-2358.NASL
    description Specially crafted Postscript files could be used to execute arbitrary code by causing a buffer overflow in evince. (CVE-2006-5864)
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 29422
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29422
    title SuSE 10 Security Update : evince (ZYPP Patch Number 2358)
refmap via4
bid 20978
bugtraq
  • 20061109 GNU gv Stack Overflow Vulnerability
  • 20061112 Re: GNU gv Stack Overflow Vulnerability
  • 20061128 evince buffer overflow exploit (gv)
cert-vn VU#352825
confirm https://issues.rpath.com/browse/RPL-850
debian
  • DSA-1214
  • DSA-1243
exploit-db 2858
gentoo
  • GLSA-200611-20
  • GLSA-200703-24
  • GLSA-200704-06
mandriva
  • MDKSA-2006:214
  • MDKSA-2006:229
secunia
  • 22787
  • 22932
  • 23006
  • 23018
  • 23111
  • 23118
  • 23183
  • 23266
  • 23306
  • 23335
  • 23353
  • 23409
  • 23579
  • 24649
  • 24787
suse
  • SUSE-SR:2006:026
  • SUSE-SR:2006:028
  • SUSE-SR:2006:029
ubuntu
  • USN-390-1
  • USN-390-2
  • USN-390-3
vupen
  • ADV-2006-4424
  • ADV-2006-4747
xf
  • evince-postscript-bo(30555)
  • gnu-gv-buffer-overflow(30153)
statements via4
contributor Mark J Cox
lastmodified 2007-09-07
organization Red Hat
statement Red Hat is aware of this issue and is tracking it via the following bug for Red Hat Enterprise Linux 2.1. This issue did not affect Red Hat Enterprise Linux 3 or 4. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=215593 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 which is in maintenance mode.
Last major update 07-03-2011 - 00:00
Published 10-11-2006 - 20:07
Last modified 17-10-2018 - 17:45