[Japanese]

JVNDB-2015-000066

BGA32.DLL and QBga32.DLL contain multiple vulnerabilities

Overview

BGA32.DLL is a compression/decompression library for gza and bza-format files. BGA32.DLL contains multiple vulnerabilities (including a buffer overflow) because it utilizes vulnerable zlib and bzip2 libraries.
QBga32.DLL, which is a wrapper of BGA32.DLL, is also affected.

KONDOU, Kazuhiro reported this vulnerability to IPA.
JPCERT/CC coordinated with the developers under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

Base Metrics: 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products


Kazuhiro Inaba
  • QBga32.DLL version 0.04 and earlier
Toshinobu Kimura
  • BGA32.DLL

Impact

Decompressing a specially crafted file may result in denial-of-service (DoS) or arbitrary code execution.
Solution

[Use the latest version of QBga32.DLL]
These vulnerabilities have been addressed in QBga32.DLL version 0.05.

[Do not use BGA32.DLL]
BGA32.DLL is no longer being developed or maintained. It is recommended to stop using BGA32.DLL.
Vendor Information

Kazuhiro Inaba Toshinobu Kimura
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2003-0107
  2. CVE-2005-0953
  3. CVE-2005-1260
  4. CVE-2005-1849
  5. CVE-2005-2096
References

  1. JVN : JVN#78689801
  2. National Vulnerability Database (NVD) : CVE-2003-0107
  3. National Vulnerability Database (NVD) : CVE-2005-0953
  4. National Vulnerability Database (NVD) : CVE-2005-1260
  5. National Vulnerability Database (NVD) : CVE-2005-1849
  6. National Vulnerability Database (NVD) : CVE-2005-2096
Revision History

[2015/05/19]
  Web page was published
[2015/05/22]
  CVE : CVE-IDs were added
  References : Contents were added