JVNDB-2024-006787

xfpt vulnerable to stack-based buffer overflow

Overview

xfpt does not appropriately handle some parameters inside the input data, resulting in a stack-based buffer overflow vulnerability (CWE-121).

Yuhei Kawakoya of NTT Security Holdings Corporation reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.

CVSS Severity

CVSS V3 Severity:
Base Metrics 7.0 (High) [Other]
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
[Comment]
AC (Attack Complexity) is evaluated as High, considering that exploit protection mechanisms such as ASLR and stack canaries have become popular in major OS environments.

Affected Products


Philip Hazel
  • xfpt versions prior to 1.01

Impact

When a user of the affected product is tricked into processing a specially crafted file, arbitrary code may be executed in the user's environment.

Solution

[Update the software]
Update the software to the latest version according to the information provided by the developer.
The developer has committed the fix to the xfpt repository, which will be incorporated into the next version, 1.01.

Vendor Information

Philip Hazel

CWE

  1. Stack-based Buffer Overflow (CWE-121) [Other]

CVE

  1. CVE-2024-43700

References

  1. JVN : JVNVU#96498690

Revision History

  • [2024/08/29]
      Web page was published