Secunia Research: Google Picasa Four RAW Image Parsing Code Execution Vulnerabilities

======================================================================
 
                    Secunia Research 20/12/2013

 Google Picasa Four RAW Image Parsing Code Execution Vulnerabilities

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerabilities.......................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9

======================================================================
1) Affected Software

* Google Picasa 3.9.0 Build 136.20

NOTE: Prior versions may also be affected.

======================================================================
2) Severity 

Rating: Highly critical
Impact: System Access
Where:  From remote
 
====================================================================== 
3) Description of Vulnerabilities

Secunia Research has discovered multiple vulnerabilities in Google
Picasa, which can be exploited by malicious people to compromise a
user's system.

1) An integer underflow error within the Picasa3.exe module when
parsing JPEG tags can be exploited to cause a heap-based buffer
overflow via e.g. a Canon RAW CR2 file containing a JPEG tag with a
value greater than 0xFF00 and a size smaller than 2.

2) An integer overflow error within the Picasa3.exe module when
parsing TIFF tags can be exploited to cause a heap-based buffer
overflow via e.g. a Canon RAW CR2 file containing a TIFF
StripByteCounts tag with an overly large value.

3) A boundary error within the Picasa3.exe module when parsing TIFF
tags can be exploited to cause a memory corruption via e.g. a
specially crafted KDC file with model set to "DSLR-A100" and
containing multiple sequences of 0x100 and 0x14A TAGs.

4) An error within the Picasa3.exe module when parsing RAW files can
be exploited to cause a stack-based buffer overflow via e.g. a
specially crafted KDC file with size exactly equal to 71 bytes.

Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
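
The length arithmetic behind items 1 and 2, shown unchecked and then
with the validation a parser needs. This is an added example, not code
from the advisory or from Picasa; the function names and the `remaining`
and `pad` parameters are assumptions, since the advisory does not say
where in Picasa3.exe the arithmetic occurs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not Picasa code. `remaining`, `pad` and all function
 * names are hypothetical. */

/* Unsafe: a JPEG segment length counts its own two bytes, so the payload is
 * seg_len - 2. For seg_len < 2 that is negative and becomes a huge size_t. */
size_t payload_len_unchecked(uint16_t seg_len)
{
    return (size_t)(seg_len - 2);
}

/* Hardened: reject lengths below 2 and payloads longer than the bytes that
 * remain in the input after the length field. */
bool payload_len_checked(uint16_t seg_len, size_t remaining, size_t *out)
{
    if (seg_len < 2 || (size_t)(seg_len - 2) > remaining)
        return false;
    *out = (size_t)(seg_len - 2);
    return true;
}

/* Unsafe: the 32-bit sum wraps when StripByteCounts is near UINT32_MAX,
 * so a buffer sized from it is far smaller than the data copied into it. */
uint32_t strip_alloc_unchecked(uint32_t strip_byte_counts, uint32_t pad)
{
    return strip_byte_counts + pad;
}

/* Hardened: the strip must lie inside the file and the sum must not wrap. */
bool strip_alloc_checked(uint32_t offset, uint32_t strip_byte_counts,
                         uint32_t pad, uint64_t file_size, uint32_t *out)
{
    if (offset > file_size || strip_byte_counts > file_size - offset)
        return false;
    if (strip_byte_counts > UINT32_MAX - pad)
        return false;
    *out = strip_byte_counts + pad;
    return true;
}

int main(void)
{
    printf("unchecked payload for length 1: %zu\n", payload_len_unchecked(1));
    printf("unchecked alloc: %u\n", (unsigned)strip_alloc_unchecked(0xFFFFFFF0u, 0x20u));
    return 0;
}
```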

======================================================================
4) Solution 

Update to version 3.9.0 Build 137.69.

======================================================================
5) Time Table 

07/11/2013 - Vendor notified of first vulnerability.
08/11/2013 - Vendor acknowledges report.
14/11/2013 - Vendor notified of second vulnerability.
15/11/2013 - Vendor acknowledges report.
20/11/2013 - Vendor states fixed release planned for
             15th December 2013.
20/11/2013 - Replied to the vendor concerning timeline.
25/11/2013 - Vendor notified of third vulnerability.
26/11/2013 - Vendor acknowledges report.
05/12/2013 - Vendor notified of fourth vulnerability.
06/12/2013 - Vendor acknowledges report.
11/12/2013 - Vendor requests CVE assignment from Secunia.
13/12/2013 - Vendor notified concerning assigned CVEs.
12/12/2013 - Vendor released fixed version.
20/12/2013 - Public disclosure.

======================================================================
6) Credits 

Discovered by Hossein Lotfi, Secunia Research.

======================================================================
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
the CVE-2013-5349 identifier for the first vulnerability, the
CVE-2013-5357 identifier for the second vulnerability, the
CVE-2013-5358 identifier for the third vulnerability, and the
CVE-2013-5359 identifier for the fourth vulnerability.
 
======================================================================
8) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals who are interested in or concerned about IT security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to help improve the
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

======================================================================
9) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2013-14/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================

