lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 16 Sep 2004 08:30:59 -0700
From: sheep explode <sheep.explode@...il.com>
To: Polazzo Justin <justin.polazzo@...ilities.gatech.edu>
Cc: "Nick D." <ndebaggis@...izon.net>, bugtraq@...urityfocus.com
Subject: Re: Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow


According to the information I have from MSFT.  You do not need to
replace all instances of gdiplus.dll on a system and they actually
recommend that you not do this.  some instances of gdipluss.dll are
not affected by this, It will depend on the application and they way
it uses gdiplus.dll.

According to the notes in the article for MS04-028 if you have Windows
XP or Windows 2003 and you have IE6 SP1 installed or Producer for
PowerPoint (all versions) you do not have to apply those two patches,
the app uses the gdiplus.dll that is patched with the OS patch.  This
is not true of any other OS's to my knowledge.  See the notes from the
KB article below

Re: Producer
"Note This update is not required if you are using these programs on
Windows XP. When these programs are installed on Windows XP or Windows
XP Service Pack 1 they use the operating system version of the
vulnerable component. If you are using these programs on Windows XP or
Windows XP Service Pack 1 make sure that you install the operating
system security update. If you are using these programs on Windows
2000 make sure that you install the update for these programs. These
programs are not supported on Windows Server 2003. However, if they
were installed on Windows Server 2003, they would also use the
operating system version of the vulnerable component. If you are using
these programs on Windows Server 2003 make sure that you install the
Windows Server 2003 security update."

Re: IE6 SP1
"Note This update is not required if you are using this program on
Windows XP or Windows Sever 2003. When this program is installed on
Windows XP, Windows XP Service Pack 1, or Windows Server 2003, it uses
the operating system version of the vulnerable component. If you use
this program on Windows XP, Windows XP Service Pack 1, or Windows
Server 2003, make sure that you install the operating system version
of the security update. If you use this program on other operating
systems, make sure that you install the update for this program.
Windows XP Service Pack 2 includes Internet Explorer 6 Service Pack 2
and is not vulnerable to this issue."

So in your instance you will need to apply the patch for IE6 SP1, and
Visio (depending on the version), Windows 2000 with SP3/4 is not
affected by this and does not have a patch.

If you really want to replace all instances of gdipluss.dll or get the
versions of any dll you could write a VBScript that uses WMI to do
that, it may have problems trying to replace the file if the dll is in
use.  Your apps may not work either after this.  If you do that I
would reccomend making a backup of them and then replacing them.

http://www.microsoft.com/technet/scriptcenter/default.mspx

Lastly, there is no all-in-one patch, MSFT said that this would create
a package that was too large for people to download.  I am not sure
why they didn't do this,  I don't think it has anything to do with the
size, but I can only speculate.

Here is a list of affected applications that is a little easier to
read than the KB article:
http://securityresponse.symantec.com/avcenter/security/Content/11173.html

Hope that helps.

-SE

On Wed, 15 Sep 2004 11:23:42 -0400, Polazzo Justin
<justin.polazzo@...ilities.gatech.edu> wrote:
>  I am trying to distribute the patch via patch management software, the
> problem is, Do I replace all incarnations if gdiplus.dll?
> 
> If I have a win2k box running IE6 sp1, I install the IE6 patch. Visio, and it there is a patch for Dreamweaver and AutoCad apply those, they will be from the companies that build them, not MS.
> 
> Fine, I can handle that, but what about my win2k boxes running AutoCAD
> 2004, Visio, IE6 and Dreamweaver? (all have gdiplus.dll, not sure which
> ones need updating, but since the app versions of the dll are 5.1.3097.3
> (.net) and 5.1.3097 (ACAD) and the ms replacement dll's are 5.1.3102 I
> am assuming yes)
> 
> Is the package I should write is <script that looks for the DLL version
> X and above, then replaces it with version Y> Would I use the SDK dll
> for these other apps? Anyone know how to query for a dll version?
> 
> Suggestions responses, and posting this will be greatly appreciated!!
> 
> JP
> 
> Ps: ARRRgh!!
> 
> P.p.s: Am I missing the all in one patch? Is the GDI+ Detection Tool
> available as download? Will the GDI detection tool search through non-ms
> sw?
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ