Integer Overflow Vulnerability in GNOME Project's G Structured File Library (libgsf)
CVE-2024-36474

7.8HIGH

Key Information:

Vendor: Gnome Project
Status: G Structured File Library (libgsf)
Vendor: CVE Published:; 3 October 2024

Summary

An integer overflow vulnerability exists in the Compound Document Binary File format parser of the GNOME Project G Structured File Library (libgsf) version v1.14.52. This vulnerability is triggered by processing specially crafted files, which can lead to an out-of-bounds index being used when accessing arrays. This scenario creates a pathway for potential arbitrary code execution. Attackers can exploit this flaw by providing crafted files, causing unintended consequences within the affected software.

Affected Version(s)

G Structured File Library (libgsf) 1.14.52

References

https://talosintelligence.com/vulnerability_reports/TALOS...

https://gitlab.gnome.org/GNOME/libgsf/-/issues/34

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Oct 3, 2024
Vulnerability Reserved
Aug 23, 2024

Credit

Discovered by a member of Cisco Talos.