======================================================================

        Secunia Research (now part of Flexera Software) 11/11/2015

       Google Picasa CAMF Section Integer Overflow Vulnerability

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9

======================================================================
1) Affected Software

* Google Picasa version 3.9.140 Build 239
* Google Picasa version 3.9.140 Build 248

NOTE: Prior versions may also be affected.

======================================================================
2) Severity

Rating: Highly critical
Impact: System Access
Where:  From remote

======================================================================
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Google Picasa,
which can be exploited by malicious people to compromise a user's
system.

The vulnerability is caused due to an integer overflow error when
processing the CAMF section in FOVb images and can be exploited to
cause a heap-based buffer overflow.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is confirmed in versions 3.9.140 Build 239 and
3.9.140 Build 248 running on Windows.

======================================================================
4) Solution

Update to version 3.9.140 Build 259.
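
Added example (not part of the original advisory and not Picasa's code): the bug class named in section 3, where a size computed from file-supplied fields wraps in 32-bit arithmetic and yields an undersized heap buffer, shown beside a checked computation. The header layout, field names and the 16-byte fixed overhead are hypothetical and do not describe the real CAMF format.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical section header; NOT the real CAMF layout. */
struct section_hdr {
    uint32_t count;      /* number of entries, read from the file */
    uint32_t entry_size; /* bytes per entry, read from the file */
};

#define FIXED_OVERHEAD 16u /* constructed value for illustration */

/* Flawed pattern: the product wraps modulo 2^32, so a buffer allocated
 * from this value is smaller than the data the parser later copies in. */
uint32_t alloc_size_unchecked(const struct section_hdr *h)
{
    return h->count * h->entry_size + FIXED_OVERHEAD;
}

/* Hardened: compute in 64 bits, reject anything that would have wrapped
 * in 32 bits or that claims more data than the file still contains.
 * Returns 0 and stores the size in *out on success, -1 on rejection. */
int alloc_size_checked(const struct section_hdr *h, size_t remaining,
                       size_t *out)
{
    uint64_t total;

    if (h->count == 0 || h->entry_size == 0)
        return -1;
    total = (uint64_t)h->count * h->entry_size + FIXED_OVERHEAD;
    if (total > UINT32_MAX)   /* 32-bit arithmetic would have wrapped */
        return -1;
    if (total > remaining)    /* section larger than the bytes present */
        return -1;
    *out = (size_t)total;
    return 0;
}

int main(void)
{
    struct section_hdr bad = { 0x40000001u, 4u }; /* constructed input */
    size_t sz = 0;

    printf("unchecked size: %u\n", (unsigned)alloc_size_unchecked(&bad));
    printf("checked result: %d\n", alloc_size_checked(&bad, 4096, &sz));
    return 0;
}
```
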

======================================================================
5) Time Table

04/08/2015 - Vendor notified of vulnerability.
04/08/2015 - Vendor acknowledges report.
10/08/2015 - Vendor requests PoC.
10/08/2015 - Provision of PoC.
19/08/2015 - Vendor acknowledges receipt.
08/09/2015 - Request of status update.
11/09/2015 - Vendor states fixed in code. ETA not yet available.
19/09/2015 - Vendor states update has been pushed.
25/09/2015 - Vendor notified of incomplete fix of other vulnerability
             and request status update for this vulnerability.
26/09/2015 - Vendor acknowledges receipt.
05/10/2015 - Request ETA of fix of other vulnerability. Vendor
             notified that due to public availability of improper
             fix of other vulnerability, an advisory release deadline
             on 09/10/2015 is established for the other
             vulnerability.
06/10/2015 - Vendor acknowledges and estimates 30/10/2015 release of
             fix.
06/10/2015 - Vendor notified that advisory deadline will still be
             applicable.
06/10/2015 - Vendor acknowledges and states to send notification once
             properly fixed.
09/10/2015 - Public disclosure of advisory with SAID SA59000.
12/10/2015 - Public disclosure of research advisory 2015-3.
29/10/2015 - Vendor states fixed status and fix had been verified.
30/10/2015 - Request version number of fix as change log updates and
             release notes updates are missing.
05/11/2015 - Vendor states fixed version.
11/11/2015 - Release of update of advisory with SAID SA59000 after
             verification of patched version.
11/11/2015 - Public disclosure of research advisory 2015-5.

======================================================================
6) Credits

Discovered by Hossein Lotfi, Secunia Research (now part of Flexera
Software).

======================================================================
7) References

Currently no CVE identifier is assigned.

======================================================================
8) About Secunia (now part of Flexera Software)

In September 2015, Secunia was acquired by Flexera Software:

https://secunia.com/blog/435/

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals who are interested in or concerned about IT security:

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to help improve the
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2015-05/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================