----------------------------------------------------------------------

A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI
has been released. The new version includes many new and advanced
features, which makes it even easier to stay patched.

Download and test it today:
https://psi.secunia.com/

Read more about this new version:
https://psi.secunia.com/?page=changelog

----------------------------------------------------------------------

TITLE:
Autonomy Keyview SDK Multiple Buffer Overflows

SECUNIA ADVISORY ID:
SA28209

VERIFY ADVISORY:
http://secunia.com/advisories/28209/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
>From remote

SOFTWARE:
Verity KeyView Viewer SDK 7.x
http://secunia.com/product/5570/
Verity KeyView Filter SDK 7.x
http://secunia.com/product/7990/
Verity KeyView Export SDK 7.x
http://secunia.com/product/7989/
Autonomy KeyView Export SDK 10.x
http://secunia.com/product/16574/
Autonomy KeyView Filter SDK 10.x
http://secunia.com/product/16576/
Autonomy KeyView Viewing SDK 10.x
http://secunia.com/product/16575/
Verity KeyView Export SDK 8.x
http://secunia.com/product/7997/
Verity KeyView Export SDK 9.x
http://secunia.com/product/7998/
Verity KeyView Filter SDK 8.x
http://secunia.com/product/7995/
Verity KeyView Filter SDK 9.x
http://secunia.com/product/7996/
Verity KeyView Viewer SDK 8.x
http://secunia.com/product/7992/
Verity KeyView Viewer SDK 9.x
http://secunia.com/product/7994/

DESCRIPTION:
Secunia Research has discovered multiple vulnerabilities in Autonomy
Keyview, which can be exploited by malicious people to compromise a
vulnerable system.

1) A boundary error within the HTML speed reader (htmsr.dll) when
handling links in e.g. the "background" attribute of <BODY> tags can
be exploited to cause a stack-based buffer overflow.

2) A boundary error within the HTML speed reader (htmsr.dll) when
handling e.g. the "src" attribute of <IMG> tags can be exploited to
cause a stack-based buffer overflow.

3) A boundary error within the HTML speed reader (htmsr.dll) when
handling large chunks of data inside an HTML document can be
exploited to cause a heap-based buffer overflow.

4) A boundary error within kvdocve.dll when processing overly long
paths can be exploited to cause a buffer overflow via e.g. an overly
long link inside the "src" attribute of an <IMG> tag within an HTML
document.

5) 21 boundary errors within the "Folio Flat File" speed reader
(foliosr.dll) when handling attribute values of a number of tags (eg.
DI, FD, FT, JD, JL, LE, OB, OD, OL, PN, PS, PW, RD, QL, or TS) can be
exploited to cause stack-based buffer overflows.

6) An unsafe call to "sscanf()" in the Applix Graphics reader
(kpagrdr.dll) when parsing the "ENCODING" attribute of the "*BEGIN"
tag can be exploited to cause a stack-based buffer overflow.

7) A boundary error in the Applix Graphics reader (kpagrdr.dll) when
parsing overly long tokens from the input file can be exploited to
cause a heap-based buffer overflow.
 
8) A boundary error in the Applix Graphics reader (kpagrdr.dll) when
parsing the initial "*BEGIN" tag can be exploited to cause
stack-based buffer overflow.

9) A logic error in the Applix Graphics reader (kpagrdr.dll) when
parsing long tokens can result in an infinite loop. Exploitation will
result in maximum CPU usage until an application-configured timeout
expires. In some cases memory usage will increase until the OS
terminates the process.

10) A boundary error in the EML reader (emlsr.dll) when parsing
certain headers ("To:", "Cc:", "Bcc:", "From:", "Date:", "Subject:",
"Priority:", "Importance:", and "X-MSMail-Priority:") in EML files
can be exploited to cause a heap-based buffer overflow via an overly
long string.

11) A boundary error in the EML reader (emlsr.dll) when encountering
the beginning of RFC2047 encoded-words in headers can be exploited to
cause a heap-based buffer overflow via an overly long string.

12) A boundary error in the EML reader (emlsr.dll) when parsing the
text string in RFC2047 encoded-words in headers can be exploited to
cause a heap-based buffer overflow via an overly long string.

13) A boundary error in the EML reader (emlsr.dll) when creating a
filename based on the subject in an EML file can be exploited to
cause a heap-based buffer overflow via an overly long string.

SOLUTION:
Update to version 10.4.0.0 or later.

PROVIDED AND/OR DISCOVERED BY:
1-4) Secunia Research
5-9) Dyon Balding, Secunia Research.
10-13) Carsten Eiram, Secunia Research.

ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2007-91/
http://secunia.com/secunia_research/2007-95/
http://secunia.com/secunia_research/2007-104/

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------

Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

----------------------------------------------------------------------