Buffer overrun vulnerability when processing JPEG images in Crystal products

The information in the article refers to:
Crystal Reports 10
Crystal Enterprise 10

Applies to:
Reported version only

GDI+ JPEG vulnerability

Synopsis

Certain Crystal products contain a security vulnerability when processing Joint Photographic Experts Group (JPEG) image files.

The vulnerability is due to a Microsoft component (Gdiplus.dll) included with certain versions of Crystal Reports and Crystal Enterprise. Certain versions of this component could allow remote code execution resulting in an attacker gaining complete control of an affected system or computer.

For more information on the vulnerability, refer to Microsoft Security Bulletin MS04-028 on Microsoft's TechNet web site at:

http://www.microsoft.com/technet

Search for "Security Bulletin MS04-028"

Solution

Crystal products affected by this vulnerability include:

• Crystal Reports 10
• Crystal Enterprise 10
• Crystal Reports 9
• Crystal Enterprise 9

These products are bundled with a version of the Gdiplus.dll that is vulnerable to remote code execution. Gdiplus.dll is installed by the above Crystal products at these locations:

Version 10:
C:\Program Files\Common Files\Crystal Decisions\2.5\bin

Version 9:
C:\Program Files\Common Files\Crystal Decisions\2.0\bin

The copies at these locations are used only by Crystal Reports and Crystal Enterprise. Note that Security Updates for Microsoft operating systems and products will not update the copies at the above locations.
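Because the operating-system patch leaves these product-private copies untouched, an administrator needs a check that looks in the Crystal directories themselves. The script below is an added example, not part of the original article or a Business Objects tool: it scans the two install locations named above (plus any extra roots passed in, an assumed parameter) for Gdiplus.dll, reads each file's version resource, and flags copies older than 5.1.3102.1360, the build the Critical Update ships. The comparison uses the numeric version parts rather than the FileVersion string, because that string can carry a trailing build tag.

```powershell
# Added example (not from the original article): find Gdiplus.dll copies in the
# Crystal Decisions common-files directories and flag any older than the fixed
# build that the Critical Update installs.
# $ExtraRoots is an assumption of this script: additional directories to scan
# (for example, a custom install path or an unpacked ActiveXViewer.cab).
param(
    [string[]]$ExtraRoots = @()
)

# Fixed file version, taken from the article's list of update contents.
$FixedVersion = [version]'5.1.3102.1360'

# Install locations named in the article for version 10 and version 9 products.
$Roots = @(
    'C:\Program Files\Common Files\Crystal Decisions\2.5\bin',
    'C:\Program Files\Common Files\Crystal Decisions\2.0\bin'
) + $ExtraRoots

function Get-GdiplusStatus {
    param(
        [string[]]$Paths,
        [version]$Minimum
    )

    foreach ($root in $Paths) {
        # Skip roots that do not exist on this machine (e.g. version 9 only installed).
        if (-not (Test-Path -LiteralPath $root)) { continue }

        Get-ChildItem -LiteralPath $root -Filter 'Gdiplus.dll' -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $vi = $_.VersionInfo
                # Build a comparable System.Version from the four numeric parts.
                $fileVersion = New-Object System.Version -ArgumentList `
                    $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

                [pscustomobject]@{
                    Path       = $_.FullName
                    Version    = $fileVersion
                    Vulnerable = ($fileVersion -lt $Minimum)
                }
            }
    }
}

$results = @(Get-GdiplusStatus -Paths $Roots -Minimum $FixedVersion)

if ($results.Count -eq 0) {
    Write-Output "No Gdiplus.dll found under the scanned roots: $($Roots -join '; ')"
    exit 0
}

$results | Format-Table -AutoSize Path, Version, Vulnerable

$vulnerable = @($results | Where-Object { $_.Vulnerable })
if ($vulnerable.Count -gt 0) {
    Write-Warning "$($vulnerable.Count) Gdiplus.dll copy/copies below $FixedVersion; apply the Crystal Critical Update."
    exit 1
}

Write-Output "All Gdiplus.dll copies are at or above $FixedVersion."
exit 0
```

Run it as `.\Check-CrystalGdiplus.ps1` on each machine with Crystal Reports or Crystal Enterprise installed; a non-zero exit code means at least one vulnerable copy remains, which makes the script usable from a scheduled job or inventory tool. A filesystem scan cannot see the Gdiplus.dll packed inside ActiveXViewer.cab, so for deployments that redistribute the viewer cab, expand it first (for example with `expand.exe ActiveXViewer.cab -F:Gdiplus.dll <directory>`) and pass that directory through `-ExtraRoots`.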

Critical Updates are available for the above products as listed below. These updates provide an updated Gdiplus.dll and may also provide updates to other Crystal files. The files included in each update are listed below.


Crystal Reports 10 and Crystal Enterprise 10
----------------------------------------------------

For Crystal Reports 10 and Crystal Enterprise 10, the Critical Update for this issue is available at the following location:

ftp://ftp1.businessobjects.com/outgoing/ehf/CriticalUpdate/v10_gdiplus_critical_update.zip

Run the EXE file included in the ZIP file on all computers with Crystal Reports or Crystal Enterprise installed. The update only needs to be run once on computers with both products.

The update includes the following component versions:

Gdiplus.dll, version 5.1.3102.1360, dated 5/4/2004
ActiveXViewer.cab, dated 10/1/2004
Crviewer.dll, version 10.0.5.822, dated 10/1/2004
Crviewer.dep, dated 9/30/2004
Reportparameterdialog.dll, version 10.0.5.677, dated 10/1/2004
Sviewhlp.dll, version 10.0.5.822, dated 10/1/2004
Swebrs.dll, version 10.0.5.822, dated 10/1/2004

For runtime environments or third party applications that use the ActiveX viewer on computers where neither product is installed, download an updated copy of the ActiveXViewer.cab file here:

ftp://ftp1.businessobjects.com/outgoing/ehf/CriticalUpdate/ActiveXViewer_gdiplus_critical_update.zip

The ActiveXViewer.cab file for version 10 products includes a copy of the vulnerable Gdiplus.dll and requires updating.

Updated merge modules are also available that contain these updated files. Merge Modules can be found at:

http://support.businessobjects.com/mergemodules


Crystal Reports 9 and Crystal Enterprise 9
--------------------------------------------------

For Crystal Reports 9 and Crystal Enterprise 9, the Critical Update for this issue is available at the following location:

ftp://ftp1.businessobjects.com/outgoing/ehf/CriticalUpdate/v9_gdiplus_critical_update.zip

Run the EXE file included in the ZIP file on all computers with Crystal Reports or Crystal Enterprise installed. The update only needs to be run once on computers with both products.

The update includes the following components:

Gdiplus.dll, version 5.1.3102.1360, dated 5/4/2004

Updated merge modules are also available that contain an updated Gdiplus.dll. Merge Modules can be found at:

http://support.businessobjects.com/mergemodules


Category:

Report Designer

Subject:

Formatting

Topic:

OLE Objects/Pictures

Keywords:

CRITICAL UPDATE GDI+ JPEG IMAGES


Status:

Verified

Product:

Crystal Reports Advanced

Reported Version:

10.0.0.0 Crystal Reports Advanced Edition

Applies to:

Reported version only

Bit Version:

32 Bit



Article ID:
c2016358

Created:
2004/10/05

Published:
2004/10/06