Bug 449073 (CVE-2008-2426)
| Summary: | CVE-2008-2426 imlib2: buffer overflows in PNM and XPM loaders | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> | ||||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | |||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | medium | ||||||||
| Version: | unspecified | CC: | andreas.bierfert, hdegoede, tsmetana | ||||||
| Target Milestone: | --- | Keywords: | Security | ||||||
| Target Release: | --- | ||||||||
| Hardware: | All | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2008-09-30 06:47:19 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
|
Description
Tomas Hoger
2008-05-30 09:06:50 UTC
Secunia advisory provides following solution: Fixed in the CVS repository. I fail to see any changes in imlib2 CVS repository: http://enlightenment.org/viewvc/e17/libs/imlib2/src/modules/loaders/ or am I looking into a wrong one? The PNM loader issue seems to be already addressed in the Fedora packages in the following patch: http://cvs.fedoraproject.org/viewcvs/rpms/imlib2/devel/imlib2-1.3.0-loader_overflows.patch?view=markup This was added as a fix for CVE-2006-4809 (PNM) and CVE-2006-480[678] (other loaders modified by the patch). Created attachment 307177 [details]
Patch for XPM loader from upstream CVS
Created attachment 307178 [details]
Patch for PNM loader from upstream CVS
I see that this has been fixed for F-8 - devel, and the fixed packages have been build by Tomas Smetana, Tomas a comment to this extend here would have been nice (as in saved me the time from looking into this). I see that you've also created updates for this in bodhi (good), but didn't mark them as security (bad) nor referenced this bug number (in which case a comment would have been added here, another way to notify others you are handling this and avoiding doublure of effort). I must agree with Hans here. Please make sure to submit security updates as 'security' and refer to the bug filed against 'Security Response' product. I've fixed update requests. Hm... Bodhi suggests to enter CVE numbers instead of bug numbers, so I entered those thinking "that's it"... Sorry for that. I'll keep it in mind for the next time. Bodhi should accept BZ ids or BZ aliases. We set CVE id as an alias for 'Security Response' bugs. However, the code for handling aliases correctly is not yet deployed as far as I know, so you may have got 'Internal server error' when submitting update. Btw, this likely affects imlib2-1.3.0 in EPEL5 and may affect imlib2-1.2.1 in EPEL4 as well. imlib2-1.4.0-7.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report. imlib2-1.4.0-7.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report. imlib2-1.3.0-4.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report. This issue was addressed in: Fedora: https://admin.fedoraproject.org/updates/F8/FEDORA-2008-4842 https://admin.fedoraproject.org/updates/F9/FEDORA-2008-4871 |