Bug 584885 (CVE-2010-0991)

Summary: CVE-2010-0991 imlib2: multiple heap-based buffer overflows
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Reporter: Vincent Danen <vdanen>
Assignee: Red Hat Product Security <security-response-team>
CC: andreas.bierfert, tsmetana
Doc Type: Bug Fix
Last Closed: 2010-04-27 22:43:06 UTC

Description Vincent Danen 2010-04-22 16:13:11 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-0991 to
the following vulnerability:

Name: CVE-2010-0991
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0991
Assigned: 20100318
Reference: BUGTRAQ:20100421 Secunia Research: imlib2 "IMAGE_DIMENSIONS_OK()" Logic Error
Reference: URL: http://www.securityfocus.com/archive/1/archive/1/510866/100/0/threaded
Reference: MISC: http://secunia.com/secunia_research/2010-54/
Reference: SECUNIA:39354
Reference: URL: http://secunia.com/advisories/39354
Reference: VUPEN:ADV-2010-0959
Reference: URL: http://www.vupen.com/english/advisories/2010/0959

Multiple heap-based buffer overflows in imlib2 1.4.3 allow
context-dependent attackers to execute arbitrary code via a crafted
(1) ARGB, (2) XPM, or (3) BMP file, related to the IMAGE_DIMENSIONS_OK
macro in lib/image.h.


NOTE: We currently ship imlib2 1.4.2 in Fedora (to rawhide) and the advisory noted in the SecurityFocus archives indicates that _only_ 1.4.3 is affected, not previous versions (verified by checking our imlib2 source; there is no IMAGE_DIMENSIONS_OK() macro).  However, 1.4.3 is the current version available for download, so this is to ensure that if imlib2 does get updated to 1.4.3, it includes a fix, or we skip it and wait for 1.4.4 to be released.  The advisory also indicates this is fixed in upstream svn:

Index: image.h
===================================================================
--- image.h     (revision 43242)
+++ image.h     (revision 47825)
@@ -190,6 +190,6 @@
 
 # define IMAGE_DIMENSIONS_OK(w, h) \
    ( ((w) > 0) && ((h) > 0) && \
-     ((unsigned long long)(w) * (unsigned long long)(w) <= (1ULL << 29) - 1) )
+     ((unsigned long long)(w) * (unsigned long long)(h) <= (1ULL << 29) - 1) )
 
 #endif
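Review bot: the bound `(1ULL << 29) - 1` in the corrected macro is left unexplained; add a comment in the hunk stating what it guarantees (that the pixel count w*h stays below 2^29, so a byte size derived from it cannot overflow a 32-bit int), so the next edit does not reintroduce the w*w typo this hunk fixes. Also, both macro arguments are expanded more than once (`((w) > 0)` and again inside the product), so callers must not pass expressions with side effects; a static inline function taking two ints would remove that hazard and make a w-for-h mix-up harder to type.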

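As an added example (not code from this bug, the advisory or imlib2 itself), the buggy and corrected forms of IMAGE_DIMENSIONS_OK() side by side, with a constructed dimension pair showing why the w*w typo matters: a 1-pixel-wide, very tall image passes the original check while far exceeding the intended pixel budget. The 4 bytes-per-pixel figure and the 32-bit size computation that wraps are assumptions about how a loader would use the dimensions, not something this page shows.

```c
#include <stdint.h>
#include <stdio.h>

/* Macro as shipped in imlib2 1.4.3 (lib/image.h before r47825): the
 * product multiplies width by itself, so height is never bounded. */
#define IMAGE_DIMENSIONS_OK_BUGGY(w, h) \
   ( ((w) > 0) && ((h) > 0) && \
     ((unsigned long long)(w) * (unsigned long long)(w) <= (1ULL << 29) - 1) )

/* Corrected macro (r47825): bound the pixel count w*h. */
#define IMAGE_DIMENSIONS_OK_FIXED(w, h) \
   ( ((w) > 0) && ((h) > 0) && \
     ((unsigned long long)(w) * (unsigned long long)(h) <= (1ULL << 29) - 1) )

/* Assumption for the size arithmetic below: 32-bit ARGB pixels. */
#define BYTES_PER_PIXEL 4ULL

int buggy_accepts(int w, int h) { return IMAGE_DIMENSIONS_OK_BUGGY(w, h) ? 1 : 0; }
int fixed_accepts(int w, int h) { return IMAGE_DIMENSIONS_OK_FIXED(w, h) ? 1 : 0; }

/* True for a pair the buggy macro lets through but the fixed one rejects. */
int bypasses_check(int w, int h)
{
    return buggy_accepts(w, h) && !fixed_accepts(w, h);
}

/* Bytes really needed for the pixel buffer, computed without overflow. */
unsigned long long pixel_bytes(int w, int h)
{
    return (unsigned long long)w * (unsigned long long)h * BYTES_PER_PIXEL;
}

/* The same size as a loader doing 32-bit arithmetic would compute it
 * (illustrative; this page does not show imlib2's loader code). Once the
 * dimension check lets w*h past 2^29, this value can wrap to something
 * tiny: a small heap allocation followed by writes of w*h pixels. */
uint32_t pixel_bytes_u32(int w, int h)
{
    return (uint32_t)w * (uint32_t)h * (uint32_t)BYTES_PER_PIXEL;
}

int main(void)
{
    /* Constructed header values: 1 pixel wide, 2^30 + 1 pixels tall. */
    int w = 1, h = (1 << 30) + 1;

    printf("%dx%d: buggy=%d fixed=%d\n", w, h,
           buggy_accepts(w, h), fixed_accepts(w, h));
    printf("  real size  : %llu bytes\n", pixel_bytes(w, h));
    printf("  32-bit size: %u bytes\n", (unsigned)pixel_bytes_u32(w, h));

    /* An ordinary image is accepted by both forms. */
    printf("1024x768: buggy=%d fixed=%d\n",
           buggy_accepts(1024, 768), fixed_accepts(1024, 768));
    return 0;
}
```

The buggy macro only ever constrains the width, so any height that fits in an int is accepted; with width 1 the real buffer is about 4 GiB while a 32-bit size computation yields 4 bytes. The corrected macro rejects the same pair because 1 * (2^30 + 1) exceeds 2^29 - 1.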
Comment 1 Vincent Danen 2010-04-27 22:43:06 UTC
I see new 1.4.3 builds in koji that include the patch.  Thank you for including the patch!

http://koji.fedoraproject.org/koji/buildinfo?buildID=168404
http://koji.fedoraproject.org/koji/buildinfo?buildID=168405

So the 1.4.3 builds in Fedora 13 and rawhide contain the patch to correct this flaw.