Red Hat Bugzilla – Bug 134631
CAN-2004-0687 libxpm flaws affect OpenMotif (CAN-2004-0688, CAN-2004-0914)
Last modified: 2008-01-28 11:07:14 EST
During a source code audit, Chris Evans discovered several stack
overflow flaws and an integer overflow flaw in the libXpm library used
to decode XPM (X PixMap) images. A vulnerable version of this library
was found within OpenMotif. An attacker could create a carefully crafted
XPM file which would cause an application to crash or potentially
execute arbitrary code if opened by a victim. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
names CAN-2004-0687 and CAN-2004-0688 to these issues.
Thomas Woerner discovered that OpenMotif had embedded an old libxpm
library that is vulnerable to these issues.
CAN-2004-0687/8 Affects: 2.1AS 2.1ES 2.1WS 2.1AW
CAN-2004-0687/8 Affects: 3AS 3WS 3ES 3Desktop
CAN-2004-0687/8 Affects: FC2
Updated packages that correct these issues are in creation; for
future distributions, openmotif will be modified to use the system libxpm.
In addition, extra issues were discovered and assigned CAN-2004-0914,
which became public on Nov 17.