Pavel Kankovsky of the Fedora Legacy project has reported multiple issues in imlib. This patch fixes a number of issues, the bulk of them being integer overflows. See bug 138516 for more information. I believe this issue also affects FC2 as well.
Built a package for these
Updates released for RH: http://www.linuxcompatible.org/RHSA-2004651-01_Updated_imlib_packages_fix_security_vulnerabilities_s38502.html No updates for FC3: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/i386/ FC4 includes fix. As this is quite old, leaving to Jonathan's decision if there will be any updates or just mark WONTFIX for FC3.
I mean Matthias, who is the bug owner.
The test pixmap from Bug #138516 crashes qiv (an imlib-based image viewer) on FC4 so it appears that Comment #2 is wrong about FC4 including a fix. Whilst FC4 is no longer maintained, I believe FC5 is still vulnerable (I don't have an FC5 box to test this). For FC6 onwards, imlib moved to Extras, where this issue is recorded in Bug #235416.
Fix is included in current Fedora imlib packages: * Tue Apr 10 2007 Paul Howarth <paul> 1:1.9.15-2 - add patch for CVE-2004-1025, CVE-2004-1026 (integer/buffer overflows) (#235416) Fedora Core 5 is no longer maintained. Closing this bug.