Bug 152776 - CAN-2004-0817,1025,1026 imlib heap overflow in BMP decoder
Status: CLOSED CANTFIX
Product: Fedora Legacy
Classification: Retired
Component: imlib
unspecified
All Linux
medium Severity medium
Assigned To: Fedora Legacy Bugs
http://bugzilla.gnome.org/show_bug.cg...
1, LEGACY, NEEDSWORK, QA, rh73, rh90,...
: Security
Reported: 2004-09-08 12:06 EDT by Marc Deslauriers
Modified: 2009-09-21 16:01 EDT
Doc Type: Bug Fix
Last Closed: 2008-11-08 16:27:00 EST


Description David Lawrence 2005-03-30 18:27:03 EST
A heap overflow issue has been discovered in the imlib BMP decoder. 
This issue deals with overflowing the color palette.

It may be possible for this overflow to allow an attacker to execute
malicious code.

http://securitytracker.com/alerts/2004/Aug/1011104.html
http://bugzilla.gnome.org/show_bug.cgi?id=151034
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=130909
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=130908



------- Additional Comments From dom@earth.li 2004-09-09 12:51:57 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Packages for QA at http://www-astro.physics.ox.ac.uk/~dom/legacy/SRPMS/
Patch https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=103392&action=view
applied in both cases.

Redhat 7.3:

e55dce93a6501bf31281a74a54b0bfbc1b5196b4  imlib-1.9.13-3.8.x.legacy.src.rpm

Redhat 9:

dba5425a4f2ab09d16e5d6bf4444276eee3d00e2  imlib-1.9.13-13.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBQN58YzuFKFF44qURAtinAJ9SbCoLjKwyT1m3b1YDKXyGtP1wPwCg9y3y
kSRpg1VfYxBLG4iQPsVlbNU=
=kN42
-----END PGP SIGNATURE-----




------- Additional Comments From michal@harddata.com 2004-09-09 14:10:58 ----

> 7.3 .... imlib-1.9.13-3.8.x.legacy.src.rpm

Numbering is somewhat unfortunate.  The original had 1.9.13-3.7.x version,
which means that packages were compiled for 7.x RH distros.  Therefore the
patched one should be 1.9.13-4.7.x.legacy, I would think.

I do not see binary packages (but the same patch indeed trivially applies
to everything from 7.1 up to FC2 :-).




------- Additional Comments From mule@umich.edu 2004-09-10 09:27:40 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
dba5425a4f2ab09d16e5d6bf4444276eee3d00e2  imlib-1.9.13-13.legacy.src.rpm
   
For Red Hat 9:
* checking spec file
 
Patch6: imlib-1.9.14-sec.patch
 
um, am I missing something here or is this patch not getting applied in the
spec file instructions...
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFBQf/VTsaUa9pp4VIRAk0vAJ9MiBWUjuqVbZmRnTnEm3sIImU2JQCfcmeh
OuwAVAS41I5sF7jbS26xtO8=
=4k89
-----END PGP SIGNATURE-----




------- Additional Comments From mule@umich.edu 2004-09-10 16:26:49 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
To clarify my comment in comment #3:
 
Comparing the last Red Hat spec file from source vs. from above:
  
#diff imlib.spec imlib.spec.rh90
7c7
< Release: 13.legacy
- - ---
> Release: 12
34d33
< Patch6: imlib-1.9.14-sec.patch
149,151d147
< * Thu Sep  9 2004 Dominic Hargreaves <dom@earth.li>
< - Fix for heap overflow in BMP decoder (CAN-2004-0817)
<
  
Shouldn't there be a directive:
  
%patch6 -p1 -b .sec
  
or something?
  
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFBQmH0TsaUa9pp4VIRAkG2AKDLML3fcvO1C0Yx2tOzLq2n6wJijQCgo2/e
J3IpxGtIQZryqZ7eP1IZojo=
=g9yp
-----END PGP SIGNATURE-----
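
The check asked about in the comment above, as an added example that is not part of the original thread: a shell function that lists every `PatchN:` tag in a spec file with no matching `%patchN` (or `%patch -P N`) directive. The spec fragment is constructed, `hypothetical-earlier.patch` is a made-up name, and specs that rely on `%autosetup` or `%autopatch` are out of scope.

```sh
#!/bin/sh
# unapplied_patches SPEC
# Prints "N file" for each PatchN: tag that no %patchN / %patch -P N applies.
unapplied_patches() {
    awk '
        # Declaration: "Patch6: imlib-1.9.14-sec.patch" (bare "Patch:" is 0)
        $1 ~ /^[Pp]atch[0-9]*:$/ {
            n = $1; sub(/^[Pp]atch/, "", n); sub(/:$/, "", n)
            declared[n + 0] = $2
        }
        # Application: "%patch6 -p1 -b .sec", "%patch -P 6 -p1" or "%patch -P6"
        $1 ~ /^%patch[0-9]*$/ {
            n = substr($1, 7)
            for (i = 2; i <= NF; i++) {
                if ($i == "-P") n = $(i + 1)
                else if ($i ~ /^-P[0-9]+$/) n = substr($i, 3)
            }
            applied[n + 0] = 1
        }
        END {
            for (n in declared)
                if (!(n in applied)) printf "%d %s\n", n, declared[n]
        }
    ' "$1" | sort -n
}

# Constructed spec fragment modelled on the Red Hat 9 package in this thread;
# Patch5 and its file name are hypothetical.
demo_spec() {
    cat <<'EOF'
Name: imlib
Release: 13.legacy
Patch5: hypothetical-earlier.patch
Patch6: imlib-1.9.14-sec.patch
%prep
%setup -q
%patch5 -p1 -b .earlier
EOF
}

tmp=$(mktemp)
demo_spec > "$tmp"
unapplied_patches "$tmp"    # prints: 6 imlib-1.9.14-sec.patch
rm -f "$tmp"
```

An empty result means every declared patch is applied; any output line is a patch that ships in the SRPM but never reaches the built binary.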



------- Additional Comments From dom@earth.li 2004-09-11 13:10:38 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sorry about that. Two new packages to fix the versioning and application of
the patch, respectively:

http://www-astro.physics.ox.ac.uk/~dom/legacy/SRPMS/

Redhat 7.3:
a3686c6bc893f90e1d06be919edc57e330efc091  imlib-1.9.13-4.7.x.legacy.src.rpm

Redhat 9:
d3dbec2708fb878f42e4158e9d5d0a4f132ebabf  imlib-1.9.13-14.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBQ4WeYzuFKFF44qURApWAAKDhrNDtqsZJwU+6fRDxGdTN8wfiNACfRogL
BvUkFjTJ9hI5VDdJWxQS1VQ=
=2Jek
-----END PGP SIGNATURE-----




------- Additional Comments From mule@umich.edu 2004-09-11 16:14:34 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
d3dbec2708fb878f42e4158e9d5d0a4f132ebabf  imlib-1.9.13-14.legacy.src.rpm
  
For Red Hat 9:
* Checked Patch imlib-1.9.14-sec.patch - OK
* Inspected Spec file - OK
* Build from Source - OK
* Install - OK
 
PUBLISH
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFBQ7DgTsaUa9pp4VIRAnUCAKDC6uATEvFiY5SbtzpYxj+csu6FIwCfbbQS
vF8jWTe3GEceLvGWrXXeD4I=
=gVoO
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers@videotron.ca 2004-09-12 15:01:17 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the 7.3 package:

a3686c6bc893f90e1d06be919edc57e330efc091  imlib-1.9.13-4.7.x.legacy.src.rpm

- - Source matches previous release
- - Patch looks good
- - Spec file looks good
- - Builds and installs OK

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBRPFyLMAs/0C4zNoRAuVLAKChgEwoTjH2PyxjZfBa6/RoOF9axwCfc3TX
CLpV4rTAea7cNGTbTHFKM2c=
=YJJk
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers@videotron.ca 2004-09-12 15:02:33 ----

Just a quick note on the rh9 build:

FC1 already has a package called imlib-1.9.13-14. Upgrades from rh9 to FC1 won't
work. I suggest calling it imlib-1.9.13-13.1.legacy.src.rpm.




------- Additional Comments From dom@earth.li 2004-09-12 15:07:52 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gah! Third time lucky...

http://www-astro.physics.ox.ac.uk/~dom/legacy/SRPMS/

829f02ed06fae36a91300efbf378f9af4051d93b  imlib-1.9.13-13.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBRPLJYzuFKFF44qURAo7QAJ9zbY5lykg0cjXpVscBnw0sowtv/QCgvIUz
AvvQp+mFccC+tPuapckXEvA=
=MsU9
-----END PGP SIGNATURE-----



------- Additional Comments From mule@umich.edu 2004-09-13 03:13:29 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
829f02ed06fae36a91300efbf378f9af4051d93b  imlib-1.9.13-13.1.legacy.src.rpm
 
For Red Hat 9:
* Checked spec file - OK
* Checked patch for CAN-2004-0817 - OK
* Build from source - OK
* Install - OK
 
PUBLISH
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFBRZzETsaUa9pp4VIRAgO/AJ0cCbGVhAe6ye63vw2viRZU27C6LgCfYigi
NcoARTheymA6uY3iTjbX/gk=
=vp0f
-----END PGP SIGNATURE-----



------- Additional Comments From peak@argo.troja.mff.cuni.cz 2004-09-16 07:23:18 ----

Created an attachment (id=845)
Imlib affected by a variant of CAN-2004-0782 too

I've discovered more vulnerabilities in Imlib (1.9.13). In particular, it
appears to be affected by a variant of Chris Evans' libXpm flaw #1
(CAN-2004-0782, see http://scary.beasts.org/security/CESA-2004-003.txt). Look
at the attached image, it kills ee on my 7.3.

Have a look at
http://www.troja.mff.cuni.cz/~peak/temp/imlib-1.9.13-4.7.x.legacy.src.rpm
This package (yes, I haven't increased the release number) includes a patch
fixing many additional vulnerabilities (both verified and potential) in Imlib
as well as a partial fix for world accessible shared memory segments (the other
part is in libgdk itself; I just can't believe this security hole has been
ignored for ages).




------- Additional Comments From marcdeslauriers@videotron.ca 2004-09-16 15:12:24 ----

I checked out Pavel's patches from his imlib:

eb341f7095d8a875f0b05089aa02ee28a835f2c1  imlib-1.9.13-4.7.x.legacy.src.rpm

The patches look good and important.
We now need new packages for 7.3 and 9 with his new patches.

Pavel - will the shared memory segments patch work without a new libgdk?



------- Additional Comments From peak@argo.troja.mff.cuni.cz 2004-09-16 21:02:25 ----

Yes, the XShm patch works without a new libgdk. Imlib and libgdk (1.2) are the
two independent instances of the same problem (world r/w shared memory
segments). Both of them should be fixed to get rid of the problem in Gtk
programs (well, libgdk fix is probably more important because gdk creates a
long-lived segment) but the fixes don't depend on each other.
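
One way to audit a host for the world-readable or world-writable shared memory segments described above, as an added example that is not part of the original thread or of the Imlib patch. It parses the `perms` column of `ipcs -m`; the sample rows, owners and ids are constructed.

```sh
#!/bin/sh
# world_shm: reads `ipcs -m` output on stdin and prints "shmid owner perms"
# for each segment whose mode grants read or write to "other".
world_shm() {
    awk '
        # Data rows start with a hex key; column 4 is the octal mode.
        $1 ~ /^0x[0-9a-fA-F]+$/ && $4 ~ /^[0-7]+$/ {
            other = substr($4, length($4), 1) + 0   # last digit: r=4 w=2 x=1
            if (other >= 2) print $2, $3, $4        # r or w set for other
        }
    '
}

# Constructed sample in the util-linux `ipcs -m` layout (not captured output).
sample_ipcs() {
    cat <<'EOF'

------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 98304      alice      777        393216     2          dest
0x00000000 98305      alice      600        393216     2          dest
0x00000000 131073     bob        666        196608     1
0x00000000 131074     bob        640        4096       0
EOF
}

sample_ipcs | world_shm
# On a live host: ipcs -m | world_shm
```

Segments created by a patched library should show mode 600 and therefore never appear in the output.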



------- Additional Comments From michal@harddata.com 2004-09-19 17:54:35 ----

Indeed, Pavel's patches look sane to me and so far operating with imlib
patched that way I did not run into any troubles.



------- Additional Comments From marcdeslauriers@videotron.ca 2004-09-26 05:58:38 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated imlib packages to QA for 7.3 and 9:

Changelog:
* Sun Sep 26 2004 Marc Deslauriers <marcdeslauriers@videotron.ca>
1:1.9.13-5.7.x.legacy
- - Added two security patches from Pavel Kankovsky:
  More buffer & arithmetic fixes (incl. a precursor for CAN-2004-0782).
  XSHM security

7.3:
32bc3d01f44e44fadd53a31f7637b6386ac73e27  imlib-1.9.13-5.7.x.legacy.i386.rpm
51fd1dd2e80eac52bdfbdd193a85bed7cd24a942  imlib-1.9.13-5.7.x.legacy.src.rpm
4264b7b24d38f214b13ca5558dccb13413b0b7aa  imlib-cfgeditor-1.9.13-5.7.x.legacy.i386.rpm
b9e3417425bcbbffc46389071dc39cfe6855dcc8  imlib-devel-1.9.13-5.7.x.legacy.i386.rpm

9:
ddaac9bb687e608852edcc7ddc1e786194dd3425  imlib-1.9.13-13.2.legacy.i386.rpm
884369338656bc92bbfa22de6e8348fdb447a673  imlib-1.9.13-13.2.legacy.src.rpm
4da5f3ec03fa870d32010ef9553e4da6b08be7e4  imlib-cfgeditor-1.9.13-13.2.legacy.i386.rpm
8b2e4513b1359712d46cec9b08572323170c49d2  imlib-devel-1.9.13-13.2.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/imlib-1.9.13-5.7.x.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/imlib-1.9.13-5.7.x.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/imlib-cfgeditor-1.9.13-5.7.x.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/imlib-devel-1.9.13-5.7.x.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/imlib-1.9.13-13.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/imlib-1.9.13-13.2.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/imlib-cfgeditor-1.9.13-13.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/imlib-devel-1.9.13-13.2.legacy.i386.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBVucYLMAs/0C4zNoRAtZvAKCS+9U/veB5BxX/RwzWWMABGOQiZgCfaq/U
I9DOE0D9LQ2EgigGTLTDaiU=
=y9Ov
-----END PGP SIGNATURE-----



------- Additional Comments From ckelley@ibnads.com 2004-10-21 11:55:41 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
51fd1dd2e80eac52bdfbdd193a85bed7cd24a942  imlib-1.9.13-5.7.x.legacy.src.rpm
 
 - imlib-1.9.13-sec2.patch is big, but has a lot of boundary checking
   code in it; looks good
 - imlib-1.9.14-sec.patch is also big, but is mostly width/height/bpp
   boundary checking
 - imlib-1.9.13-xshmsec.patch contains shm 0600 access limits and sets
   some secure socket options; looks good
 - source builds fine
 - built binaries fuzzily match redhat's imlib-1.9.13-3.7.x
 - ee and gqview seem to function fine after installing
 
PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFBeDBQyQ+yTHz+jJkRAncdAJsEdf4p3GYmsukEaLiIk2+uacvllACfSvdC
n2+ti7Y+rTZhO3Q2oFiNak4=
=tlxE
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers@videotron.ca 2004-11-20 06:03:41 ----

It seems Pavel's patches have been assigned CAN-2004-1025:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138516

Must add this CAN number to the release notes...



------- Additional Comments From jpdalbec@ysu.edu 2004-12-13 12:26:39 ----

Do the latest imlib packages fix this?

04.49.13 CVE: CAN-2004-1026, CAN-2004-1025
Platform: Unix
Title: imlib Multiple BMP Image Decoding Buffer Overflow
Vulnerabilities
Description: imlib is a graphic library. IMLib is vulnerable to
multiple buffer overflow vulnerabilities when handling malformed
bitmap images. imlib version 1.9.14 is known to be vulnerable.
Ref: http://www.gentoo.org/security/en/glsa/glsa-200412-03.xml 

(5) MODERATE: imlib Multiple Buffer Overflow Vulnerabilities
Affected:
imlib version 1.9.14 and prior

Description: imlib is an advanced image manipulation library that can
replace libXpm. The library is used by multiple Linux window managers.
This library contains buffer overflow vulnerabilities similar to the
ones found in libXpm. A malicious image may trigger the overflows, and
possibly execute arbitrary code on a client viewing the image via a
program linked against imlib. Proof-of-concepts exploits are publicly
available for the libXpm flaw.

Status: Various Linux vendors have released an update.

References:
Gentoo Advisory
http://www.gentoo.org/security/en/glsa/glsa-200412-03.xml  
libXpm Flaws
http://www.sans.org/newsletters/risk/vol3_37.php (Item #5)
imlib Details
http://enlightenment.org/pages/imlib.html  
SecurityFocus BID
http://www.securityfocus.com/bid/11830  





------- Additional Comments From jpdalbec@ysu.edu 2004-12-13 12:28:02 ----

Oops, this too, sorry:

04.49.14 CVE: Not Available
Platform: Unix
Title: imlib Multiple Remote Integer Overflow Vulnerabilities
Description: The imlib graphics library is reported to be vulnerable
to multiple remote integer overflow conditions. An attacker may
leverage this towards arbitrary code execution and privilege
escalation. All current versions are reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/11837/



------- Additional Comments From peak@argo.troja.mff.cuni.cz 2004-12-13 13:00:38 ----

1. The data in Bugtraq VulDB is, ehm, misleading.
2. Those bugs have been addressed by my patch (see comment #11).

BTW: Added CAN-2004-1026 as well. It appears bugs patched by my patch got two
CAN's: 1025 and 1026; they probably wanted to split XPM buffer overflows from
arithmetic overflows and things have got messed up badly. Sigh.



------- Additional Comments From pekkas@netcore.fi 2004-12-20 10:28:50 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for RHL9 SRPM against RHL's update from Dec 9 (imlib-1.9.13-13.4.src.rpm)
 - the sources match the originals
 - the patches have been renamed, and in one place diff segments are wrapped
   but they are OK.
 - one exception here is that RHEL3 does not include
   imlib-1.9.13-xshmsec.patch.

So, my question is: there apparently is no CAN corresponding to
imlib-1.9.13-xshmsec.patch, or did I miss something?  Has that bug been
publicly disclosed, reported to the authors and other distributions?

I'd prefer to see the others pick it up before going forward, even though it
looks sane.

Otherwise the RHL9 src.rpm looks good.

ALSO, while FC1 imlib update has fixed some flaws, it does not fix the
latter ones.  It seems we'll have to create packages for it as well?

884369338656bc92bbfa22de6e8348fdb447a673  imlib-1.9.13-13.2.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBxzXjGHbTkzxSL7QRAsUAAKDFomk9dM1mgs8dy6z1Dbj+DbMwhwCeN8j8
5yRg0UY0k+WryW99OwsHGQg=
=wRnu
-----END PGP SIGNATURE-----




------- Additional Comments From peak@argo.troja.mff.cuni.cz 2004-12-26 13:02:40 ----

> So, my question is: there apparently is no CAN
> corresponding to imlib-1.9.13-xshmsec.patch,
> or did I miss something?  Has that bug been
> publicly disclosed, reported to the authors
> and other distributions?

I admit I have not done all my homework, and have
not disclosed this problem to the public/other
distros yet. (It would be rather futile to attempt
to report it to the authors because Imlib is, afaict,
a dead project. :P)




------- Additional Comments From pekkas@netcore.fi 2005-01-03 22:30:39 ----

Could you send a note about this on bugtraq, or similar forum?  It would be nice
to see this picked up by other vendors as well before going forward.



------- Additional Comments From pekkas@netcore.fi 2005-02-26 01:15:41 ----

Ping to Pavel.. :-)



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:27 -------

This bug previously known as bug 2051 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2051
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
Imlib affected by a variant of CAN-2004-0782 too
https://bugzilla.fedora.us/attachment.cgi?action=view&id=845

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 Pekka Savola 2005-04-16 11:48:30 EDT
ping
Comment 2 Piotr Drąg 2008-11-08 16:27:00 EST
Closing Fedora Legacy bugs.
