A heap overflow issue has been discovered in the imlib BMP decoder. This issue deals with overflowing the color palette. It may be possible for this overflow to allow an attacker to execute malicious code.

http://securitytracker.com/alerts/2004/Aug/1011104.html
http://bugzilla.gnome.org/show_bug.cgi?id=151034
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=130909
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=130908

------- Additional Comments From dom 2004-09-09 12:51:57 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Packages for QA at http://www-astro.physics.ox.ac.uk/~dom/legacy/SRPMS/

Patch https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=103392&action=view applied in both cases.

Redhat 7.3:
e55dce93a6501bf31281a74a54b0bfbc1b5196b4  imlib-1.9.13-3.8.x.legacy.src.rpm

Redhat 9:
dba5425a4f2ab09d16e5d6bf4444276eee3d00e2  imlib-1.9.13-13.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBQN58YzuFKFF44qURAtinAJ9SbCoLjKwyT1m3b1YDKXyGtP1wPwCg9y3y
kSRpg1VfYxBLG4iQPsVlbNU=
=kN42
-----END PGP SIGNATURE-----

------- Additional Comments From michal 2004-09-09 14:10:58 ----

> 7.3 .... imlib-1.9.13-3.8.x.legacy.src.rpm

Numbering is somewhat unfortunate. The original had 1.9.13-3.7.x version, which means that packages were compiled for 7.x RH distros. Therefore the patched one should be 1.9.13-4.7.x.legacy, I would think.

I do not see binary packages (but the same patch indeed trivially applies to everything from 7.1 up to FC2 :-).

------- Additional Comments From mule 2004-09-10 09:27:40 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

dba5425a4f2ab09d16e5d6bf4444276eee3d00e2  imlib-1.9.13-13.legacy.src.rpm

For Red Hat 9:
* checking spec file
  Patch6: imlib-1.9.14-sec.patch

um, am I missing something here or is this patch not getting applied in the spec file instructions...

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFBQf/VTsaUa9pp4VIRAk0vAJ9MiBWUjuqVbZmRnTnEm3sIImU2JQCfcmeh
OuwAVAS41I5sF7jbS26xtO8=
=4k89
-----END PGP SIGNATURE-----

------- Additional Comments From mule 2004-09-10 16:26:49 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

To clarify my comment in comment #3:

Comparing the last Red Hat spec file from source vs. from above:

#diff imlib.spec imlib.spec.rh90
7c7
< Release: 13.legacy
---
> Release: 12
34d33
< Patch6: imlib-1.9.14-sec.patch
149,151d147
< * Thu Sep 9 2004 Dominic Hargreaves <dom>
< - Fix for heap overflow in BMP decoder (CAN-2004-0817)
<

Shouldn't there be a directive:

%patch6 -p1 -b .sec

or something?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFBQmH0TsaUa9pp4VIRAkG2AKDLML3fcvO1C0Yx2tOzLq2n6wJijQCgo2/e
J3IpxGtIQZryqZ7eP1IZojo=
=g9yp
-----END PGP SIGNATURE-----

------- Additional Comments From dom 2004-09-11 13:10:38 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sorry about that.

Two new packages to fix the versioning and application of the patch, respectively:

http://www-astro.physics.ox.ac.uk/~dom/legacy/SRPMS/

Redhat 7.3:
a3686c6bc893f90e1d06be919edc57e330efc091  imlib-1.9.13-4.7.x.legacy.src.rpm

Redhat 9:
d3dbec2708fb878f42e4158e9d5d0a4f132ebabf  imlib-1.9.13-14.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBQ4WeYzuFKFF44qURApWAAKDhrNDtqsZJwU+6fRDxGdTN8wfiNACfRogL
BvUkFjTJ9hI5VDdJWxQS1VQ=
=2Jek
-----END PGP SIGNATURE-----

------- Additional Comments From mule 2004-09-11 16:14:34 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

d3dbec2708fb878f42e4158e9d5d0a4f132ebabf  imlib-1.9.13-14.legacy.src.rpm

For Red Hat 9:
* Checked Patch imlib-1.9.14-sec.patch - OK
* Inspected Spec file - OK
* Build from Source - OK
* Install - OK

PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFBQ7DgTsaUa9pp4VIRAnUCAKDC6uATEvFiY5SbtzpYxj+csu6FIwCfbbQS
vF8jWTe3GEceLvGWrXXeD4I=
=gVoO
-----END PGP SIGNATURE-----

------- Additional Comments From marcdeslauriers 2004-09-12 15:01:17 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the 7.3 package:

a3686c6bc893f90e1d06be919edc57e330efc091  imlib-1.9.13-4.7.x.legacy.src.rpm

- Source matches previous release
- Patch looks good
- Spec file looks good
- Builds and installs OK

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBRPFyLMAs/0C4zNoRAuVLAKChgEwoTjH2PyxjZfBa6/RoOF9axwCfc3TX
CLpV4rTAea7cNGTbTHFKM2c=
=YJJk
-----END PGP SIGNATURE-----

------- Additional Comments From marcdeslauriers 2004-09-12 15:02:33 ----

Just a quick note on the rh9 build:

FC1 already has a package called imlib-1.9.13-14. Upgrades from rh9 to FC1 won't work.

I suggest calling it imlib-1.9.13-13.1.legacy.src.rpm.

------- Additional Comments From dom 2004-09-12 15:07:52 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gah! Third time lucky...

http://www-astro.physics.ox.ac.uk/~dom/legacy/SRPMS/

829f02ed06fae36a91300efbf378f9af4051d93b  imlib-1.9.13-13.1.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBRPLJYzuFKFF44qURAo7QAJ9zbY5lykg0cjXpVscBnw0sowtv/QCgvIUz
AvvQp+mFccC+tPuapckXEvA=
=MsU9
-----END PGP SIGNATURE-----

------- Additional Comments From mule 2004-09-13 03:13:29 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

829f02ed06fae36a91300efbf378f9af4051d93b  imlib-1.9.13-13.1.legacy.src.rpm

For Red Hat 9:
* Checked spec file - OK
* Checked patch for CAN-2004-0817 - OK
* Build from source - OK
* Install - OK

PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFBRZzETsaUa9pp4VIRAgO/AJ0cCbGVhAe6ye63vw2viRZU27C6LgCfYigi
NcoARTheymA6uY3iTjbX/gk=
=vp0f
-----END PGP SIGNATURE-----

------- Additional Comments From peak.mff.cuni.cz 2004-09-16 07:23:18 ----

Created an attachment (id=845)
Imlib affected by a variant of CAN-2004-0782 too

I've discovered more vulnerabilities in Imlib (1.9.13). In particular, it appears to be affected by a variant of Chris Evans' libXpm flaw #1 (CAN-2004-0782, see http://scary.beasts.org/security/CESA-2004-003.txt). Look at the attached image, it kills ee on my 7.3.

Have a look at http://www.troja.mff.cuni.cz/~peak/temp/imlib-1.9.13-4.7.x.legacy.src.rpm

This package (yes, I haven't increased the release number) includes a patch fixing many additional vulnerabilities (both verified and potential) in Imlib as well as a partial fix for world accessible shared memory segments (the other part is in libgdk itself; I just can't believe this security hole has been ignored for ages).

------- Additional Comments From marcdeslauriers 2004-09-16 15:12:24 ----

I checked out Pavel's patches from his imlib:

eb341f7095d8a875f0b05089aa02ee28a835f2c1  imlib-1.9.13-4.7.x.legacy.src.rpm

The patches look good and important. We now need new packages for 7.3 and 9 with his new patches.

Pavel - will the shared memory segments patch work without a new libgdk?

------- Additional Comments From peak.mff.cuni.cz 2004-09-16 21:02:25 ----

Yes, the XShm patch works without a new libgdk. Imlib and libgdk (1.2) are the two independent instances of the same problem (world r/w shared memory segments). Both of them should be fixed to get rid of the problem in Gtk programs (well, libgdk fix is probably more important because gdk creates a long-lived segment) but the fixes don't depend on each other.

------- Additional Comments From michal 2004-09-19 17:54:35 ----

Indeed, Pavel's patches look sane to me and so far operating with imlib patched that way I did not run into any troubles.

------- Additional Comments From marcdeslauriers 2004-09-26 05:58:38 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated imlib packages to QA for 7.3 and 9:

Changelog:
* Sun Sep 26 2004 Marc Deslauriers <marcdeslauriers> 1:1.9.13-5.7.x.legacy
- Added two security patches from Pavel Kankovsky:
  More buffer & arithmetic fixes (incl. a precursor for CAN-2004-0782).
  XSHM security

7.3:
32bc3d01f44e44fadd53a31f7637b6386ac73e27  imlib-1.9.13-5.7.x.legacy.i386.rpm
51fd1dd2e80eac52bdfbdd193a85bed7cd24a942  imlib-1.9.13-5.7.x.legacy.src.rpm
4264b7b24d38f214b13ca5558dccb13413b0b7aa  imlib-cfgeditor-1.9.13-5.7.x.legacy.i386.rpm
b9e3417425bcbbffc46389071dc39cfe6855dcc8  imlib-devel-1.9.13-5.7.x.legacy.i386.rpm

9:
ddaac9bb687e608852edcc7ddc1e786194dd3425  imlib-1.9.13-13.2.legacy.i386.rpm
884369338656bc92bbfa22de6e8348fdb447a673  imlib-1.9.13-13.2.legacy.src.rpm
4da5f3ec03fa870d32010ef9553e4da6b08be7e4  imlib-cfgeditor-1.9.13-13.2.legacy.i386.rpm
8b2e4513b1359712d46cec9b08572323170c49d2  imlib-devel-1.9.13-13.2.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/imlib-1.9.13-5.7.x.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/imlib-1.9.13-5.7.x.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/imlib-cfgeditor-1.9.13-5.7.x.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/imlib-devel-1.9.13-5.7.x.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/imlib-1.9.13-13.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/imlib-1.9.13-13.2.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/imlib-cfgeditor-1.9.13-13.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/imlib-devel-1.9.13-13.2.legacy.i386.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBVucYLMAs/0C4zNoRAtZvAKCS+9U/veB5BxX/RwzWWMABGOQiZgCfaq/U
I9DOE0D9LQ2EgigGTLTDaiU=
=y9Ov
-----END PGP SIGNATURE-----

------- Additional Comments From ckelley 2004-10-21 11:55:41 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

51fd1dd2e80eac52bdfbdd193a85bed7cd24a942  imlib-1.9.13-5.7.x.legacy.src.rpm

- imlib-1.9.13-sec2.patch is big, but has a lot of boundary checking code in it; looks good
- imlib-1.9.14-sec.patch is also big, but is mostly width/height/bpp boundary checking
- imlib-1.9.13-xshmsec.patch contains shm 0600 access limits and sets some secure socket options; looks good
- source builds fine
- built binaries fuzzily match redhat's imlib-1.9.13-3.7.x
- ee and gqview seem to function fine after installing

PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBeDBQyQ+yTHz+jJkRAncdAJsEdf4p3GYmsukEaLiIk2+uacvllACfSvdC
n2+ti7Y+rTZhO3Q2oFiNak4=
=tlxE
-----END PGP SIGNATURE-----

------- Additional Comments From marcdeslauriers 2004-11-20 06:03:41 ----

It seems Pavel's patches have been assigned CAN-2004-1025:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138516

Must add this CAN number to the release notes...

------- Additional Comments From jpdalbec 2004-12-13 12:26:39 ----

Do the latest imlib packages fix this?

04.49.13 CVE: CAN-2004-1026, CAN-2004-1025
Platform: Unix
Title: imlib Multiple BMP Image Decoding Buffer Overflow Vulnerabilities
Description: imlib is a graphic library. IMLib is vulnerable to multiple buffer overflow vulnerabilities when handling malformed bitmap images. imlib version 1.9.14 is known to be vulnerable.
Ref: http://www.gentoo.org/security/en/glsa/glsa-200412-03.xml

(5) MODERATE: imlib Multiple Buffer Overflow Vulnerabilities
Affected: imlib version 1.9.14 and prior
Description: imlib is an advanced image manipulation library that can replace libXpm. The library is used by multiple Linux window managers. This library contains buffer overflow vulnerabilities similar to the ones found in libXpm. A malicious image may trigger the overflows, and possibly execute arbitrary code on a client viewing the image via a program linked against imlib. Proof-of-concept exploits are publicly available for the libXpm flaw.
Status: Various Linux vendors have released an update.
References:
Gentoo Advisory
http://www.gentoo.org/security/en/glsa/glsa-200412-03.xml
libXpm Flaws
http://www.sans.org/newsletters/risk/vol3_37.php (Item #5)
imlib Details
http://enlightenment.org/pages/imlib.html
SecurityFocus BID
http://www.securityfocus.com/bid/11830

------- Additional Comments From jpdalbec 2004-12-13 12:28:02 ----

Oops, this too, sorry:

04.49.14 CVE: Not Available
Platform: Unix
Title: imlib Multiple Remote Integer Overflow Vulnerabilities
Description: The imlib graphics library is reported to be vulnerable to multiple remote integer overflow conditions. An attacker may leverage this towards arbitrary code execution and privilege escalation. All current versions are reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/11837/

------- Additional Comments From peak.mff.cuni.cz 2004-12-13 13:00:38 ----

1. The data in Bugtraq VulDB is, ehm, misleading.
2. Those bugs have been addressed by my patch (see comment #11).

BTW: Added CAN-2004-1026 as well. It appears bugs patched by my patch got two CANs: 1025 and 1026; they probably wanted to split XPM buffer overflows from arithmetic overflows and things have got messed up badly. Sigh.

------- Additional Comments From pekkas 2004-12-20 10:28:50 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for RHL9 SRPM against RHL's update from Dec 9 (imlib-1.9.13-13.4.src.rpm)

- the sources match the originals
- the patches have been renamed, and in one place diff segments are wrapped but they are OK.
- one exception here is that RHEL3 does not include imlib-1.9.13-xshmsec.patch.

So, my question is: there apparently is no CAN corresponding to imlib-1.9.13-xshmsec.patch, or did I miss something? Has that bug been publicly disclosed, reported to the authors and other distributions? I'd prefer to see the others pick it up before going forward, even though it looks sane.

Otherwise the RHL9 src.rpm looks good.

ALSO, while FC1 imlib update has fixed some flaws, it does not fix the latter ones. It seems we'll have to create packages for it as well?

884369338656bc92bbfa22de6e8348fdb447a673  imlib-1.9.13-13.2.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBxzXjGHbTkzxSL7QRAsUAAKDFomk9dM1mgs8dy6z1Dbj+DbMwhwCeN8j8
5yRg0UY0k+WryW99OwsHGQg=
=wRnu
-----END PGP SIGNATURE-----

------- Additional Comments From peak.mff.cuni.cz 2004-12-26 13:02:40 ----

> So, my question is: there apparently is no CAN
> corresponding to imlib-1.9.13-xshmsec.patch,
> or did I miss something? Has that bug been
> publicly disclosed, reported to the authors
> and other distributions?

I admit I have not done all my homework, and have not disclosed this problem to the public/other distros yet. (It would be rather futile to attempt to report it to the authors because Imlib is, afaict, a dead project. :P)

------- Additional Comments From pekkas 2005-01-03 22:30:39 ----

Could you send a note about this on bugtraq, or similar forum? It would be nice to see this picked up by other vendors as well before going forward.

------- Additional Comments From pekkas 2005-02-26 01:15:41 ----

Ping to Pavel.. :-)

------- Bug moved to this database by dkl 2005-03-30 18:27 -------

This bug previously known as bug 2051 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2051
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
Imlib affected by a variant of CAN-2004-0782 too
https://bugzilla.fedora.us/attachment.cgi?action=view&id=845

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.
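The opening report and the CAN-2004-1025/1026 advisories quoted above describe the bug class (a BMP header that declares more palette entries than the decoder's fixed table holds) but not the check that closes it. The following is an added illustration written for this page; it is not imlib code and not any of the patches discussed in the thread. It uses only the standard BITMAPFILEHEADER (14 bytes) and BITMAPINFOHEADER (40 bytes) layout; the function names and the sample headers are constructed. It shows the unchecked palette count an old decoder derives beside a reader that bounds both the write into the table and the read from the file.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the BMP palette bug class; not imlib code. */
#define BMP_FILE_HDR 14
#define BMP_INFO_HDR 40
#define BMP_HDR_LEN  (BMP_FILE_HDR + BMP_INFO_HDR)
#define MAX_PALETTE  256      /* fixed-size table an indexed-colour decoder keeps */

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Palette size as an unchecked decoder derives it: biClrUsed if non-zero,
   otherwise 2^biBitCount. Nothing bounds the result against MAX_PALETTE, so a
   header claiming 65536 colours drives the copy loop past a 256-entry table. */
uint32_t palette_entries_requested(const uint8_t *hdr) {
    const uint8_t *ih = hdr + BMP_FILE_HDR;
    uint16_t bpp = rd16le(ih + 14);          /* biBitCount */
    uint32_t clr_used = rd32le(ih + 32);     /* biClrUsed */
    return clr_used ? clr_used : (bpp < 32 ? (1u << bpp) : 0);
}

/* Hardened read: copies the palette into a fixed 256-entry table and returns the
   entry count, or -1 when the header is inconsistent with that table or the file
   is too short to hold the palette it declares. */
int bmp_read_palette(const uint8_t *buf, size_t len, uint32_t palette[MAX_PALETTE]) {
    if (len < BMP_HDR_LEN || buf[0] != 'B' || buf[1] != 'M') return -1;
    const uint8_t *ih = buf + BMP_FILE_HDR;
    if (rd32le(ih) < BMP_INFO_HDR) return -1;            /* biSize too small */
    uint16_t bpp = rd16le(ih + 14);
    uint32_t clr_used = rd32le(ih + 32);
    if (bpp != 1 && bpp != 4 && bpp != 8) return 0;      /* not an indexed image */
    uint32_t ncolors = clr_used ? clr_used : (1u << bpp);
    if (ncolors > (1u << bpp)) return -1;                /* bounds the write: <= 256 */
    if ((size_t)ncolors * 4 > len - BMP_HDR_LEN) return -1; /* bounds the read */
    const uint8_t *pal = ih + BMP_INFO_HDR;
    for (uint32_t i = 0; i < ncolors; i++) palette[i] = rd32le(pal + 4 * i);
    return (int)ncolors;
}

/* Constructed 54-byte header for a 1x1 image with the given depth and biClrUsed. */
static void make_header(uint8_t *out, uint16_t bpp, uint32_t clr_used) {
    memset(out, 0, BMP_HDR_LEN);
    out[0] = 'B'; out[1] = 'M';
    wr32le(out + 14, BMP_INFO_HDR);   /* biSize */
    wr32le(out + 18, 1);              /* biWidth */
    wr32le(out + 22, 1);              /* biHeight */
    out[26] = 1;                      /* biPlanes */
    out[28] = bpp & 0xff; out[29] = (bpp >> 8) & 0xff;
    wr32le(out + 46, clr_used);       /* biClrUsed */
}

/* Benign 4-bpp image declaring two palette entries: returns 2. */
int demo_benign(void) {
    uint8_t file[BMP_HDR_LEN + 8]; uint32_t pal[MAX_PALETTE];
    make_header(file, 4, 2);
    wr32le(file + BMP_HDR_LEN, 0x00FF0000u);      /* entry 0, BGRA */
    wr32le(file + BMP_HDR_LEN + 4, 0x000000FFu);  /* entry 1 */
    return bmp_read_palette(file, sizeof file, pal);
}

/* 8-bpp header claiming 65536 colours: the unchecked count is 65536, while the
   hardened reader rejects the file instead of overrunning the table. */
uint32_t demo_oversized_requested(void) {
    uint8_t file[BMP_HDR_LEN]; make_header(file, 8, 0x10000u);
    return palette_entries_requested(file);
}
int demo_oversized_rejected(void) {
    uint8_t file[BMP_HDR_LEN]; uint32_t pal[MAX_PALETTE];
    make_header(file, 8, 0x10000u);
    return bmp_read_palette(file, sizeof file, pal);
}

/* 8-bpp header with biClrUsed = 0 implies 256 entries (1024 bytes), but the file
   carries only 16 palette bytes: rejected rather than read past the buffer end. */
int demo_truncated(void) {
    uint8_t file[BMP_HDR_LEN + 16]; uint32_t pal[MAX_PALETTE];
    make_header(file, 8, 0);
    memset(file + BMP_HDR_LEN, 0, 16);
    return bmp_read_palette(file, sizeof file, pal);
}

int main(void) {
    printf("benign=%d requested=%u rejected=%d truncated=%d\n", demo_benign(),
           demo_oversized_requested(), demo_oversized_rejected(), demo_truncated());
    return 0;
}
```

The two checks are independent: `ncolors > (1u << bpp)` protects the destination table (the heap overflow the bug report describes), and the `len - BMP_HDR_LEN` comparison protects the source buffer, which is the class of read overrun the later "arithmetic fixes" in Pavel's patch address. Both compare against the real sizes rather than trusting any field of the header.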
ping
Closing Fedora Legacy bugs.
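Pavel's comments in this thread describe the second issue fixed by imlib-1.9.13-xshmsec.patch: XShm segments created with world read/write permissions, which any local user can attach to for as long as the segment exists. The block below is an added example written for this page, not the xshmsec patch or imlib code; it assumes a Linux host with System V IPC available and uses only shmget/shmctl. It creates a throwaway segment with the old mode and with the hardened 0600 mode, reads back what the kernel recorded, and removes the segment again.

```c
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <stdio.h>

/* Added illustration (not imlib or patch code) of the shared-memory permission
   problem raised in this thread. Returns the permission bits the kernel
   recorded for a segment created with `mode`, or -1 when SysV IPC is not
   available in this environment. The segment is never attached, so IPC_RMID
   destroys it immediately. */
int create_segment_mode(int mode) {
    int id = shmget(IPC_PRIVATE, 4096, IPC_CREAT | mode);
    if (id < 0) return -1;
    struct shmid_ds ds;
    int rc = shmctl(id, IPC_STAT, &ds);
    int perm = (rc == 0) ? (int)(ds.shm_perm.mode & 0777) : -1;
    shmctl(id, IPC_RMID, NULL);
    return perm;
}

/* The weak and the corrected setting side by side: world r/w as historically
   used for XShm segments, and owner-only as the xshmsec patch enforces. */
int world_rw_mode(void)   { return create_segment_mode(0666); }
int owner_only_mode(void) { return create_segment_mode(0600); }

/* Helper a library can apply before shmget: drop group/other bits from the
   mode a caller requested so no segment is ever created world-accessible. */
int harden_shm_mode(int requested) { return requested & 0700; }

int main(void) {
    printf("world r/w segment mode:  %o\n", world_rw_mode());
    printf("owner-only segment mode: %o\n", owner_only_mode());
    return 0;
}
```

Mode 0600 still lets an X server running as root attach, because root bypasses the IPC permission check (CAP_IPC_OWNER on Linux); an X server running as another unprivileged user cannot, which is the trade-off to verify when shipping this kind of fix. It also only covers segments imlib itself creates; as Pavel notes, libgdk creates its own long-lived segment and needs the same change separately.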