Bug 152923 - xloadimage vulnerabilities CAN-2005-0638, CAN-2005-3178
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: xloadimage
Version: unspecified
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Fedora Legacy Bugs
rh73, rh90, 1, 2
Keywords: Security
Reported: 2005-03-11 03:49 EST by John Dalbec
Modified: 2007-04-18 13:22 EDT (History)
Doc Type: Bug Fix
Last Closed: 2006-05-12 20:52:02 EDT
Description David Lawrence 2005-03-30 18:32:25 EST
05.10.14 CVE: CAN-2005-0665
Platform: Unix
Title: xv Remote Format String Vulnerability
Description: xv is an image manipulation utility for the X Window
System. It is vulnerable to a remote format string vulnerability due
to improper sanitization of user input and can be exploited by an
attacker to execute arbitrary code. xv versions 3.10a and earlier are
vulnerable.
Ref: http://www.securityfocus.com/advisories/8184 

05.10.15 CVE: CAN-2005-0605
Platform: Unix
Title: libXpm Bitmap_unit Integer Overflow
Description: libXpm is a graphics library that is shipped with the
XOrg and XFree86 projects. libXpm is affected by an integer overflow
vulnerability. There is no known workaround at this time.
Ref: http://www.gentoo.org/security/en/glsa/glsa-200503-08.xml 

05.10.16 CVE: CAN-2005-0639
Platform: Unix
Title: xli and xloadimage Multiple Vulnerabilities
Description: xli and xloadimage are X11 utilities for displaying and
manipulating a wide range of image formats. xli and xloadimage are
vulnerable to multiple security issues such as buffer overflows and
input validation errors, potentially leading to the execution of
arbitrary code. The fixes for these issues have been released in their
cvs tree.
Ref: http://www.gentoo.org/security/en/glsa/glsa-200503-05.xml 

UNIX Image Processing Utilities Multiple Vulnerabilities
Affected packages:
libXpm included in X11R6 version prior to 6.8.1
xli version 1.17 and prior
xloadimage version 4.1 and prior
xv version 3.10a and possibly prior

Description: Multiple image manipulation utilities and the libXpm
library contain vulnerabilities that may be exploited to compromise a
UNIX client.

(a) X PixMap (XPM) is an ASCII image format popularly used by the X
Window System on UNIX systems. The libXpm library provides various functions
to store and read XPM image files. The library contains an integer
overflow that can be triggered by specifying a negative "bitmap_unit"
value in an XPM image, and possibly exploited to execute arbitrary code.
In order to exploit the flaw, an attacker has to entice a user (via
email or another webpage) to view a malicious XPM file. The technical
details can be obtained by examining the Gentoo Linux bug entries and
the fixes.

(b) The image loading and manipulation utilities xli, xloadimage and
xv contain vulnerabilities that may be exploited to execute arbitrary
commands/code on a UNIX client via a specially crafted image. One of the
flaws in xli is a well known vulnerability since 2001 for which exploit
code is available. Note that these utilities may be linked with browsers
such as Mozilla. Hence, a specially crafted webpage or an HTML email may
exploit these flaws.

Status: Gentoo has released updates for all the flaws.

Council Site Actions:  Most of the council sites are not using the
affected software.  One site has a very small number of affected
systems. However, their UNIX systems are not used for graphics work,
thus they have no plans for further action.  A second site notified
their system support group; they don't plan any further action either.

References:
libXpm Integer Overflow
Gentoo Advisory and Bug Information
http://www.gentoo.org/security/en/glsa/glsa-200503-08.xml    
http://bugs.gentoo.org/show_bug.cgi?id=83655  
http://bugs.gentoo.org/show_bug.cgi?id=83598 
XPM File Format
http://koala.ilog.fr/lehors/xpm.html  
xv, xloadimage and xli Vulnerabilities
Exploit Code (xloadimage flaw discovered in 2001)
http://downloads.securityfocus.com/vulnerabilities/exploits/xloadimageexp.c 
Gentoo Advisories
http://www.gentoo.org/security/en/glsa/glsa-200503-05.xml 
http://www.gentoo.org/security/en/glsa/glsa-200503-09.xml  
SecurityFocus BID
http://www.securityfocus.com/bid/12712 
http://www.securityfocus.com/bid/12713 
http://www.securityfocus.com/bid/12714 
http://www.securityfocus.com/bid/12725
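
The libXpm flaw in item (a) above is a header field (bitmap_unit) trusted in a size computation. As an added example, not libXpm's or xloadimage's code, here is an overflow-checked image buffer sizing routine that rejects negative or out-of-range bitmap_unit/bitmap_pad values before any arithmetic; the scanline formula it uses (bits rounded up to bitmap_pad, divided by 8) is the usual X11 layout and is an assumption for this example, and the struct and function names are hypothetical.

```c
/* Added example (not libXpm's or xloadimage's code): an overflow-checked
 * image buffer size computation for an XPM/XImage-style header. The point
 * of CAN-2005-0605 is that a header field such as bitmap_unit was trusted
 * in size arithmetic; here every field is validated before any arithmetic.
 * Assumed formula (the usual X11 layout, an assumption for this example):
 *   bytes_per_line = roundup(width * bits_per_pixel, bitmap_pad) / 8
 *   buffer         = bytes_per_line * height
 */
#include <stdint.h>
#include <stdio.h>

/* Hypothetical header as parsed from an untrusted image file. */
struct img_hdr {
    int width, height;
    int bits_per_pixel;   /* 1..32 */
    int bitmap_unit;      /* scanline unit: must be 8, 16 or 32 */
    int bitmap_pad;       /* scanline padding: must be 8, 16 or 32 */
};

static int valid_unit(int v) { return v == 8 || v == 16 || v == 32; }

/* Returns the buffer size in bytes, or 0 when the header is invalid or the
 * size cannot be represented in size_t. Callers must treat 0 as rejection. */
size_t safe_image_size(const struct img_hdr *h)
{
    if (h->width <= 0 || h->height <= 0)
        return 0;
    if (h->bits_per_pixel <= 0 || h->bits_per_pixel > 32)
        return 0;
    /* Whitelisting unit/pad rejects negative or oversized values outright. */
    if (!valid_unit(h->bitmap_unit) || !valid_unit(h->bitmap_pad))
        return 0;
    /* 64-bit unsigned arithmetic: width (< 2^31) * 32 cannot wrap here. */
    uint64_t bits = (uint64_t)h->width * (uint64_t)h->bits_per_pixel;
    uint64_t pad = (uint64_t)h->bitmap_pad;
    uint64_t bytes_per_line = ((bits + pad - 1) / pad * pad) / 8;
    /* Explicit check that bytes_per_line * height fits in size_t. */
    if (bytes_per_line > SIZE_MAX / (uint64_t)h->height)
        return 0;
    return (size_t)(bytes_per_line * (uint64_t)h->height);
}

int main(void)
{
    struct img_hdr ok  = { 640, 480, 8, 8, 32 };   /* constructed sample */
    struct img_hdr bad = { 640, 480, 8, -8, 32 };  /* negative bitmap_unit */
    printf("ok:  %zu bytes\n", safe_image_size(&ok));
    printf("bad: %zu bytes (0 = rejected)\n", safe_image_size(&bad));
    return 0;
}
```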



------- Additional Comments From michal@harddata.com 2005-03-16 15:01:27 ----

This seems to be a bunch of different problems folded into one report,
thus making this hard to read, understand and follow up.

In any case I do not recall xv being shipped in any of the distributions
of interest.  Still, the patch in question appears to be this one:

--- xv.c        2005-03-01 15:20:50.153871368 +0000
+++ xv.c        2005-03-01 15:20:39.241530296 +0000
@@ -2249,7 +2249,7 @@
   SetISTR(ISTR_INFO,formatStr);
        
   SetInfoMode(INF_PART);
-  SetISTR(ISTR_FILENAME, 
+  SetISTR(ISTR_FILENAME, "%s",
          (filenum==DFLTPIC || filenum==GRABBED || frompipe)
          ? "<none>" : basefname);
 
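Review bot: the hunk passes the filename through a constant "%s" format instead of in the format position, which is the right fix for this SetISTR call, but it covers only this one call site; any other SetISTR or similar printf-style call in xv.c that receives a user-controlled string as its format argument has the same defect and needs the same "%s" treatment, so grep for the remaining callers before shipping. Also, the +++ timestamp (15:20:39) is older than the --- timestamp (15:20:50), which suggests the two files were swapped when the diff was produced; it applies either way, but regenerating it would make the direction unambiguous.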
This assumes that whoever is using xv has older problems already fixed.

xloadimage is indeed all over the place.  xloadimageexp.c left me scratching
my head. Not sure if xli was ever shipped.

libXpm looks like yet another generic issue in XPM code.  Sigh!



------- Additional Comments From michal@harddata.com 2005-03-17 09:09:44 ----

Ubuntu packages are much easier to deal with than Gentoo 'portage-<something>.bz2'
which later unpack to something like 500 Megs of stuff from which one has to
fish out one or two lines of code.  Here are some relevant references:
Ubuntu USN-97-1  http://lwn.net/Alerts/127896/  (libXpm)
http://security.ubuntu.com/ubuntu/pool/main/x/xfree86/xfree86_4.3.0.dfsg.1-6ubuntu25.2.diff.gz
Ubuntu USN-92-1  http://lwn.net/Alerts/126639/  (lesstif)
http://security.ubuntu.com/ubuntu/pool/main/l/lesstif1-1/lesstif1-1_0.93.94-4ubuntu1.3.diff.gz



------- Additional Comments From michal@harddata.com 2005-03-20 07:04:53 ----

xloadimage-4.1-34.FC3.src.rpm update with Build Date "Fri 18 Mar 2005" recompiles
on RH7.3 without any changes (save the identifier string in the spec), although the
problem referenced by number in the changelog is CAN-2005-0638.



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:32 -------

This bug previously known as bug 2454 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2454
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 Pekka Savola 2005-05-22 03:23:50 EDT
CAN-2005-0605 affects openmotif as well; see
https://rhn.redhat.com/errata/RHSA-2005-412.html
Comment 2 David Eisenstein 2005-09-29 10:30:08 EDT
Since this is a bug for package "xloadimage", I think the only CVE that is
relevant to this bug report should be CAN-2005-0639.  The two other CVEs are
for different packages.
Comment 3 Pekka Savola 2005-10-01 00:51:22 EDT
I've cleaned up the summary line.
Comment 4 Donald Maner 2006-03-16 17:30:41 EST
Shouldn't this be CVE-2005-0638 and not CVE-2005-0639?  CVE-2005-0639 applies to
xli only, CVE-2005-0638 to xli and xloadimage.
Comment 5 Donald Maner 2006-03-16 17:39:14 EST
Add CAN-2005-3178 to this as well.
Comment 6 Donald Maner 2006-03-16 18:36:30 EST
I have created the following patches:

rh73:
ea00930909d08331e7e0bc6746d4fa66fc5761c4
http://lance.maner.org/xloadimage-4.1-21.1.legacy.src.rpm

rh9:
e25e1758fd6c1f9e6ecb04f82a13509e17cc80cd
http://lance.maner.org/xloadimage-4.1-27.1.legacy.src.rpm

fc1:
d879c4532942277d592ec46d78fdb6756b1f901a
http://lance.maner.org/xloadimage-4.1-29.1.legacy.src.rpm

fc2:
c455fa54f8aa73d7f28d579f7c3cdeac56180047
http://lance.maner.org/xloadimage-4.1-30.1.legacy.src.rpm

Comment 7 Pekka Savola 2006-03-17 04:56:34 EST
The FC2 package probably needs to be redone, you probably didn't notice that the
latest FC2 package is "xloadimage-4.1-34.FC2.src.rpm" ?

The patches were OK.  There was an unnecessary spec file rename in the RHL73 package,
but for consistency, that shouldn't be a problem.
Comment 8 Donald Maner 2006-03-17 07:56:14 EST
Whoops.  Thanks Pekka.  Correct version below.

fc2:
345a3702ec4f770edc37094d2e8d984a06102b1a
http://lance.maner.org/xloadimage-4.1-34.1.legacy.src.rpm

Comment 9 Pekka Savola 2006-03-17 08:20:49 EST
 
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal (RHL73 was just a rename)
 - patches are identical to upstream
 
NOTE: I'm not sure if the FC2 package may need to be renamed, but that can
be done at build time if needed.
 
+PUBLISH RHL73, RHL9, FC1, FC2
 
ea00930909d08331e7e0bc6746d4fa66fc5761c4  xloadimage-4.1-21.1.legacy.src.rpm
e25e1758fd6c1f9e6ecb04f82a13509e17cc80cd  xloadimage-4.1-27.1.legacy.src.rpm
d879c4532942277d592ec46d78fdb6756b1f901a  xloadimage-4.1-29.1.legacy.src.rpm
345a3702ec4f770edc37094d2e8d984a06102b1a  xloadimage-4.1-34.1.legacy.src.rpm
Comment 10 Marc Deslauriers 2006-03-28 19:32:49 EST
Packages were pushed to updates-testing
Comment 11 Pekka Savola 2006-04-17 12:28:36 EDT
Timeout over.
Comment 12 Marc Deslauriers 2006-05-12 20:52:02 EDT
Packages were released to updates.
