+++ This bug was initially created as a clone of Bug #152923 +++

05.10.14 CVE: CAN-2005-0665
Platform: Unix
Title: xv Remote Format String Vulnerability
Description: xv is an image manipulation utility for the X Window System. It is vulnerable to a remote format string vulnerability due to improper sanitization of user input and can be exploited by an attacker to execute arbitrary code. xv versions 3.10a and earlier are vulnerable.
Ref: http://www.securityfocus.com/advisories/8184

05.10.15 CVE: CAN-2005-0605
Platform: Unix
Title: libXpm Bitmap_unit Integer Overflow
Description: libXpm is a graphics library that is shipped with the XOrg and XFree86 projects. libXpm is affected by an integer overflow vulnerability. There is no known workaround at this time.
Ref: http://www.gentoo.org/security/en/glsa/glsa-200503-08.xml

05.10.16 CVE: CAN-2005-0639
Platform: Unix
Title: xli and xloadimage Multiple Vulnerabilities
Description: xli and xloadimage are X11 utilities for displaying and manipulating a wide range of image formats. xli and xloadimage are vulnerable to multiple security issues such as buffer overflows and input validation errors, potentially leading to the execution of arbitrary code. The fixes for these issues have been released in their CVS tree.
Ref: http://www.gentoo.org/security/en/glsa/glsa-200503-05.xml

UNIX Image Processing Utilities Multiple Vulnerabilities

Affected packages:
  libXpm included in X11R6 version prior to 6.8.1
  xli version 1.17 and prior
  xloadimage version 4.1 and prior
  xv version 3.10a and possibly prior

Description: Multiple image manipulation utilities and the libXpm library contain vulnerabilities that may be exploited to compromise a UNIX client.

(a) X PixMap (XPM) is an ASCII image format popularly used by the X Window System on UNIX systems. The libXpm library provides various functions to store and read XPM image files. The library contains an integer overflow that can be triggered by specifying a negative "bitmap_unit" value in an XPM image, and possibly exploited to execute arbitrary code. In order to exploit the flaw, an attacker has to entice a user (via email or another webpage) to view a malicious XPM file. The technical details can be obtained by examining the Gentoo Linux bug entries and the fixes.

(b) The image loading and manipulation utilities xli, xloadimage and xv contain vulnerabilities that may be exploited to execute arbitrary commands/code on a UNIX client via a specially crafted image. One of the flaws in xli is a well known vulnerability since 2001 for which exploit code is available. Note that these utilities may be linked with browsers such as Mozilla. Hence, a specially crafted webpage or an HTML email may exploit these flaws.

Status: Gentoo has released updates for all the flaws.

Council Site Actions: Most of the council sites are not using the affected software. One site has a very small number of affected systems. However, their UNIX systems are not used for graphics work, thus they have no plans for further action. A second site notified their system support group; they don't plan any further action as well.
References:

libXpm Integer Overflow Gentoo Advisory and Bug Information
http://www.gentoo.org/security/en/glsa/glsa-200503-08.xml
http://bugs.gentoo.org/show_bug.cgi?id=83655
http://bugs.gentoo.org/show_bug.cgi?id=83598

XPM File Format
http://koala.ilog.fr/lehors/xpm.html

xv, xloadimage and xli Vulnerabilities
Exploit Code (xloadimage flaw discovered in 2001)
http://downloads.securityfocus.com/vulnerabilities/exploits/xloadimageexp.c
Gentoo Advisories
http://www.gentoo.org/security/en/glsa/glsa-200503-05.xml
http://www.gentoo.org/security/en/glsa/glsa-200503-09.xml
SecurityFocus BID
http://www.securityfocus.com/bid/12712
http://www.securityfocus.com/bid/12713
http://www.securityfocus.com/bid/12714
http://www.securityfocus.com/bid/12725

------- Additional Comments From michal 2005-03-16 15:01:27 ----
This seems to be a bunch of different problems folded into one report, thus making this hard to read, understand and follow up. In any case I do not recall xv being shipped in any of the distributions of interest. Still, the patch in question appears to be this one:

--- xv.c 2005-03-01 15:20:50.153871368 +0000 +++ xv.c 2005-03-01 15:20:39.241530296 +0000 @@ -2249,7 +2249,7 @@ SetISTR(ISTR_INFO,formatStr); SetInfoMode(INF_PART); - SetISTR(ISTR_FILENAME, + SetISTR(ISTR_FILENAME, "%s", (filenum==DFLTPIC || filenum==GRABBED || frompipe) ? "<none>" : basefname);

This assumes that whoever is using xv has older problems already fixed. xloadimage is indeed all over the place. xloadimageexp.c left me scratching my head. Not sure if xli was ever shipped. libXpm looks like yet another generic issue in xpm code. Sigh!

------- Additional Comments From michal 2005-03-17 09:09:44 ----
Ubuntu packages are much easier to deal with than Gentoo 'portage-<something>.bz2', which later unpacks to something like 500 Megs of stuff from which one has to fish out one or two lines of code. Here are some relevant references:

Ubuntu USN-97-1
http://lwn.net/Alerts/127896/
(libXpm) http://security.ubuntu.com/ubuntu/pool/main/x/xfree86/xfree86_4.3.0.dfsg.1-6ubuntu25.2.diff.gz

Ubuntu USN-92-1
http://lwn.net/Alerts/126639/
(lesstif) http://security.ubuntu.com/ubuntu/pool/main/l/lesstif1-1/lesstif1-1_0.93.94-4ubuntu1.3.diff.gz

------- Additional Comments From michal 2005-03-20 07:04:53 ----
xloadimage-4.1-34.FC3.src.rpm update with Build Date "Fri 18 Mar 2005" recompiles on RH7.3 without any changes (save identifier string in specs), although a problem quoted by a number in a changelog is CAN-2005-0638.

------- Bug moved to this database by dkl 2005-03-30 18:32 -------
This bug previously known as bug 2454 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2454
Originally filed under the Fedora Legacy product and Package request component.
Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.
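Review bot: the unchanged context line `SetISTR(ISTR_INFO,formatStr);` in the same hunk also passes a variable as the format argument; whether formatStr can carry user-supplied data is not visible here, but it deserves the same audit as the ISTR_FILENAME call, since the patch changes only the single call at line 2249 and leaves every other SetISTR site untouched. If formatStr is not a compile-time constant, the same shape applies: `SetISTR(ISTR_INFO, "%s", formatStr);`. Building with -Wformat-security (or -Wformat=2) would flag any remaining call that hands a non-literal string to a printf-style parameter, which is the cheapest way to confirm the ISTR_FILENAME call was the only one.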
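The negative bitmap_unit trigger described under (a) in the report above is the classic case of a header field being used in size arithmetic before it is range-checked. The following C block is an added example, not libXpm code and not taken from this bug or the Gentoo fix: it shows a defensive size computation for a hypothetical XPM-style header (the struct, its field names, the status codes and the function names are all invented here) that rejects non-positive or unexpected bitmap_unit values and reports multiplication wrap-around instead of letting a wrapped size reach an allocator.

```c
/* Added example (not libXpm code): defensive size computation for an
 * XPM-style bitmap header. libXpm's real structures and field names are
 * not reproduced; the header type and helpers below are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical header fields as parsed from an untrusted file. */
struct bitmap_header {
    int width;
    int height;
    int bitmap_unit;   /* bits per storage unit: 8, 16 or 32 expected */
};

/* Returned instead of a size that may have wrapped. */
enum size_status { SIZE_OK = 0, SIZE_BAD_FIELD = 1, SIZE_OVERFLOW = 2 };

/* Multiply two size_t values, reporting wrap-around instead of
 * silently truncating the product. */
static int checked_mul(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Compute the number of bytes needed to hold the bitmap, or fail.
 * Every field is range-checked before it enters any arithmetic, so a
 * negative bitmap_unit (the trigger named in the report) is rejected
 * rather than being converted to a huge unsigned value. */
enum size_status bitmap_buffer_size(const struct bitmap_header *h, size_t *out)
{
    size_t unit_bytes, units_per_row, row_bytes, total;

    if (h->width <= 0 || h->height <= 0)
        return SIZE_BAD_FIELD;
    /* Only the three legitimate unit widths pass; this also covers
     * negative and zero values. */
    if (h->bitmap_unit != 8 && h->bitmap_unit != 16 && h->bitmap_unit != 32)
        return SIZE_BAD_FIELD;

    unit_bytes = (size_t)h->bitmap_unit / 8;
    /* Round the row width up to a whole number of storage units. */
    units_per_row = ((size_t)h->width + (size_t)h->bitmap_unit - 1)
                    / (size_t)h->bitmap_unit;

    if (!checked_mul(units_per_row, unit_bytes, &row_bytes))
        return SIZE_OVERFLOW;
    if (!checked_mul(row_bytes, (size_t)h->height, &total))
        return SIZE_OVERFLOW;

    *out = total;
    return SIZE_OK;
}

/* Constructed inputs: a sane header and one carrying the negative
 * bitmap_unit from the report. Wrapped in functions so the results
 * can be checked rather than only printed. */
size_t example_good_size(void)
{
    struct bitmap_header good = { 100, 50, 16 };   /* 7 units/row * 2 bytes * 50 rows */
    size_t n = 0;
    return bitmap_buffer_size(&good, &n) == SIZE_OK ? n : 0;
}

int example_rejects_negative_unit(void)
{
    struct bitmap_header bad = { 100, 50, -8 };
    size_t n = 0;
    return bitmap_buffer_size(&bad, &n) == SIZE_BAD_FIELD;
}

int main(void)
{
    printf("good header needs %zu bytes\n", example_good_size());
    printf("negative bitmap_unit rejected: %s\n",
           example_rejects_negative_unit() ? "yes" : "no");
    return 0;
}
```

The point of the shape is that validation happens on the signed fields first, and only then are they converted to size_t; converting first would turn -8 into a value near SIZE_MAX and defeat any later comparison.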
See #152923. I wonder which is the right place to track this.
Is Fedora Legacy project going to actually include this fix, or can we just close the bug report "WONTFIX" with explanation to upgrade to FC4?
I have opened bug 168264 for the CAN-2005-2495 multiple integer overflows issue. I suggest we close this bug as a DUPLICATE of bug 168264, so we can work on both XFree86 issues there. Updated RHEL packages have been issued that fix both CVEs, as is detailed there.
CAN-2005-0665 is for the program /usr/X11R6/bin/xv, which is part of the xv-3.10a-23.i386.rpm (from xv-3.10a-23.src.rpm) package. The latest version of this package was supplied as part of the Powertools of Red Hat Linux 7.0, and appears to have never been distributed in any later Red Hat or Fedora Core distribution. Therefore CAN-2005-0665 is not an issue that Fedora Legacy will deal with.
CAN-2005-0639 is a bug in the xli / xloadimage packages, and is not a bug in XFree86/Xorg. Removing this CVE from the title.
CAN-2005-0605 is being handled in Bug 168264. Closing this bug as a DUPE. *** This bug has been marked as a duplicate of 168264 ***