Stefan Cornelius of Secunia Research discovered and reported the following issues affecting imlib2's PNM and XPM loaders: 1) A boundary error exists within the "load()" function in src/modules/loaders/loader_pnm.c when processing the header of a PNM image file. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into opening a specially crafted PNM image in an application using the imlib2 library. Successful exploitation allows execution of arbitrary code. 2) A boundary error exists within the "load()" function in src/modules/loader_xpm.c when processing an XPM image file. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into opening a specially crafted XPM image with an application using the imlib2 library. Successful exploitation may allow execution of arbitrary code. References: http://secunia.com/advisories/30401/ http://secunia.com/secunia_research/2008-25/advisory/ http://bugs.gentoo.org/show_bug.cgi?id=223965
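The PNM issue above is a header parser copying a field into a fixed stack buffer without checking its length. As an added example (not imlib2's code, and not the upstream fix), here is a header parser that reads each field into a bounded stack buffer and rejects any token that would not fit; the sample headers and the `demo_width` helper are constructed for this illustration.

```c
/* Added example, not imlib2's code: a bounds-checked PNM header parser that rejects over-long tokens. */
#include <ctype.h>
#include <stdlib.h>
#include <errno.h>
#define PNM_TOKEN_MAX 16  /* longest sane numeric field; anything longer is an error */
struct pnm_header { int type; long width, height, maxval; };
/* Copy the next whitespace-delimited token (skipping '#' comments) into tok.
 * Returns the offset just past the token, or -1 on overflow or end of input. */
static long pnm_token(const unsigned char *buf, size_t len, size_t pos, char *tok, size_t tokmax)
{
    size_t i = pos, n = 0;
    while (i < len && (isspace(buf[i]) || buf[i] == '#')) {  /* skip blanks and comments */
        if (buf[i] == '#') while (i < len && buf[i] != '\n') i++;
        else i++;
    }
    while (i < len && !isspace(buf[i]) && buf[i] != '#') {
        if (n + 1 >= tokmax) return -1;  /* would overrun tok: reject, never truncate silently */
        tok[n++] = (char)buf[i++];
    }
    tok[n] = '\0';
    return n ? (long)i : -1;
}
/* Parse a "P1".."P6" header. Returns the offset just past the last field, or -1 on error. */
long pnm_parse_header(const unsigned char *buf, size_t len, struct pnm_header *h)
{
    char tok[PNM_TOKEN_MAX], *end;
    long vals[3] = {0, 0, 1};
    long pos = pnm_token(buf, len, 0, tok, sizeof tok);
    if (pos < 0 || tok[0] != 'P' || tok[1] < '1' || tok[1] > '6' || tok[2]) return -1;
    h->type = tok[1] - '0';
    int fields = (h->type == 1 || h->type == 4) ? 2 : 3;  /* bitmaps carry no maxval field */
    for (int f = 0; f < fields; f++) {
        if ((pos = pnm_token(buf, len, (size_t)pos, tok, sizeof tok)) < 0) return -1;
        errno = 0; vals[f] = strtol(tok, &end, 10);
        if (errno || *end || vals[f] <= 0 || vals[f] > 65535) return -1;  /* absurd value */
    }
    h->width = vals[0]; h->height = vals[1]; h->maxval = vals[2];
    return pos;
}
/* Parse a constructed sample; returns its width, or -1 if rejected. bad=1 selects the sample
 * whose width field is far longer than any sane number, i.e. the overflow case. */
long demo_width(int bad)
{
    static const unsigned char ok[]  = "P6\n# comment\n640 480\n255\n";
    static const unsigned char big[] = "P6\n6400000000000000000000000000 480\n255\n";
    struct pnm_header h;
    long r = pnm_parse_header(bad ? big : ok, bad ? sizeof big - 1 : sizeof ok - 1, &h);
    return r < 0 ? -1 : h.width;
}
```

The same pattern (bounded copy plus explicit rejection, never an unchecked copy until whitespace) is the mitigation for the XPM loader as well.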
The Secunia advisory provides the following solution: "Fixed in the CVS repository." I fail to see any changes in the imlib2 CVS repository: http://enlightenment.org/viewvc/e17/libs/imlib2/src/modules/loaders/ or am I looking into the wrong one?
The PNM loader issue seems to have already been addressed in the Fedora packages in the following patch: http://cvs.fedoraproject.org/viewcvs/rpms/imlib2/devel/imlib2-1.3.0-loader_overflows.patch?view=markup This was added as a fix for CVE-2006-4809 (PNM) and CVE-2006-480[678] (other loaders modified by the patch).
Created attachment 307177: Patch for XPM loader from upstream CVS
Created attachment 307178: Patch for PNM loader from upstream CVS
I see that this has been fixed for F-8 - devel, and the fixed packages have been built by Tomas Smetana. Tomas, a comment to this effect here would have been nice (as in, it would have saved me the time of looking into this). I see that you've also created updates for this in bodhi (good), but didn't mark them as security (bad) nor referenced this bug number (in which case a comment would have been added here, another way to notify others you are handling this and avoid duplication of effort).
I must agree with Hans here. Please make sure to submit security updates as 'security' and refer to the bug filed against the 'Security Response' product. I've fixed the update requests.
Hm... Bodhi suggests entering CVE numbers instead of bug numbers, so I entered those thinking "that's it"... Sorry for that. I'll keep it in mind for the next time.
Bodhi should accept BZ ids or BZ aliases. We set the CVE id as an alias for 'Security Response' bugs. However, the code for handling aliases correctly is not yet deployed as far as I know, so you may have gotten an 'Internal server error' when submitting the update. Btw, this likely affects imlib2-1.3.0 in EPEL5 and may affect imlib2-1.2.1 in EPEL4 as well.
imlib2-1.4.0-7.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
imlib2-1.4.0-7.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
imlib2-1.3.0-4.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in: Fedora: https://admin.fedoraproject.org/updates/F8/FEDORA-2008-4842 https://admin.fedoraproject.org/updates/F9/FEDORA-2008-4871