Red Hat Bugzilla – Bug 449073
CVE-2008-2426 imlib2: buffer overflows in PNM and XPM loaders
Last modified: 2008-09-30 02:47:19 EDT
Stefan Cornelius of Secunia Research discovered and reported the following
issues affecting imlib2's PNM and XPM loaders:
1) A boundary error exists within the "load()" function in
src/modules/loaders/loader_pnm.c when processing the header of a
PNM image file. This can be exploited to cause a stack-based buffer
overflow by e.g. tricking a user into opening a specially crafted
PNM image in an application using the imlib2 library.
Successful exploitation allows execution of arbitrary code.
2) A boundary error exists within the "load()" function in
src/modules/loader_xpm.c when processing an XPM image file. This can
be exploited to cause a stack-based buffer overflow by e.g. tricking
a user into opening a specially crafted XPM image with an application
using the imlib2 library.
Successful exploitation may allow execution of arbitrary code.
The Secunia advisory provides the following solution:
Fixed in the CVS repository.
I fail to see any changes in imlib2 CVS repository:
or am I looking into a wrong one?
The PNM loader issue seems to be already addressed in the Fedora packages in the
This was added as a fix for CVE-2006-4809 (PNM) and CVE-2006-480 (other
loaders modified by the patch).
Created attachment 307177
Patch for XPM loader from upstream CVS
Created attachment 307178
Patch for PNM loader from upstream CVS
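For the PNM header issue described in this bug, an added illustration (not imlib2's code and not the attached upstream patch) of a header reader that bounds every copy into its fixed stack buffer and range-checks the decoded fields. The function names, the 16-byte field buffer and the dimension limit are assumptions made for the example.

```c
#include <ctype.h>
#include <stdlib.h>

#define TOKEN_MAX 16     /* assumed size of the stack buffer for one field */
#define DIM_MAX   32767  /* assumed upper limit for width and height */
typedef const unsigned char uc;

/* Copy the next whitespace-delimited header field into buf, skipping '#'
 * comments. Returns 0 on success, -1 at end of input or if it will not fit. */
static int next_token(uc **p, uc *end, char *buf, size_t cap)
{
    size_t i = 0;
    while (*p < end && (isspace(**p) || **p == '#')) {
        if (**p == '#')
            while (*p < end && **p != '\n') (*p)++;
        else
            (*p)++;
    }
    while (*p < end && !isspace(**p)) {
        if (i + 1 >= cap) return -1;   /* the bound: never write past buf */
        buf[i++] = (char)*(*p)++;
    }
    buf[i] = '\0';
    return i > 0 ? 0 : -1;
}

/* Read a decimal field and accept it only inside 1..max. */
static int next_number(uc **p, uc *end, long max, int *out)
{
    char tok[TOKEN_MAX], *stop;
    if (next_token(p, end, tok, sizeof tok) != 0) return -1;
    long v = strtol(tok, &stop, 10);
    if (*stop != '\0' || v < 1 || v > max) return -1;
    *out = (int)v;
    return 0;
}

/* Parse magic "P1".."P6", width, height, and maxval for types that have one. */
int parse_pnm_header(const void *data, size_t len, int *w, int *h, int *maxval)
{
    uc *p = data, *end = p + len;
    char magic[TOKEN_MAX];
    if (next_token(&p, end, magic, sizeof magic) != 0 || magic[0] != 'P' ||
        magic[1] < '1' || magic[1] > '6' || magic[2] != '\0') return -1;
    if (next_number(&p, end, DIM_MAX, w) || next_number(&p, end, DIM_MAX, h))
        return -1;
    *maxval = 1;                       /* P1/P4 bitmaps carry no maxval field */
    if (magic[1] == '1' || magic[1] == '4') return 0;
    return next_number(&p, end, 65535, maxval);
}
```

A field longer than the buffer is rejected before any byte past the buffer is written, and a field that fits but decodes outside the accepted range is rejected before it can reach an allocation or loop bound.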
I see that this has been fixed for F-8 - devel, and the fixed packages have been
built by Tomas Smetana. Tomas, a comment to this extent here would have been nice
(as in saved me the time from looking into this).
I see that you've also created updates for this in bodhi (good), but didn't mark
them as security (bad) nor referenced this bug number (in which case a comment
would have been added here, another way to notify others you are handling this
and avoiding duplication of effort).
I must agree with Hans here. Please make sure to submit security updates as
'security' and refer to the bug filed against the 'Security Response' product. I've
fixed the update requests.
Hm... Bodhi suggests to enter CVE numbers instead of bug numbers, so I entered
those thinking "that's it"... Sorry for that. I'll keep it in mind for the
Bodhi should accept BZ ids or BZ aliases. We set CVE id as an alias for
'Security Response' bugs. However, the code for handling aliases correctly is
not yet deployed as far as I know, so you may have got 'Internal server error'
when submitting the update.
Btw, this likely affects imlib2-1.3.0 in EPEL5 and may affect imlib2-1.2.1 in
EPEL4 as well.
imlib2-1.4.0-7.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
imlib2-1.4.0-7.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
imlib2-1.3.0-4.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in: