Bug 449073 - (CVE-2008-2426) CVE-2008-2426 imlib2: buffer overflows in PNM and XPM loaders
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: source=vendor-sec,reported=20080527,p...
Keywords: Security
Reported: 2008-05-30 05:06 EDT by Tomas Hoger
Modified: 2008-09-30 02:47 EDT
Doc Type: Bug Fix
Last Closed: 2008-09-30 02:47:19 EDT
Attachments:
  Patch for XPM loader from upstream CVS (836 bytes, patch), 2008-05-30 05:31 EDT, Tomas Hoger
  Patch for PNM loader from upstream CVS (650 bytes, patch), 2008-05-30 05:32 EDT, Tomas Hoger

Description Tomas Hoger 2008-05-30 05:06:50 EDT
Stefan Cornelius of Secunia Research discovered and reported the following
issues affecting imlib2's PNM and XPM loaders:

1) A boundary error exists within the "load()" function in
src/modules/loaders/loader_pnm.c when processing the header of a
PNM image file. This can be exploited to cause a stack-based buffer
overflow by e.g. tricking a user into opening a specially crafted
PNM image in an application using the imlib2 library.

Successful exploitation allows execution of arbitrary code.

2) A boundary error exists within the "load()" function in
src/modules/loader_xpm.c when processing an XPM image file. This can
be exploited to cause a stack-based buffer overflow by e.g. tricking
a user into opening a specially crafted XPM image with an application
using the imlib2 library.

Successful exploitation may allow execution of arbitrary code.

References:
http://secunia.com/advisories/30401/
http://secunia.com/secunia_research/2008-25/advisory/
http://bugs.gentoo.org/show_bug.cgi?id=223965
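The defect class behind issue 1 (and, in the same shape, issue 2) is a header token copied into a fixed-size stack buffer without a length check. The following is an added example, not imlib2's loader code: a bounded PNM header reader that rejects any token longer than its stack buffer instead of writing past it. The function names, the 16-byte token limit and the 65535 dimension cap are assumptions of this example.

```c
#include <ctype.h>
#include <stddef.h>

#define TOKEN_MAX 16  /* room for "65535" and slack; longer tokens are rejected */

/* Copy one whitespace-delimited header token from buf[*pos..len) into out.
 * Returns 0, or -1 when input ends or the token would not fit in out: that
 * length check is exactly what an unbounded copy into a stack buffer lacks. */
static int read_token(const unsigned char *buf, size_t len, size_t *pos,
                      char *out, size_t outsz)
{
    size_t n = 0;
    while (*pos < len && isspace(buf[*pos])) (*pos)++;
    while (*pos < len && !isspace(buf[*pos])) {
        if (n + 1 >= outsz) return -1;   /* reject the file, never overflow */
        out[n++] = (char)buf[(*pos)++];
    }
    if (n == 0) return -1;
    out[n] = '\0';
    return 0;
}

/* Parse a P1..P6 header ('#' comments not supported) into width, height and
 * maxval. Returns 0 on success, -1 on any malformed or oversized value. */
int pnm_parse_header(const unsigned char *buf, size_t len,
                     int *w, int *h, int *maxval)
{
    char tok[TOKEN_MAX];
    size_t pos = 0;
    int vals[3] = { 0, 0, 1 };   /* bitmaps (P1/P4) carry no maxval token */

    if (read_token(buf, len, &pos, tok, sizeof tok) < 0) return -1;
    if (tok[0] != 'P' || tok[1] < '1' || tok[1] > '6' || tok[2]) return -1;
    int need = (tok[1] == '1' || tok[1] == '4') ? 2 : 3;

    for (int i = 0; i < need; i++) {
        if (read_token(buf, len, &pos, tok, sizeof tok) < 0) return -1;
        long v = 0;
        for (const char *p = tok; *p; p++) {
            if (!isdigit((unsigned char)*p)) return -1;
            v = v * 10 + (*p - '0');
            if (v > 65535) return -1;   /* also keeps width*height from overflowing */
        }
        if (v == 0) return -1;
        vals[i] = (int)v;
    }
    *w = vals[0]; *h = vals[1]; *maxval = vals[2];
    return 0;
}
```

A crafted header with an overlong width field is refused at read_token before any byte lands outside tok, which is the behaviour a loader needs regardless of what the rest of the file contains.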
Comment 2 Tomas Hoger 2008-05-30 05:15:16 EDT
Secunia advisory provides following solution:

  Fixed in the CVS repository.

I fail to see any changes in imlib2 CVS repository:

  http://enlightenment.org/viewvc/e17/libs/imlib2/src/modules/loaders/

or am I looking into a wrong one?
Comment 3 Tomas Hoger 2008-05-30 05:17:20 EDT
The PNM loader issue seems to be already addressed in the Fedora packages in the
following patch:

http://cvs.fedoraproject.org/viewcvs/rpms/imlib2/devel/imlib2-1.3.0-loader_overflows.patch?view=markup

This was added as a fix for CVE-2006-4809 (PNM) and CVE-2006-480[678] (other
loaders modified by the patch).
Comment 4 Tomas Hoger 2008-05-30 05:31:11 EDT
Created attachment 307177 [details]
Patch for XPM loader from upstream CVS
Comment 5 Tomas Hoger 2008-05-30 05:32:44 EDT
Created attachment 307178 [details]
Patch for PNM loader from upstream CVS
Comment 6 Hans de Goede 2008-05-31 03:20:11 EDT
I see that this has been fixed for F-8 - devel, and the fixed packages have been
built by Tomas Smetana. Tomas, a comment to this extent here would have been nice
(as in saved me the time from looking into this).

I see that you've also created updates for this in bodhi (good), but didn't mark
them as security (bad) nor reference this bug number (in which case a comment
would have been added here, another way to notify others you are handling this
and avoiding duplication of effort).
Comment 7 Tomas Hoger 2008-05-31 15:54:44 EDT
I must agree with Hans here.  Please make sure to submit security updates as
'security' and refer to the bug filed against 'Security Response' product.  I've
fixed update requests.
Comment 8 Tomas Smetana 2008-06-02 01:51:48 EDT
Hm... Bodhi suggests entering CVE numbers instead of bug numbers, so I entered
those thinking "that's it"...  Sorry for that.  I'll keep it in mind for the
next time.
Comment 9 Tomas Hoger 2008-06-02 02:34:11 EDT
Bodhi should accept BZ ids or BZ aliases.  We set the CVE id as an alias for
'Security Response' bugs.  However, the code for handling aliases correctly is
not yet deployed as far as I know, so you may have got 'Internal server error'
when submitting the update.

Btw, this likely affects imlib2-1.3.0 in EPEL5 and may affect imlib2-1.2.1 in
EPEL4 as well.
Comment 10 Fedora Update System 2008-06-03 03:29:50 EDT
imlib2-1.4.0-7.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2008-06-03 03:31:43 EDT
imlib2-1.4.0-7.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2008-06-03 03:36:29 EDT
imlib2-1.3.0-4.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Red Hat Product Security 2008-09-30 02:47:19 EDT
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-4842
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-4871
