Common Vulnerabilities and Exposures assigned an identifier CVE-2010-0991 to the following vulnerability:

Name: CVE-2010-0991
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0991
Assigned: 20100318
Reference: BUGTRAQ:20100421 Secunia Research: imlib2 "IMAGE_DIMENSIONS_OK()" Logic Error
Reference: URL: http://www.securityfocus.com/archive/1/archive/1/510866/100/0/threaded
Reference: MISC: http://secunia.com/secunia_research/2010-54/
Reference: SECUNIA:39354
Reference: URL: http://secunia.com/advisories/39354
Reference: VUPEN:ADV-2010-0959
Reference: URL: http://www.vupen.com/english/advisories/2010/0959

Multiple heap-based buffer overflows in imlib2 1.4.3 allow context-dependent attackers to execute arbitrary code via a crafted (1) ARGB, (2) XPM, or (3) BMP file, related to the IMAGE_DIMENSIONS_OK macro in lib/image.h.

NOTE: We currently ship imlib 1.4.2 in Fedora (to rawhide) and the advisory noted in the SecurityFocus archives indicates that _only_ 1.4.3 is affected, not previous versions (verified by checking our imlib2 source; there is no IMAGE_DIMENSIONS_OK() macro). However, 1.4.3 is the current version available for download, so this is to ensure that if imlib2 does get updated to 1.4.3, it includes a fix, or we skip it and wait for 1.4.4 to be released.

The advisory also indicates this is fixed in upstream svn:

Index: image.h
===================================================================
--- image.h (revision 43242)
+++ image.h (revision 47825)
@@ -190,6 +190,6 @@
# define IMAGE_DIMENSIONS_OK(w, h) \
( ((w) > 0) && ((h) > 0) && \
-((unsigned long long)(w) * (unsigned long long)(w) <= (1ULL << 29) - 1) )
+((unsigned long long)(w) * (unsigned long long)(h) <= (1ULL << 29) - 1) )
#endif
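Review bot: the single `+` line is the entire fix, and it is the right one: the removed line multiplies `(w)` by itself, so `h` is only ever checked for being positive and the macro accepts any height at all, which is exactly why the 1.4.3 loaders that rely on this macro can compute a wrapped buffer size. With `w * h` bounded by `(1ULL << 29) - 1`, a 4-byte-per-pixel buffer is at most `2^31 - 4` bytes, which cannot wrap a 32-bit size, and the product is formed in `unsigned long long` after the `(w) > 0 && (h) > 0` guards, so the arithmetic itself cannot overflow on either 32- or 64-bit builds. One thing worth confirming when backporting: the macro only helps at call sites that actually use it, so the ARGB, XPM and BMP loaders named in the advisory should each be checked to go through `IMAGE_DIMENSIONS_OK()` before allocating.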
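To make the logic error in the `-`/`+` lines concrete, here is an added C example (not imlib2 source and not part of this bug report). The two macros copy the old and fixed expressions from the hunk above; the `argb_buffer_fits_u32()` helper and the sample dimensions are constructed for the demonstration and are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not imlib2 code. The two macros reproduce the
 * '-' and '+' lines of the upstream svn hunk; everything else is added
 * here to show what each version accepts. */

/* imlib2 1.4.3 as shipped: multiplies w by itself, so h is never bounded. */
#define IMAGE_DIMENSIONS_OK_OLD(w, h) \
   ( ((w) > 0) && ((h) > 0) && \
     ((unsigned long long)(w) * (unsigned long long)(w) <= (1ULL << 29) - 1) )

/* Upstream svn r47825: bounds the pixel count w * h. */
#define IMAGE_DIMENSIONS_OK_FIXED(w, h) \
   ( ((w) > 0) && ((h) > 0) && \
     ((unsigned long long)(w) * (unsigned long long)(h) <= (1ULL << 29) - 1) )

int dims_ok_old(int w, int h)   { return IMAGE_DIMENSIONS_OK_OLD(w, h) ? 1 : 0; }
int dims_ok_fixed(int w, int h) { return IMAGE_DIMENSIONS_OK_FIXED(w, h) ? 1 : 0; }

/* Returns 1 if a 4-byte-per-pixel buffer for w x h fits in a 32-bit size
 * without wrapping. The product is computed in 64 bits so this check
 * itself cannot overflow (assumed helper, not from imlib2). */
int argb_buffer_fits_u32(int w, int h)
{
    if (w <= 0 || h <= 0)
        return 0;
    unsigned long long bytes =
        (unsigned long long)w * (unsigned long long)h * 4ULL;
    return bytes <= (unsigned long long)UINT32_MAX;
}

/* Returns 1 when the old macro accepts a (w, h) pair whose buffer size
 * would wrap a 32-bit allocation, i.e. a case the fix exists to reject. */
int old_check_lets_wrap_through(int w, int h)
{
    return dims_ok_old(w, h) && !argb_buffer_fits_u32(w, h);
}

int main(void)
{
    /* Constructed sample dimensions: a normal image, a 1-pixel-wide image
     * with an enormous height, a large square image, and a zero width. */
    struct { int w, h; } cases[] = {
        { 1024, 768 }, { 1, 1 << 30 }, { 23170, 23170 }, { 0, 10 }
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int w = cases[i].w, h = cases[i].h;
        printf("%6d x %-11d old=%d fixed=%d fits_u32=%d wrap_slips_through=%d\n",
               w, h, dims_ok_old(w, h), dims_ok_fixed(w, h),
               argb_buffer_fits_u32(w, h), old_check_lets_wrap_through(w, h));
    }
    return 0;
}
```

The 1 x 2^30 case is the instructive one: the old macro compares 1 * 1 against the limit and passes it, yet its ARGB buffer is 2^32 bytes, which wraps to 0 in a 32-bit size computation; the fixed macro rejects it because 2^30 exceeds 2^29 - 1. Any pair the fixed macro accepts needs at most (2^29 - 1) * 4 bytes, so `argb_buffer_fits_u32()` is always true for it.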
I see new 1.4.3 builds in koji that include the patch. Thank you for including the patch!

http://koji.fedoraproject.org/koji/buildinfo?buildID=168404
http://koji.fedoraproject.org/koji/buildinfo?buildID=168405

So the 1.4.3 builds in Fedora 13 and rawhide contain the patch to correct this flaw.