imlib: Vulnerable to GLSA 200412-03?
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Debian | Fix Released | Unknown | | |
Ubuntu | Fix Released | High | Martin Pitt | |
Bug Description
Automatically imported from Debian bug report #284925 http://
In Debian Bug tracker #284925, Joey Hess (joeyh) wrote : CAN-2004-1026 | #1 |
Debian Bug Importer (debzilla) wrote : | #2 |
Automatically imported from Debian bug report #284925 http://
Debian Bug Importer (debzilla) wrote : | #3 |
Message-ID: <email address hidden>
Date: Thu, 9 Dec 2004 15:51:07 +0100
From: Andreas Metzler <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: imlib: Vulnerable to GLSA 200412-03?
Package: imlib,imlib+png2
Severity: normal
Tags: security,patch
Hello,
-------
http://
Synopsis
Multiple overflows have been found in the imlib library image decoding
routines, potentially allowing execution of arbitrary code.
2. Impact Information
Background
imlib is an advanced replacement library for image manipulation libraries like
libXpm. It is called by numerous programs, including gkrellm and several window
managers, to help in displaying images.
Description
Pavel Kankovsky discovered that several overflows found in the libXpm library
(see GLSA 200409-34) also applied to imlib. He also fixed a number of other
potential flaws.
Impact
A remote attacker could entice a user to view a carefully-crafted image file,
which would potentially lead to execution of arbitrary code with the rights of
the user viewing the image. This affects any program that makes use of the
imlib library.
[...]
-------
Links:
https:/
https:/
Patch:
http://
(does apply cleanly to imlib 1.9.14-17 and imlib+png2 1.9.14-16.)
I am submitting as normal because the given exploit
(http://
rather not use an inflated severity.
cu andreas
--
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"
Debian Bug Importer (debzilla) wrote : | #4 |
Message-ID: <email address hidden>
Date: Fri, 10 Dec 2004 14:31:55 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: CAN-2004-1026
severity 284925 serious
thanks
This is CAN-2004-1026; please use that number in any changelog entry
fixing this bug.
Unfortunately, the CAN entry currently has no more info than a pointer to
GLSA-200412-03. I dug around and found the redhat bug at
https:/
I was able to crash imlib1 using the image from here:
https:/
--
see shy jo
In Debian Bug tracker #284925, Andreas Metzler (ametzler-downhill) wrote : CAN-2004-1026 applies to imlib2, too. | #5 |
clone 284925 -1
tags -1 - patch
# cloning as there is no ready to apply patch for imlib2, the bits and
# pieces from the given one will probably need to be included manually
# in loaders/
reassign -1 imlib2
thanks
Joey Hess <email address hidden> wrote:
| I was able to crash imlib1 using the image from here:
| https:/
That one works with imlib2, too:
ametzler@
[...]
(gdb) run imlib_die.xpm
[...]
Program received signal SIGSEGV, Segmentation fault.
0x4023a695 in strcat () from /lib/libc.so.6
(gdb) bt
#0 0x4023a695 in strcat () from /lib/libc.so.6
#1 0x40020180 in load () from /usr/lib/
#2 0xbffff6e0 in ?? ()
[...]
cu andreas
--
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"
Debian Bug Importer (debzilla) wrote : | #6 |
Message-ID: <email address hidden>
Date: Fri, 10 Dec 2004 22:58:08 +0100
From: Andreas Metzler <email address hidden>
To: Joey Hess <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: CAN-2004-1026 applies to imlib2, too.
In Debian Bug tracker #284925, Andreas Metzler (ametzler-downhill) wrote : Re: Bug#284925: imlib: Vulnerable to GLSA 200412-03? | #7 |
On 2004-12-09 Andreas Metzler <email address hidden> wrote:
> Package: imlib,imlib+png2
> Severity: normal
> Tags: security,patch
> Hello,
> -------
> http://
> Synopsis
> Multiple overflows have been found in the imlib library image decoding
> routines, potentially allowing execution of arbitrary code.
[...]
Applies to woody, too.
WOODYametzler@
(gdb) run imlib_die.xpm
Starting program: /tmp/imlib-
Program received signal SIGSEGV, Segmentation fault.
0x400b2464 in strcat () from /lib/libc.so.6
(gdb) bt
#0 0x400b2464 in strcat () from /lib/libc.so.6
#1 0x4001f44f in _LoadXPM () from /usr/lib/
#2 0x41414141 in ?? ()
Cannot access memory at address 0x41414141
ii imlib1 1.9.14-2wody1 Imlib is an imaging library for X and X11
ii xlibs 4.1.0-16woody5 X Window System client libraries
cu andreas
--
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"
Debian Bug Importer (debzilla) wrote : | #8 |
Message-ID: <email address hidden>
Date: Sat, 11 Dec 2004 11:48:30 +0100
From: Andreas Metzler <email address hidden>
To: <email address hidden>
Subject: Re: Bug#284925: imlib: Vulnerable to GLSA 200412-03?
In Debian Bug tracker #284925, Steve Langasek (vorlon) wrote : | #9 |
I've prepared an NMU for imlib based on the Red Hat patch, which I will
be uploading shortly; I've confirmed that imlib11 no longer segfaults
with the sample image after this patch is applied.
Note that the Red Hat patch includes a typo (semicolon at the end of an
if) that almost certainly leaves a hole open; this has been corrected in
the attached patch.
Thanks,
--
Steve Langasek
postmodern programmer
In Debian Bug tracker #284925, Steve Langasek (vorlon) wrote : Fixed in NMU of imlib 1.9.14-17.1 | #10 |
tag 284925 + fixed
quit
This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.
Format: 1.7
Date: Thu, 16 Dec 2004 05:57:41 -0800
Source: imlib
Binary: imlib11 imlib11-dev
Architecture: source i386
Version: 1.9.14-17.1
Distribution: unstable
Urgency: high
Maintainer: Steve M. Robbins <email address hidden>
Changed-By: Steve Langasek <email address hidden>
Description:
imlib11 - Imlib is an imaging library for X and X11
imlib11-dev - Imlib is an imaging library for X and X11
Closes: 284925
Changes:
imlib (1.9.14-17.1) unstable; urgency=high
.
* Non-maintainer upload.
* High-urgency upload for sarge-targetted RC bugfix
* CAN-2004-1026: fix various overflows in image decoding routines.
Closes: #284925.
Debian Bug Importer (debzilla) wrote : | #11 |
Message-ID: <email address hidden>
Date: Fri, 17 Dec 2004 15:26:43 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: Re: imlib: Vulnerable to GLSA 200412-03?
I've prepared an NMU for imlib based on the Red Hat patch, which I will
be uploading shortly; I've confirmed that imlib11 no longer segfaults
with the sample image after this patch is applied.
Note that the Red Hat patch includes a typo (semicolon at the end of an
if) that almost certainly leaves a hole open; this has been corrected in
the attached patch.
Thanks,
--
Steve Langasek
postmodern programmer
diff -u imlib-1.
--- imlib-1.
+++ imlib-1.
@@ -4,6 +4,8 @@
#include "Imlib_private.h"
#include <setjmp.h>
=20
+#define G_MAXINT ((int) 0x7fffffff)
+
/* Split the ID - damages input */
=20
static char *
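Review bot: the added `#define G_MAXINT ((int) 0x7fffffff)` near the top of the file borrows a GLib macro name, has no `#ifndef` guard and hardcodes a 32-bit int. `INT_MAX` from `<limits.h>` states the same bound without those problems and cannot clash if a GLib header is ever included in this file.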
@@ -41,13 +43,17 @@
=20
/*
* Make sure we don't wrap on our memory allocations
+ * we check G_MAXINT/4 because rend.c malloc's w * h * bpp
+ * + 3 is safety margin
*/
=20
void * _imlib_
{
- if( w > 32767 || h > 32767)
+ if (w <=3D 0 || w > 32767 ||
+ h <=3D 0 || h > 32767 ||
+ h >=3D (G_MAXINT/4 - 1) / w)
- return malloc(w * h * 3);
+ return malloc(w * h * 3 + 3);
}
=20
#ifdef HAVE_LIBJPEG
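Review bot: in the allocation helper, the new bound `h >= (G_MAXINT/4 - 1) / w` is only safe because `w <= 0` is tested first in the same `||` chain, so a later reorder would turn it into a division by zero; a short comment on that ordering would help. The block comment explains the /4 by pointing at rend.c, but the `+ 3` in `malloc(w * h * 3 + 3)` is described only as a safety margin: name the reader that needs the extra bytes, or fix that reader instead.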
@@ -360,7 +366,9 @@
npix =3D ww * hh;
*w =3D (int)ww;
*h =3D (int)hh;
- if(ww > 32767 || hh > 32767)
+ if (ww <=3D 0 || ww > 32767 ||
+ hh <=3D 0 || hh > 32767 ||
+ hh >=3D (G_MAXINT/
{
return NULL;
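Review bot: the context lines above the new check still compute `npix = ww * hh` and store `*w` and `*h` before `ww` and `hh` have been validated, so the product is taken on unchecked values and the caller's out-parameters are already overwritten when this returns NULL. Moving those three assignments below the check would make the guard cover them.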
@@ -463,7 +471,7 @@
}
*w =3D gif->Image.Width;
*h =3D gif->Image.Height;
- if (*h > 32767 || *w > 32767)
+ if (*h <=3D 0 || *h > 32767 || *w <=3D 0 || *w > 32767)
{
return NULL;
}
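Review bot: the GIF check gains the `<= 0` tests but not the `(G_MAXINT/4 - 1) / w` product bound that the two hunks above add, and 32767 * 32767 * 3 does not fit in a 32-bit int. If the GIF path allocates through the bounded helper this is covered; if it multiplies `*w` by `*h` itself anywhere, it needs the same bound.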
@@ -965,7 +973,12 @@
comment =3D 0;
quote =3D 0;
context =3D 0;
+ memset(lookup, 0, sizeof(lookup));
+
line =3D malloc(lsz);
+ if (!line)
+ return NULL;
+
while (!done)
{
pc =3D c;
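Review bot: `memset(lookup, 0, sizeof(lookup))` clears the whole table only if `lookup` is declared as an array in this function; if it is a pointer, `sizeof` gives the pointer size and most of the table stays uninitialised, so confirm the declaration or pass an explicit size. For the new `if (!line) return NULL;`, check that nothing acquired earlier in the loader is left unreleased on that path.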
@@ -994,25 +1007,25 @@
{
/* Header */
sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp);
- if (ncolors > 32766)
+ if (ncolors <=3D 0 || ncolors > 32766)
{
ported\n");
return NULL;
}
- if (cpp > 5)
+ if (cpp <=3D 0 || cpp > 5)
{
> 5 not supported\n");
return NULL;
}
- if (*w > 32767)
+ if (*w <=3D 0 || *w > 32767)
...
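Review bot: the header parse `sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp)` has its return value ignored, so on a short or malformed header the new `<= 0` and upper-bound tests run on whatever `ncolors` and `cpp` held before the call. Compare the result against 4 and return NULL otherwise; `%i` also accepts octal and hex prefixes, so `%d` is the tighter conversion if only decimal headers are expected.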
Debian Bug Importer (debzilla) wrote : | #12 |
Message-Id: <email address hidden>
Date: Fri, 17 Dec 2004 18:47:05 -0500
From: Steve Langasek <email address hidden>
To: <email address hidden>
Cc: Steve Langasek <email address hidden>, <email address hidden> (Steve M. Robbins)
Subject: Fixed in NMU of imlib 1.9.14-17.1
In Debian Bug tracker #284925, Steve Langasek (vorlon) wrote : Fixed in NMU of imlib+png2 1.9.14-16.1 | #13 |
tag 284925 + fixed
quit
This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.
Format: 1.7
Date: Fri, 17 Dec 2004 23:33:23 -0800
Source: imlib+png2
Binary: gdk-imlib1 imlib-progs gdk-imlib1-dev imlib1 imlib1-dev imlib-base
Architecture: source i386 all
Version: 1.9.14-16.1
Distribution: unstable
Urgency: high
Maintainer: Steve M. Robbins <email address hidden>
Changed-By: Steve Langasek <email address hidden>
Description:
gdk-imlib1 - imaging library for use with gtk (using libpng2)
gdk-imlib1-dev - Header files needed for Gdk-Imlib development (using libpng2)
imlib-base - Common files needed by the Imlib/Gdk-Imlib packages
imlib-progs - Configuration program for Imlib and GDK-Imlib
imlib1 - imaging library for X and X11 (using libpng2)
imlib1-dev - Header files needed for Imlib development (using libpng2)
Closes: 284925
Changes:
imlib+png2 (1.9.14-16.1) unstable; urgency=high
.
* Non-maintainer upload.
* High-urgency upload for sarge-targetted RC bugfix
* CAN-2004-1026: fix various overflows in image decoding routines.
Closes: #284925.
Debian Bug Importer (debzilla) wrote : | #14 |
Message-Id: <email address hidden>
Date: Sat, 18 Dec 2004 03:02:05 -0500
From: Steve Langasek <email address hidden>
To: <email address hidden>
Cc: Steve Langasek <email address hidden>, <email address hidden> (Steve M. Robbins)
Subject: Fixed in NMU of imlib+png2 1.9.14-16.1
In Debian Bug tracker #284925, Steve Langasek (vorlon) wrote : | #15 |
tags 284925 +woody sarge
tags 284925 -fixed
thanks
As expected, the previously supplied patch applies equally well to
imlib+png2, requiring only an edit of debian/changelog.
An NMU of this package has also been uploaded, so this bug now only applies
to sarge and woody (and only to the imlib package in the latter case).
Thanks,
--
Steve Langasek
postmodern programmer
Debian Bug Importer (debzilla) wrote : | #16 |
Message-ID: <email address hidden>
Date: Sat, 18 Dec 2004 00:47:54 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: Re: imlib: Vulnerable to GLSA 200412-03?
In Debian Bug tracker #284925, Andreas Metzler (ametzler-downhill) wrote : NMU fixing these bugs has propagated to sarge | #17 |
# both imlib+png2 1.9.14-16.1 and imlib 1.9.14-17.1 have propagated to
# sarge
tags 284925 - sarge
thanks
cu andreas
Debian Bug Importer (debzilla) wrote : | #18 |
Message-ID: <email address hidden>
Date: Tue, 21 Dec 2004 22:44:15 +0100
From: Andreas Metzler <email address hidden>
To: <email address hidden>
Subject: NMU fixing these bugs has propagated to sarge
In Debian Bug tracker #284925, Martin Schulze (joey-infodrom) wrote : CVE ids | #19 |
FWIW: These problems have been assigned both CAN-2004-1025 and CAN-2004-1026.
Regards,
Joey
--
Open source is important from a technical angle. -- Linus Torvalds
Please always Cc to me when replying to me on the lists.
Debian Bug Importer (debzilla) wrote : | #20 |
Message-ID: <email address hidden>
Date: Thu, 23 Dec 2004 19:18:05 +0100
From: Martin Schulze <email address hidden>
To: <email address hidden>
Subject: CVE ids
Martin Pitt (pitti) wrote : | #21 |
*** Bug 11118 has been marked as a duplicate of this bug. ***
Martin Pitt (pitti) wrote : | #22 |
Fixed in Warty:
imlib+png2 (1.9.14-
.
* SECURITY UPDATE: fix several buffer and integer overflows in image
decoding routines (Ubuntu bug #11113)
* Thanks to Pavel Kankovsky for discovering this and the patch
* References:
CAN-2004-1025, CAN-2004-1026
http://
Sync requested for Hoary.
This affects imlib2, too, so I leave the bug open for now.
Martin Pitt (pitti) wrote : | #23 |
I notified upstream and asked about the status of this.
Martin Pitt (pitti) wrote : | #24 |
(In reply to comment #12)
> This affects imlib2, too, so I leave the bug open for now.
Fixed in Warty in imlib2_
Fixed in Hoary in imlib2_
In Debian Bug tracker #284925, Joey Hess (joeyh) wrote : Fixed in NMU of imlib2 1.1.2-2.1 | #25 |
tag 284925 + fixed
quit
This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.
Format: 1.7
Date: Thu, 6 Jan 2005 16:29:53 -0500
Source: imlib2
Binary: libimlib2 libimlib2-dev
Architecture: source i386
Version: 1.1.2-2.1
Distribution: unstable
Urgency: high
Maintainer: Laurence J. Lane <email address hidden>
Changed-By: Joey Hess <email address hidden>
Description:
libimlib2 - powerful image loading and rendering library
libimlib2-dev - Imlib2 development files
Closes: 284925
Changes:
imlib2 (1.1.2-2.1) unstable; urgency=HIGH
.
* NMU with the following changes taken from the Ubuntu patch by Martin Pitt
Closes: #284925
* SECURITY UPDATE: fix several buffer overflows
* loaders/
* loaders/
- check for negative image attributes
- check the length of the "col" buffer to avoid overflowing it
- patch taken from upstream CVS
* References:
CAN-2004-1025
CAN-2004-1026
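The two checks named in the changelog above (negative image attributes, length of the "col" buffer), as an added C example that is not the imlib2 source or the uploaded patch. The function names, the 256-byte buffer size and the sample lines are assumptions made for illustration; the numeric limits are the ones in the imlib patch earlier in this report.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COL_SIZE 256 /* assumed size of the fixed colour-name buffer */

/* Parse one decimal int from *p and advance *p. Returns 0 on success. */
static int next_int(const char **p, int *out)
{
    char *end;
    long v;
    errno = 0;
    v = strtol(*p, &end, 10);
    if (end == *p || errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return -1;
    *p = end;
    *out = (int)v;
    return 0;
}

/* Header line "<w> <h> <ncolors> <cpp>": every field must be present,
 * positive and within the limits used in the imlib patch. */
int xpm_check_header(const char *line, int *w, int *h, int *ncolors, int *cpp)
{
    const char *p = line;
    if (next_int(&p, w) || next_int(&p, h) ||
        next_int(&p, ncolors) || next_int(&p, cpp))
        return -1;
    if (*w <= 0 || *w > 32767 || *h <= 0 || *h > 32767)
        return -1;
    if (*ncolors <= 0 || *ncolors > 32766 || *cpp <= 0 || *cpp > 5)
        return -1;
    /* w > 0 is established above, so the division is safe; it bounds
     * w * h * 4 without performing the multiplication that could wrap. */
    if (*h >= (INT_MAX / 4 - 1) / *w)
        return -1;
    return 0;
}

/* Bounded append. The unbounded form is strcat(col, " "); strcat(col, word);
 * with no length test. Returns -1 and leaves col unchanged if word does not fit. */
int col_append(char *col, size_t colsz, const char *word)
{
    size_t used = strlen(col);
    size_t wlen = strlen(word);
    size_t need = wlen + (used ? 1 : 0); /* separator + word */
    if (need >= colsz - used) /* keep one byte for the NUL */
        return -1;
    if (used)
        col[used++] = ' ';
    memcpy(col + used, word, wlen + 1);
    return 0;
}

/* Gather the whitespace-separated words of line into col.
 * Returns the word count, or -1 if the line does not fit. */
int collect_colour_name(const char *line, char *col, size_t colsz)
{
    char word[COL_SIZE];
    int n = 0, used = 0;
    col[0] = '\0';
    while (sscanf(line, " %255s%n", word, &used) == 1) {
        if (col_append(col, colsz, word) != 0)
            return -1;
        line += used;
        n++;
    }
    return n;
}

int main(void)
{
    char col[COL_SIZE];
    int w, h, nc, cpp;
    /* constructed sample lines */
    printf("header ok:  %d\n", xpm_check_header("16 16 2 1", &w, &h, &nc, &cpp));
    printf("header neg: %d\n", xpm_check_header("-1 16 2 1", &w, &h, &nc, &cpp));
    printf("words: %d\n", collect_colour_name("light sea green", col, sizeof col));
    return 0;
}
```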
Debian Bug Importer (debzilla) wrote : | #26 |
Message-Id: <email address hidden>
Date: Thu, 06 Jan 2005 17:02:07 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Cc: Joey Hess <email address hidden>, <email address hidden> (Laurence J. Lane)
Subject: Fixed in NMU of imlib2 1.1.2-2.1
In Debian Bug tracker #284925, Peter Eisentraut (petere) wrote : Package has been removed | #32 |
This package has been removed from sid and etch, so the bugs are no
longer applicable.
In Debian Bug tracker #284925, Peter Eisentraut (petere) wrote : reopening 284925 | #33 |
# Automatically generated email from bts, devscripts version 2.9.20
# maybe keep that one
reopen 284925
In Debian Bug tracker #284925, Adam D. Barratt (debian-bts-adam-barratt) wrote : Bugs fixed in NMU, documenting versions | #34 |
# Hi,
#
# These bugs were fixed in an NMU, but have not been acknowledged by the
# maintainers. With version tracking in the Debian BTS, it is important
# to know which version of a package fixes each bug so that they can be
# tracked for release status, so I'm closing these bugs with the
# relevant version information now
close 271146 2.10c-3.1
close 271221 0.9.14-1.1
close 273411 0.9.14-1.1
close 271673 6:6.0.6.2-1.3
close 271956 1.0-7.1
close 272245 2.04-11.2
close 273043 5.0.13-0.1
close 273338 1.2-4.2
close 273357 0.16.14-1.2
close 271221 0.9.14-1.1
close 273411 0.9.14-1.1
close 273613 1.0.5-1.1
close 273800 1.3-0.1
close 274087 2.1.19-1.2
close 275431 2.1.19-1.2
close 274106 1:19970918-12.2
close 274501 0.99.16-1.1
close 274503 0.99.17-2.1
close 274507 0.4-9.1
close 274955 0.3.35.1
close 275432 1.5.28-6.2
close 276637 2.1.19-1.4
close 276825 3.8.3-4.1
close 276851 0.61-6.1
close 278001 0.99.17-2.2
close 279483 6.1
close 279484 1.1
close 280309 1.5-9.1
close 212905 1.5-9.1
close 235681 1.5-9.1
close 236463 1.5-9.1
close 280337 3.2.0.115-7.1
close 356855 3.2.0.115-7.1
close 281282 0.9.3-2
close 282879 2.04-11.1
close 300174 1.0.0b-4.1
close 283756 0.63-1.2
close 284741 0.1.18-1.2
close 284872 0.70-pre2003112
close 284925 1.1.2-2.1
close 285058 1.2-7.1
close 347152 0.9.7.1+
close 285528 2.3.11-1.1
close 322368 2.3.11-1.1
close 285605 2.1.19-1.6
close 285628 0.8.3-1.1
close 285762 0.94-7woody4
close 289464 0.94-7woody4
close 285889 0.98.38-1.1
close 285902 20050625-0.1
close 285918 3.06-9.1
close 288966 3.06-9.1
close 326367 3.06-9.1
close 346671 3.06-9.1
close 286309 1:0.5.0-1.1
close 286633 1:0.5.0-1.1
close 286492 2.5.7-3
close 329499 2.5.7-3
close 287059 2.0.12-1.1
close 287066 2.1.1-3.1
close 314008 2.1.1-3.1
close 327992 2.1.1-3.1
close 287190 1.99.11-1.1
close 287628 0.6-10.1
close 323728 0.6-10.1
close 287629 2.0b3-13.1
close 287639 0.6.2-2.1
close 287677 1.4.8-9.1
close 206905 0.7-7.1
close 221950 0.7-7.1
close 287749 0.7-7.1
close 296526 0.7-7.1
close 317259 0.7-7.1
close 287886 0.4.2+cvs.
close 336046 0.4.2+cvs.
close 287891 2.1.8-2.1
close 326106 2.1.8-2.1
close 275651 0.6.0-8.1
close 287923 0.6.0-8.1
close 313937 0.6.0-8.1
close 324839 0.6.0-8.1
close 288158 200300506-1.1
close 288441 1.0.8-1.1
close 336944 1.0.8-1.1
close 288536 0.0.7E6F3-4.1
close 290390 0.0.7E6F3-4.1
close 295080 0.0.7E6F3-4.1
close 318375 0.0.7E6F3-4.1
close 288819 0.1.5.9+
close 288834 0.2.1-1.1
close 307036 0.2.1-1.1
close 322985 0.2.1-1.1
close 322993 0.2.1-1.1
close 288925 0.9.5+really0.
severity 284925 serious
thanks
This is CAN-2004-1026; please use that number in any changelog entry
fixing this bug.
Unfortunately, the CAN entry currently has no more info than a pointer to
GLSA-200412-03. I dug around and found the redhat bug at
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138516
I was able to crash imlib1 using the image from here:
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=106366&action=view
--
see shy jo