imlib: Vulnerable to GLSA 200412-03?

Bug #11118 reported by Debian Bug Importer
This bug report is a duplicate of: Bug #11113: imlib: Vulnerable to GLSA 200412-03?
Affects / Status / Importance / Assigned to / Milestone
Debian: Fix Released, importance Unknown
Ubuntu: Invalid, importance High, assigned to Martin Pitt

Bug Description

Automatically imported from Debian bug report #285138 http://bugs.debian.org/285138

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 9 Dec 2004 15:51:07 +0100
From: Andreas Metzler <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: imlib: Vulnerable to GLSA 200412-03?

Package: imlib,imlib+png2
Severity: normal
Tags: security,patch

Hello,
---------------------
http://www.gentoo.org/security/en/glsa/glsa-200412-03.xml
Synopsis
Multiple overflows have been found in the imlib library image decoding
routines, potentially allowing execution of arbitrary code.

2. Impact Information

Background

imlib is an advanced replacement library for image manipulation libraries like
libXpm. It is called by numerous programs, including gkrellm and several window
managers, to help in displaying images.

Description

Pavel Kankovsky discovered that several overflows found in the libXpm library
(see GLSA 200409-34) also applied to imlib. He also fixed a number of other
potential flaws.

Impact

A remote attacker could entice a user to view a carefully-crafted image file,
which would potentially lead to execution of arbitrary code with the rights of
the user viewing the image. This affects any program that makes use of the
imlib library.
[...]
---------------------

Links:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138516
https://bugzilla.fedora.us/show_bug.cgi?id=2051#c11
Patch:
http://gd.tuwien.ac.at/platform/Linux/gentoo-portage/media-libs/imlib/files/imlib-1.9.14-sec2.patch
(does apply cleanly to imlib 1.9.14-17 and imlib+png2 1.9.14-16.)

I am submitting as normal because the given exploit
(http://scary.beasts.org/misc/doom.xpm) does not work for me, and I'd
rather not use an inflated severity.
                 cu andreas
--
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 10 Dec 2004 14:31:55 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: CAN-2004-1026


severity 284925 serious
thanks

This is CAN-2004-1026; please use that number in any changelog entry
fixing this bug.

Unfortunately, the CAN entry currently has no more info than a pointer to
GLSA-200412-03. I dug around and found the redhat bug at
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138516

I was able to crash imlib1 using the image from here:
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=106366&action=view

-- 
see shy jo


Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 10 Dec 2004 22:58:08 +0100
From: Andreas Metzler <email address hidden>
To: Joey Hess <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: CAN-2004-1026 applies to imlib2, too.

clone 284925 -1
tags -1 - patch
# cloning as there is no ready to apply patch for imlib2, the bits and
# pieces from the given one will probably need to be included manually
# in loaders/loader_xpm.c
reassign -1 imlib2
thanks

Joey Hess <email address hidden> wrote:
| I was able to crash imlib1 using the image from here:
| https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=106366&action=view

That one works with imlib2, too:
ametzler@downhill:/tmp$ LANG=C LD_ASSUME_KERNEL=2.4.1 gdb feh
[...]
(gdb) run imlib_die.xpm
[...]
Program received signal SIGSEGV, Segmentation fault.
0x4023a695 in strcat () from /lib/libc.so.6
(gdb) bt
#0 0x4023a695 in strcat () from /lib/libc.so.6
#1 0x40020180 in load () from /usr/lib/imlib2_loaders/image/xpm.so
#2 0xbffff6e0 in ?? ()
[...]
               cu andreas
--
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"

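The backtrace above stops in strcat() inside the imlib2 XPM loader, which is the classic shape of this bug class: colour-table tokens from an untrusted image being concatenated into a fixed-size buffer without a length check. The following C is an added illustration written for this thread, not imlib2's loader_xpm.c and not the Gentoo or Ubuntu patch; the buffer sizes, the helper names (append_bounded, parse_xpm_color_line, xpm_color_status, xpm_color_equals) and the sample colour lines are all constructed. It shows the bounds check that turns an overlong colour name into a rejected image instead of a buffer overflow.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Scratch-buffer size for a single whitespace-separated token. Constructed
 * value for this example; real loaders pick their own sizes. */
#define COLOR_BUF 64

/* Append src to dst without exceeding cap bytes including the NUL.
 * Returns false and leaves dst unchanged if it would not fit. This is
 * exactly the check an unbounded strcat() lacks. */
static bool append_bounded(char *dst, size_t cap, const char *src)
{
    size_t used = strlen(dst);
    size_t add = strlen(src);
    if (used >= cap || add >= cap - used)
        return false;
    memcpy(dst + used, src, add + 1);
    return true;
}

/* Parse one XPM colour-table line such as "a c #FF0000" or ". c None".
 * The first cpp characters are the pixel key; the rest is a list of
 * "<visual> <colour...>" pairs (visuals: c, m, g, g4, s). The colour for
 * the "c" visual is copied into out. Colour names may contain spaces
 * ("dark slate grey"), so tokens are re-joined with single spaces, which
 * is where an unchecked strcat() would overflow a fixed buffer.
 * Returns 0 on success, -1 if malformed, -2 if the colour does not fit. */
int parse_xpm_color_line(const char *line, int cpp, char *out, size_t outcap)
{
    if (cpp < 1 || outcap == 0 || (int)strlen(line) < cpp)
        return -1;
    const char *p = line + cpp;           /* skip the pixel key */
    char tok[COLOR_BUF];
    bool in_color = false, found = false;
    out[0] = '\0';

    while (*p) {
        while (*p && isspace((unsigned char)*p)) p++;
        if (!*p) break;
        size_t n = 0;
        while (p[n] && !isspace((unsigned char)p[n])) n++;
        if (n >= sizeof tok)              /* one token alone cannot fit */
            return -2;
        memcpy(tok, p, n);
        tok[n] = '\0';
        p += n;

        bool is_key = !strcmp(tok, "c") || !strcmp(tok, "m") ||
                      !strcmp(tok, "g") || !strcmp(tok, "g4") ||
                      !strcmp(tok, "s");
        if (is_key) {
            if (in_color && found) break; /* colour complete, next visual */
            in_color = (strcmp(tok, "c") == 0);
            continue;
        }
        if (!in_color) continue;          /* value for another visual */
        if (out[0] != '\0' && !append_bounded(out, outcap, " "))
            return -2;
        if (!append_bounded(out, outcap, tok))
            return -2;
        found = true;
    }
    return found ? 0 : -1;
}

/* Status code for a line parsed into a small 16-byte destination,
 * mirroring the kind of fixed buffer a loader might keep on the stack. */
int xpm_color_status(const char *line, int cpp)
{
    char out[16];
    return parse_xpm_color_line(line, cpp, out, sizeof out);
}

/* 1 if the line parses and its colour equals expect, else 0. */
int xpm_color_equals(const char *line, int cpp, const char *expect)
{
    char out[16];
    if (parse_xpm_color_line(line, cpp, out, sizeof out) != 0)
        return 0;
    return strcmp(out, expect) == 0;
}

int main(void)
{
    /* Constructed sample lines, not taken from the crashing attachment. */
    const char *samples[] = {
        "a c #FF0000",
        ".. c dark slate grey m black",
        "a c AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
        "a m black",
    };
    int cpps[] = {1, 2, 1, 1};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char out[16];
        int rc = parse_xpm_color_line(samples[i], cpps[i], out, sizeof out);
        printf("%-44s -> rc=%d colour=\"%s\"\n", samples[i], rc,
               rc == 0 ? out : "");
    }
    return 0;
}
```

The third sample is the interesting one: a 40-character colour name is rejected with -2 before a single byte is written past the 16-byte destination, and the caller can fail the whole image load. A loader that instead used strcat() on that line would write well past the buffer, which is the behaviour the SIGSEGV in the backtrace above reflects.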
Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 11 Dec 2004 11:32:13 +0100
From: Andreas Metzler <email address hidden>
To: <email address hidden>
Subject: Re: CAN-2004-1026 applies to imlib2, too.

On 2004-12-10 Andreas Metzler <email address hidden> wrote:
[...]
> Joey Hess <email address hidden> wrote:
> | I was able to crash imlib1 using the image from here:
> | https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=106366&action=view

> That one works with imlib2, too:
> ametzler@downhill:/tmp$ LANG=C LD_ASSUME_KERNEL=2.4.1 gdb feh
[...]

Identical results with the version in woody.
ii feh 1.1.1-1 imlib2 based image viewer
ii libimlib2 1.0.5-2woody1 Powerful image loading and rendering library
ii xlibs 4.1.0-16woody5 X Window System client libraries
               cu andreas
--
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"

Revision history for this message
Martin Pitt (pitti) wrote :

This bug has been marked as a duplicate of bug 11113.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 6 Jan 2005 17:52:04 +0100
From: Martin Pitt <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: Ubuntu patch


tag 285138 patch
thanks

Hi!

Upstream fixed the XPM loader in CVS, and I notified him about the
outstanding BMP loader fix.

Here is the Ubuntu debdiff to fix these bugs:

http://patches.ubuntu.com/patches/imlib2.CAN-2004-1025.diff

Martin

-- 
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org


Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 8 Jan 2005 00:02:10 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: Re: imlib: Vulnerable to GLSA 200412-03?


tags 285138 +fixed
thanks

This bug was fixed in the NMU of imlib2 1.1.2-2.1, which referenced the
wrong bug number in the changelog by mistake.

Thanks,
-- 
Steve Langasek
postmodern programmer


Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 10 Jan 2005 16:28:15 -0600
From: "Laurence J. Lane" <email address hidden>
To: <email address hidden>
Subject: cleanup

fixed in sarge with 1.1.2-2.1

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 11 Jan 2005 09:03:59 +0100
From: Andreas Metzler <email address hidden>
To: <email address hidden>
Subject: Re: Bug#285138 acknowledged by developer (cleanup)

On 2005-01-10 Debian Bug Tracking System <email address hidden> wrote:
> This is an automatic notification regarding your Bug report
> #285138: imlib: Vulnerable to GLSA 200412-03?,
> which was filed against the imlib2 package.

> It has been closed by one of the developers, namely
> "Laurence J. Lane" <email address hidden>.
[...]
> fixed in sarge with 1.1.2-2.1

Thanks, just for reference woody has also been fixed in
<http://www.debian.org/security/2005/dsa-628>, so we are clean.
           cu andreas
--
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"
                                           http://downhill.aus.cc/
