libxpm4: new buffer overflow security hole (CAN-2005-0605)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libxpm (Debian) | Fix Released | Unknown | |
libxpm (Ubuntu) | Fix Released | High | Daniel Stone |
Bug Description
Automatically imported from Debian bug report #299272 http://
In Debian Bug tracker #299272, Joey Hess (joeyh) wrote : Fixed in NMU of lesstif1-1 1:0.93.94-11.1 | #1 |
In Debian Bug tracker #299272, Branden Robinson (branden) wrote : xfree86 4.1.0-16woody6 available to fix CAN-2005-0605 | #2 |
The following URL contains source and binary packages for powerpc resolving
CAN-2005-0605[1], which is described as:
The XPM library's scan.c file may allow attackers to execute arbitrary code
by crafting a malicious XPM image file containing a negative bitmap_unit
value that provokes a buffer overflow.
http://
I'm attaching a GPG-signed file, MD5SUMS.txt, that you can use to verify
the download.
This package makes two changes:
1) It applies the purported fix for CAN-2005-0605. I know of no exploit
for this vulnerability, so I was unable to test this.
2) It fixes the regression in XPM file-writing introduced by the fix for
CAN-2004-0914 (in -16woody5). I confirmed that saving XPM files in a
woody environment with -16woody5 with the GIMP didn't work, and that
upgrading to -16woody6 restored the functionality.
Please also find at the above URL:
* my package build log, xfree86_
clean, up-to-date woody chroot
* xfree86_
installing and purging these packages in a woody chroot
* xfree86_
upgrading these packages from -16woody5 and downgrading them back to
-16woody5 in a woody chroot
* test-x11-packages, the shell script I used to automate the above QA tests
Please let me know if you require anything else regarding this
vulnerability.
[1] http://
--
G. Branden Robinson | Somewhere, there is a .sig so funny
Debian GNU/Linux | that reading it will cause an
<email address hidden> | aneurysm. This is not that .sig.
http://
In Debian Bug tracker #299272, Martin Schulze (joey-infodrom) wrote : | #3 |
Branden Robinson wrote:
> The following URL contains source and binary packages for powerpc resolving
> CAN-2005-0605[1], which is described as:
>
> The XPM library's scan.c file may allow attackers to execute arbitrary code
> by crafting a malicious XPM image file containing a negative bitmap_unit
> value that provokes a buffer overflow.
Looks fine, pushed into the buildd network. Thanks a lot!
Regards,
Joey
--
A mathematician is a machine for converting coffee into theorems. Paul Erdös
Please always Cc to me when replying to me on the lists.
In Debian Bug tracker #299272, Branden Robinson (branden) wrote : #298939 should not have been marked fixed by lesstif1-1 NMU | #4 |
clone 298939 -1
retitle -1 lesstif1-1: copy of libXpm code affected by buffer overflow CAN-2005-0605
reassign -1 lesstif1-1
# I don't actually know if it's fixed upstream yet in LessTif, but I'm
# guessing it's not.
tag -1 - fixed-upstream
# libxpm4 is not fixed until the security buildds' packages are uploaded.
tag 298939 - fixed
thanks
Hi Joey,
Did you mean to only reference #298939 in your NMU of lesstif1-1? You said
"Closes:", which marked as fixed the bug I filed against libxpm4, which is
not part of lesstif1-1 and is not yet fixed.
I am assuming your closing of #298939 is in error (since it's not
accurate), and cloning a copy of it for CAN-2005-0605's effect on
lesstif1-1.
--
G. Branden Robinson |
Debian GNU/Linux | If ignorance is bliss,
<email address hidden> | is omniscience hell?
http://
In Debian Bug tracker #299272, Joey Hess (joeyh) wrote : | #5 |
tag 298183 fixed
merge 298183 299236
thanks
Branden Robinson wrote:
> clone 298939 -1
> retitle -1 lesstif1-1: copy of libXpm code affected by buffer overflow CAN-2005-0605
> reassign -1 lesstif1-1
> # I don't actually know if it's fixed upstream yet in LessTif, but I'm
> # guessing it's not.
> tag -1 - fixed-upstream
> # libxpm4 is not fixed until the security buildds' packages are uploaded.
> tag 298939 - fixed
> thanks
>
> Hi Joey,
>
> Did you mean to only reference #298939 in your NMU of lesstif1-1? You said
> "Closes:", which marked as fixed the bug I filed against libxpm4, which is
> not part of lesstif1-1 and is not yet fixed.
>
> I am assuming your closing of #298939 is in error (since it's not
> accurate), and cloning a copy of it for CAN-2005-0605's effect on
> lesstif1-1.
Sorry, I meant to refer to bug #298183 which was already open on
lesstif1 for the same vulnerability.
--
see shy jo
In Debian Bug tracker #299272, Branden Robinson (branden) wrote : cloning another copy of #298939 for xfree86 4.3 | #6 |
clone 298939 -1
reassign -1 libxpm4
retitle 298939 xlibs: new buffer overflow security hole (CAN-2005-0605)
reassign 298939 xlibs
# Per the bug logs, the Debian Security Team has xfree86 4.1.0-16woody6,
# which fixes this. It's also fixed in the X Strike Force Subversion
# repository for XFree86, in branches/
tag 298939 + pending woody
thanks
--
G. Branden Robinson | Any man who does not realize that
Debian GNU/Linux | he is half an animal is only half a
<email address hidden> | man.
http://
In Debian Bug tracker #299272, Branden Robinson (branden) wrote : tagging 299272 | #7 |
# Automatically generated email from bts, devscripts version 2.8.10
# fixed in Debian X Strike Force XFree86 repository; to view, run "svn diff -r 2216:2217 svn://necrotic.
tags 299272 + pending
Debian Bug Importer (debzilla) wrote : | #8 |
Automatically imported from Debian bug report #299272 http://
Debian Bug Importer (debzilla) wrote : | #9 |
Message-Id: <email address hidden>
Date: Thu, 10 Mar 2005 14:01:37 -0500
From: Branden Robinson <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: libxpm4: new buffer overflow security hole (CAN-2005-0605)
Package: libxpm4
Version: 4.3.0.dfsg.1-12
Severity: grave
Tags: security, upstream, fixed-upstream, patch
CAN-2005-0605 indicates that "scan.c for LibXPM may allow attackers to
execute arbitrary code via a negative bitmap_unit value that leads to a
buffer overflow."
Patch is here:
https:/
Description is here:
https:/
Gentoo issued an advisory about this on 4 March.
Ubuntu issued an advisory about this on 7 March.
I learned about this from Linux Weekly News.
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: powerpc (ppc)
Kernel: Linux 2.6.9-powerpc-smp
Locale: LANG=C, LC_CTYPE=
Versions of packages libxpm4 depends on:
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
-- no debconf information
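The report above describes the bug class in one sentence: a negative bitmap_unit reaching scan.c and provoking a buffer overflow. The C program below is an added illustration of that class; it is not libXpm's scan.c and not code from this bug report or from any of the packages discussed. The ImageHdr struct, the function names, the 1-bit-per-pixel row layout and the sample_row bytes are all assumptions made for the demo. It shows why a signed unit size taken from image data and used as a stride with no range check turns write offsets negative, and beside it the shape of check a fix needs: accept only the legal X11 unit sizes and bound the whole row in size_t arithmetic before copying.

```c
/* Added illustration of the bug class behind CAN-2005-0605. NOT libXpm's
 * scan.c: the struct, function names, row layout and sample bytes below are
 * assumptions made for this demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Subset of an XImage header that a 1-bit-per-pixel scanline scanner needs. */
typedef struct {
    int width;        /* pixels per row */
    int bitmap_unit;  /* bits per load unit: 8, 16 or 32 in a well-formed image */
} ImageHdr;

/* Offset a naive scanner computes for byte k of unit u. The stride is
 * bitmap_unit/8 with no check that it is positive: for bitmap_unit = -8
 * the stride is -1, so units 1, 2, 3 ... land at dst[-1], dst[-2], dst[-3]. */
long unit_offset_unchecked(const ImageHdr *h, int u, int k)
{
    int unit_bytes = h->bitmap_unit / 8;   /* negative when bitmap_unit < 0 */
    return (long)u * unit_bytes + k;
}

/* Walk `nunits` units the way the naive scanner would and count the write
 * offsets that fall outside [0, dst_len). Nothing is written, so the demo
 * itself stays memory-safe; a real scanner would perform those writes. */
long count_oob_writes_unchecked(const ImageHdr *h, int nunits, size_t dst_len)
{
    int unit_bytes = h->bitmap_unit / 8;
    int span = unit_bytes < 0 ? -unit_bytes : unit_bytes;   /* bytes per unit */
    long oob = 0;
    for (int u = 0; u < nunits; u++)
        for (int k = 0; k < span; k++) {
            long off = unit_offset_unchecked(h, u, k);
            if (off < 0 || (size_t)off >= dst_len)
                oob++;
        }
    return oob;
}

/* The check a fix amounts to: accept only the X11 unit sizes. */
int bitmap_unit_is_valid(int bitmap_unit)
{
    return bitmap_unit == 8 || bitmap_unit == 16 || bitmap_unit == 32;
}

/* Hardened row copy: validate the unit, compute stride and row length in
 * size_t, and bound the whole row against both buffers before writing.
 * Returns bytes copied, or -1 when the header or buffers are rejected. */
long copy_row_checked(const ImageHdr *h, const uint8_t *src, size_t src_len,
                      uint8_t *dst, size_t dst_len)
{
    if (!bitmap_unit_is_valid(h->bitmap_unit) || h->width <= 0)
        return -1;
    size_t unit = (size_t)h->bitmap_unit;
    size_t nunits = ((size_t)h->width + unit - 1) / unit;  /* round up to whole units */
    size_t row_bytes = nunits * (unit / 8);
    if (row_bytes > dst_len || row_bytes > src_len)
        return -1;
    memcpy(dst, src, row_bytes);
    return (long)row_bytes;
}

/* Constructed sample: a 32-pixel row packed as four bytes (not real XPM data). */
static const uint8_t sample_row[8] = {0xAA, 0x55, 0xF0, 0x0F, 0, 0, 0, 0};

/* Hostile header: width 32, bitmap_unit -8. Returns the copy result (-1). */
long demo_negative_unit_rejected(void)
{
    ImageHdr hostile = {32, -8};
    uint8_t dst[4] = {0};
    return copy_row_checked(&hostile, sample_row, sizeof sample_row, dst, sizeof dst);
}

/* Well-formed header: width 32, bitmap_unit 8. Returns bytes copied (4),
 * or -2 if the copied bytes do not match the sample. */
long demo_valid_unit_copies(void)
{
    ImageHdr ok = {32, 8};
    uint8_t dst[4] = {0};
    long n = copy_row_checked(&ok, sample_row, sizeof sample_row, dst, sizeof dst);
    if (n == 4 && memcmp(dst, sample_row, 4) != 0)
        return -2;
    return n;
}

int main(void)
{
    ImageHdr hostile = {32, -8};
    printf("naive offset of unit 3 with bitmap_unit=-8: %ld\n",
           unit_offset_unchecked(&hostile, 3, 0));
    printf("out-of-bounds writes over 4 units into a 4-byte row: %ld\n",
           count_oob_writes_unchecked(&hostile, 4, 4));
    printf("hardened copy with bitmap_unit=-8: %ld\n", demo_negative_unit_rejected());
    printf("hardened copy with bitmap_unit=8: %ld\n", demo_valid_unit_copies());
    return 0;
}
```

Compile with cc -std=c99 and run: the hostile header gives a stride of -1, so the naive offsets for units 1 to 3 are -1, -2 and -3, three writes in front of a four-byte row, while the checked copy rejects that header outright and copies four bytes for bitmap_unit 8. The whitelist of unit sizes is the part that matters; a mere `bitmap_unit > 0` test would still let a value like 24 or 1000 through to the stride arithmetic.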
Debian Bug Importer (debzilla) wrote : | #10 |
Message-Id: <email address hidden>
Date: Thu, 10 Mar 2005 21:17:04 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Cc: Joey Hess <email address hidden>, Sam Hocevar (Debian packages) <email address hidden>
Subject: Fixed in NMU of lesstif1-1 1:0.93.94-11.1
tag 298939 + fixed
quit
This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 10 Mar 2005 16:34:21 -0500
Source: lesstif1-1
Binary: lesstif-bin lesstif2 lesstif-dev lesstif2-dev lesstif-doc lesstif1
Architecture: source i386 all
Version: 1:0.93.94-11.1
Distribution: unstable
Urgency: high
Maintainer: Sam Hocevar (Debian packages) <email address hidden>
Changed-By: Joey Hess <email address hidden>
Description:
lesstif-bin - user binaries for LessTif
lesstif-dev - development library and header files for LessTif 1.2
lesstif-doc - documentation for LessTif
lesstif1 - OSF/Motif 1.2 implementation released under LGPL
lesstif2 - OSF/Motif 2.1 implementation released under LGPL
lesstif2-dev - development library and header files for LessTif 2.1
Closes: 298939
Changes:
lesstif1-1 (1:0.93.94-11.1) unstable; urgency=HIGH
.
* NMU
* Apply fix for newest libXpm buffer overflows in lesstif1, involving a
negative bitmap_unit value. Fixed both lesstif1 and lesstif2.
Closes: #298939 (CAN-2005-0605)
Files:
a422c21d24213b
411faaae59989c
4ebc9aba7278d1
316c7354bcda42
46d7302f480f98
dea270bc7f7b3c
d582252380bc2c
e789bd635bf66b
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFCMPcK2tp
rp1259h6+
=HdVa
-----END PGP SIGNATURE-----
Debian Bug Importer (debzilla) wrote : | #11 |
Message-ID: <email address hidden>
Date: Fri, 11 Mar 2005 03:35:32 -0500
From: Branden Robinson <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: xfree86 4.1.0-16woody6 available to fix CAN-2005-0605
Debian Bug Importer (debzilla) wrote : | #12 |
Message-ID: <email address hidden>
Date: Sat, 12 Mar 2005 16:44:07 +0100
From: Martin Schulze <email address hidden>
To: Branden Robinson <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: xfree86 4.1.0-16woody6 available to fix CAN-2005-0605
Debian Bug Importer (debzilla) wrote : | #13 |
Message-ID: <email address hidden>
Date: Sat, 12 Mar 2005 15:37:52 -0500
From: Branden Robinson <email address hidden>
To: <email address hidden>, <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: #298939 should not have been marked fixed by lesstif1-1 NMU
Debian Bug Importer (debzilla) wrote : | #14 |
Message-ID: <email address hidden>
Date: Sat, 12 Mar 2005 17:53:36 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: #298939 should not have been marked fixed by lesstif1-1 NMU
Debian Bug Importer (debzilla) wrote : | #15 |
Message-ID: <email address hidden>
Date: Sun, 13 Mar 2005 01:17:38 -0500
From: Branden Robinson <email address hidden>
To: <email address hidden>
Subject: cloning another copy of #298939 for xfree86 4.3
Debian Bug Importer (debzilla) wrote : | #16 |
Message-Id: <email address hidden>
Date: Sun, 13 Mar 2005 01:56:23 -0500
From: Branden Robinson <email address hidden>
To: <email address hidden>
Subject: tagging 299272
Daniel Stone (daniels) wrote : | #17 |
fixed in both warty and hoary now
In Debian Bug tracker #299272, Branden Robinson (branden) wrote : Regarding xfree86 and CAN-2005-0609 | #18 |
Hi Joey,
xfree86's fix for CAN-2005-0609 has not yet been uploaded to
testing/unstable. I expect to make an upload soon, however; the packages
are currently in preparation, and you can view the current status of the
SVN trunk at:
http://
specifically:
http://
Please go ahead and do the advisory for woody's xfree86 once you're ready.
I've been working with vorlon regarding 4.3.0.dfsg.1-13, and there's no
reason to expect that release to not fix CAN-2005-0609.
--
G. Branden Robinson | Suffer before God and ye shall be
Debian GNU/Linux | redeemed. God loves us, so He
<email address hidden> | makes us suffer Christianity.
http://
In Debian Bug tracker #299272, Martin Schulze (joey-infodrom) wrote : | #19 |
Branden Robinson wrote:
> Hi Joey,
>
> xfree86's fix for CAN-2005-0609 has not yet been uploaded to
> testing/unstable. I expect to make an upload soon, however; the packages
> are currently in preparation, and you can view the current status of the
> SVN trunk at:
>
> http://
>
> specifically:
>
> http://
>
> Please go ahead and do the advisory for woody's xfree86 once you're ready.
> I've been working with vorlon regarding 4.3.0.dfsg.1-13, and there's no
> reason to expect that release to not fix CAN-2005-0609.
Understood. Do you want me to write that it'll be fixed in 4.3.0.dfsg.1-13
or should I write that it will be fixed soon?
Regards,
Joey
--
If nothing changes, everything will remain the same. -- Barne's Law
Please always Cc to me when replying to me on the lists.
In Debian Bug tracker #299272, Branden Robinson (branden) wrote : | #20 |
Joey,
You can write in the xfree86 DSA for CAN-2005-0609 that the sarge/sid
vulnerability will be fixed by xfree86 4.3.0.dfsg.1-13, which is currently
in preparation.
--
G. Branden Robinson | Never underestimate the power of
Debian GNU/Linux | human stupidity.
<email address hidden> | -- Robert Heinlein
http://
In Debian Bug tracker #299272, Fabio Massimo Di Nitto (fabbione) wrote : Bug#299272: fixed in xfree86 4.3.0.dfsg.1-13 | #21 |
Source: xfree86
Source-Version: 4.3.0.dfsg.1-13
We believe that the bug you reported is fixed in the latest version of
xfree86, which is due to be installed in the Debian FTP archive:
lbxproxy_
to pool/main/
libdps-
to pool/main/
libdps1-
to pool/main/
libdps1_
to pool/main/
libice-
to pool/main/
libice6-
to pool/main/
libice6_
to pool/main/
libsm-dev_
to pool/main/
libsm6-
to pool/main/
libsm6_
to pool/main/
libx11-
to pool/main/
libx11-
to pool/main/
libx11-
to pool/main/
libxaw6-
to pool/main/
libxaw6-
to pool/main/
libxaw6_
to pool/main/
libxaw7-
to pool/main/
libxaw7-
to pool/main/
libxaw7_
to pool/main/
libxext-
to pool/main/
libxext6-
to pool/main/
libxext6_
to pool/main/
libxft1-
to pool/main/
libxft1_
to pool/main/
libxi-dev_
to pool/main/
libxi6-
to pool/main/
libxi6_
to pool/main/
libxmu-
to pool/main/
libxmu6-
to pool/main/
libxmu6_
to pool/main/
libxmuu-
to pool/main/
libxmuu1-
to pool...
Changed in libxpm: status: Unknown → Fix Released