imlib: Vulnerable to GLSA 200412-03?

Reported by Debian Bug Importer on 2004-12-10
Affects Status Importance Assigned to Milestone
Debian
Fix Released
Unknown
Ubuntu
High
Martin Pitt

Bug Description

Automatically imported from Debian bug report #284925 http://bugs.debian.org/284925

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 9 Dec 2004 15:51:07 +0100
From: Andreas Metzler <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: imlib: Vulnerable to GLSA 200412-03?

Package: imlib,imlib+png2
Severity: normal
Tags: security,patch

Hello,
---------------------
http://www.gentoo.org/security/en/glsa/glsa-200412-03.xml
Synopsis
Multiple overflows have been found in the imlib library image decoding
routines, potentially allowing execution of arbitrary code.

2. Impact Information

Background

imlib is an advanced replacement library for image manipulation libraries like
libXpm. It is called by numerous programs, including gkrellm and several window
managers, to help in displaying images.

Description

Pavel Kankovsky discovered that several overflows found in the libXpm library
(see GLSA 200409-34) also applied to imlib. He also fixed a number of other
potential flaws.

Impact

A remote attacker could entice a user to view a carefully-crafted image file,
which would potentially lead to execution of arbitrary code with the rights of
the user viewing the image. This affects any program that makes use of the
imlib library.
[...]
---------------------

Links:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138516
https://bugzilla.fedora.us/show_bug.cgi?id=2051#c11
Patch:
http://gd.tuwien.ac.at/platform/Linux/gentoo-portage/media-libs/imlib/files/imlib-1.9.14-sec2.patch
(does apply cleanly to imlib 1.9.14-17 and imlib+png2 1.9.14-16.)

I am submitting as normal because the given exploit
(http://scary.beasts.org/misc/doom.xpm) does not work for me, and I'd
rather not use an inflated severity.
                 cu andreas
--
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 10 Dec 2004 14:31:55 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: CAN-2004-1026

severity 284925 serious
thanks

This is CAN-2004-1026; please use that number in any changelog entry
fixing this bug.

Unfortunately, the CAN entry currently has no more info than a pointer to
GLSA-200412-03. I dug around and found the redhat bug at
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138516

I was able to crash imlib1 using the image from here:
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=106366&action=view

--
see shy jo

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 10 Dec 2004 22:58:08 +0100
From: Andreas Metzler <email address hidden>
To: Joey Hess <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: CAN-2004-1026 applies to imlib2, too.

clone 284925 -1
tags -1 - patch
# cloning as there is no ready to apply patch for imlib2, the bits and
# pieces from the given one will probably need to be included manually
# in loaders/loader_xpm.c
reassign -1 imlib2
thanks

Joey Hess <email address hidden> wrote:
| I was able to crash imlib1 using the image from here:
| https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=106366&action=view

That one works with imlib2, too:
ametzler@downhill:/tmp$ LANG=C LD_ASSUME_KERNEL=2.4.1 gdb feh
[...]
(gdb) run imlib_die.xpm
[...]
Program received signal SIGSEGV, Segmentation fault.
0x4023a695 in strcat () from /lib/libc.so.6
(gdb) bt
#0 0x4023a695 in strcat () from /lib/libc.so.6
#1 0x40020180 in load () from /usr/lib/imlib2_loaders/image/xpm.so
#2 0xbffff6e0 in ?? ()
[...]
               cu andreas
--
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 11 Dec 2004 11:48:30 +0100
From: Andreas Metzler <email address hidden>
To: <email address hidden>
Subject: Re: Bug#284925: imlib: Vulnerable to GLSA 200412-03?

On 2004-12-09 Andreas Metzler <email address hidden> wrote:
> Package: imlib,imlib+png2
> Severity: normal
> Tags: security,patch

> Hello,
> ---------------------
> http://www.gentoo.org/security/en/glsa/glsa-200412-03.xml
> Synopsis
> Multiple overflows have been found in the imlib library image decoding
> routines, potentially allowing execution of arbitrary code.
[...]

Applies to woody, too.
WOODYametzler@downhill:/tmp$ gdb ./imlib-example-woody
(gdb) run imlib_die.xpm
Starting program: /tmp/imlib-example-woody imlib_die.xpm
Program received signal SIGSEGV, Segmentation fault.
0x400b2464 in strcat () from /lib/libc.so.6
(gdb) bt
#0 0x400b2464 in strcat () from /lib/libc.so.6
#1 0x4001f44f in _LoadXPM () from /usr/lib/libImlib.so.1
#2 0x41414141 in ?? ()
Cannot access memory at address 0x41414141

ii imlib1 1.9.14-2wody1 Imlib is an imaging library for X and X11
ii xlibs 4.1.0-16woody5 X Window System client libraries
                cu andreas
--
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 17 Dec 2004 15:26:43 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: Re: imlib: Vulnerable to GLSA 200412-03?

I've prepared an NMU for imlib based on the Red Hat patch, which I will
be uploading shortly; I've confirmed that imlib11 no longer segfaults
with the sample image after this patch is applied.

Note that the Red Hat patch includes a typo (semicolon at the end of an
if) that almost certainly leaves a hole open; this has been corrected in
the attached patch.

Thanks,
--
Steve Langasek
postmodern programmer

--WBsA/oQW3eTA3LlM
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="imlib-284925.diff"
Content-Transfer-Encoding: quoted-printable

diff -u imlib-1.9.14/Imlib/load.c imlib-1.9.14/Imlib/load.c
--- imlib-1.9.14/Imlib/load.c
+++ imlib-1.9.14/Imlib/load.c
@@ -4,6 +4,8 @@
 #include "Imlib_private.h"
 #include <setjmp.h>
=20
+#define G_MAXINT ((int) 0x7fffffff)
+
 /* Split the ID - damages input */
=20
 static char *
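Review bot: The added `#define G_MAXINT` at the top of load.c has no `#ifndef` guard and reuses a GLib macro name, so a build that also pulls in GLib headers may hit a conflicting redefinition. `INT_MAX` from `<limits.h>` would avoid the clash and the hard-coded 32-bit assumption in `0x7fffffff`.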
@@ -41,13 +43,17 @@
=20
 /*
  * Make sure we don't wrap on our memory allocations
+ * we check G_MAXINT/4 because rend.c malloc's w * h * bpp
+ * + 3 is safety margin
  */
=20
 void * _imlib_malloc_image(unsigned int w, unsigned int h)
 {
- if( w > 32767 || h > 32767)
+ if (w <=3D 0 || w > 32767 ||
+ h <=3D 0 || h > 32767 ||
+ h >=3D (G_MAXINT/4 - 1) / w)
                return NULL;
- return malloc(w * h * 3);
+ return malloc(w * h * 3 + 3);
 }
=20
 #ifdef HAVE_LIBJPEG
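Review bot: In `_imlib_malloc_image` the new `w <= 0` and `h <= 0` tests apply to `unsigned int` parameters, so they can only catch zero; a negative `int` passed by a caller has already been converted to a large unsigned value and is rejected by the `> 32767` arm instead. Writing `w == 0 || h == 0` would say what the code does. The comment should also say why three extra bytes are a sufficient margin and which reader runs past the end, since `malloc(w * h * 3 + 3)` otherwise looks arbitrary.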
@@ -360,7 +366,9 @@
   npix =3D ww * hh;
   *w =3D (int)ww;
   *h =3D (int)hh;
- if(ww > 32767 || hh > 32767)
+ if (ww <=3D 0 || ww > 32767 ||
+ hh <=3D 0 || hh > 32767 ||
+ hh >=3D (G_MAXINT/sizeof(uint32)) / ww)
     {
        TIFFClose(tif);
        return NULL;
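Review bot: `npix = ww * hh` on the first context line is still evaluated before the new range test, so for out-of-range dimensions the product is computed (and may wrap) before the function bails out; moving the assignment below the `if` keeps unchecked values out of `npix` altogether. The bound `G_MAXINT/sizeof(uint32)` also mixes `int` with `size_t`, so the comparison against `hh` happens in an unsigned type, and `ww <= 0` only tests for zero if `ww` is unsigned; a comment stating the intended types would help.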
@@ -463,7 +471,7 @@
      }
    *w =3D gif->Image.Width;
    *h =3D gif->Image.Height;
- if (*h > 32767 || *w > 32767)
+ if (*h <=3D 0 || *h > 32767 || *w <=3D 0 || *w > 32767)
      {
         return NULL;
      }
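Review bot: The GIF test `if (*h <= 0 || *h > 32767 || ...)` bounds each axis but, unlike the TIFF hunk above and `_imlib_malloc_image`, puts no limit on the product of `*w` and `*h`; if this path sizes any buffer itself rather than through `_imlib_malloc_image`, it needs the same division-based bound. `*w` and `*h` are also written before they are validated, so a caller that ignores the NULL return still sees unvalidated dimensions; validating local copies first would avoid that.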
@@ -965,7 +973,12 @@
   comment =3D 0;
   quote =3D 0;
   context =3D 0;
+ memset(lookup, 0, sizeof(lookup));
+
   line =3D malloc(lsz);
+ if (!line)
+ return NULL;
+
   while (!done)
     {
       pc =3D c;
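Review bot: The new `if (!line) return NULL;` exits without releasing anything acquired earlier in the function, and the hunk does not show whether a file handle or other buffer is live at that point; if one is, release it here in the same way the later error paths call `free(line)`. `memset(lookup, 0, sizeof(lookup))` clears the whole table only when `lookup` is an array in this scope rather than a pointer, which the declaration outside the hunk should confirm.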
@@ -994,25 +1007,25 @@
   {
     /* Header */
     sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp);
- if (ncolors > 32766)
+ if (ncolors <=3D 0 || ncolors > 32766)
       {
         fprintf(stderr, "IMLIB ERROR: XPM files wth colors > 32766 not sup=
ported\n");
         free(line);
         return NULL;
       }
- if (cpp > 5)
+ if (cpp <=3D 0 || cpp > 5)
       {
         fprintf(stderr, "IMLIB ERROR: XPM files with characters per pixel =
> 5 not supported\n");
         free(line);
         return NULL;
       }
- if (*w > 32767)
+ if (*w <=3D 0 || *w > 32767)
     ...
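Review bot: The return value of `sscanf(line, "%i %i %i %i", ...)` on the context line is still ignored, so a header with fewer than four fields leaves some of `*w`, `*h`, `ncolors` and `cpp` unset and the new `<= 0` tests run on stale or indeterminate values; check for `!= 4` before the range tests. The two `fprintf` messages also still describe only the upper bounds ("> 32766", "> 5") although the conditions now reject non-positive values as well.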

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Fri, 17 Dec 2004 18:47:05 -0500
From: Steve Langasek <email address hidden>
To: <email address hidden>
Cc: Steve Langasek <email address hidden>, <email address hidden> (Steve M. Robbins)
Subject: Fixed in NMU of imlib 1.9.14-17.1

tag 284925 + fixed

quit

This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 16 Dec 2004 05:57:41 -0800
Source: imlib
Binary: imlib11 imlib11-dev
Architecture: source i386
Version: 1.9.14-17.1
Distribution: unstable
Urgency: high
Maintainer: Steve M. Robbins <email address hidden>
Changed-By: Steve Langasek <email address hidden>
Description:
 imlib11 - Imlib is an imaging library for X and X11
 imlib11-dev - Imlib is an imaging library for X and X11
Closes: 284925
Changes:
 imlib (1.9.14-17.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * High-urgency upload for sarge-targetted RC bugfix
   * CAN-2004-1026: fix various overflows in image decoding routines.
     Closes: #284925.
Files:
 d585194cae8f045f154483b25a535308 718 graphics optional imlib_1.9.14-17.1.dsc
 9b39a9987e9e83041b9a5ea504df9bf6 153013 graphics optional imlib_1.9.14-17.1.diff.gz
 02ceef8f9a47ca7282b8ceecce49ed5e 80792 libs optional imlib11_1.9.14-17.1_i386.deb
 ce9868ba61f3f5f616ec664a214c85c6 87408 libdevel optional imlib11-dev_1.9.14-17.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBw2tVKN6ufymYLloRApCfAKCDZRjNzyRaJf+p2X050zV0rSuF0QCfR/VX
PBx0CdFNpQywQ4ingTUjm+M=
=x3VC
-----END PGP SIGNATURE-----

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sat, 18 Dec 2004 03:02:05 -0500
From: Steve Langasek <email address hidden>
To: <email address hidden>
Cc: Steve Langasek <email address hidden>, <email address hidden> (Steve M. Robbins)
Subject: Fixed in NMU of imlib+png2 1.9.14-16.1

tag 284925 + fixed

quit

This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 17 Dec 2004 23:33:23 -0800
Source: imlib+png2
Binary: gdk-imlib1 imlib-progs gdk-imlib1-dev imlib1 imlib1-dev imlib-base
Architecture: source i386 all
Version: 1.9.14-16.1
Distribution: unstable
Urgency: high
Maintainer: Steve M. Robbins <email address hidden>
Changed-By: Steve Langasek <email address hidden>
Description:
 gdk-imlib1 - imaging library for use with gtk (using libpng2)
 gdk-imlib1-dev - Header files needed for Gdk-Imlib development (using libpng2)
 imlib-base - Common files needed by the Imlib/Gdk-Imlib packages
 imlib-progs - Configuration program for Imlib and GDK-Imlib
 imlib1 - imaging library for X and X11 (using libpng2)
 imlib1-dev - Header files needed for Imlib development (using libpng2)
Closes: 284925
Changes:
 imlib+png2 (1.9.14-16.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * High-urgency upload for sarge-targetted RC bugfix
   * CAN-2004-1026: fix various overflows in image decoding routines.
     Closes: #284925.
Files:
 e63e257fa7686c971b5fd549fc7a71e9 844 graphics optional imlib+png2_1.9.14-16.1.dsc
 a85cae6e6c1ed40cf673a8d8b64148e8 144009 graphics optional imlib+png2_1.9.14-16.1.diff.gz
 03d7e5dc5a709004c45217919c6d46c8 119606 graphics optional imlib-base_1.9.14-16.1_all.deb
 85cf5bd738743939994fac1054e25c29 261598 graphics optional imlib-progs_1.9.14-16.1_i386.deb
 3da22542142634c49a9a371797f486d6 77140 oldlibs optional imlib1_1.9.14-16.1_i386.deb
 bb25a71304e4d4abfaee8850bee77c94 79790 oldlibs optional imlib1-dev_1.9.14-16.1_i386.deb
 d1bd1913c98ff89c7a2124aa546969a8 86576 oldlibs optional gdk-imlib1_1.9.14-16.1_i386.deb
 24a28e3d2eb559c728ae3bb8d1ea7761 69360 oldlibs optional gdk-imlib1-dev_1.9.14-16.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBw+GwKN6ufymYLloRAqIuAKCBPXVxEhFZvvHDf+hfsItk2+kXCACgp/j5
OI+2aI6x0vP5qleGmknBlWM=
=yGmn
-----END PGP SIGNATURE-----

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 18 Dec 2004 00:47:54 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: Re: imlib: Vulnerable to GLSA 200412-03?

tags 284925 +woody sarge
tags 284925 -fixed
thanks

As expected, the previously supplied patch applies equally well to
imlib+png2, requiring only an edit of debian/changelog.

An NMU of this package has also been uploaded, so this bug now only applies
to sarge and woody (and only to the imlib package in the latter case).

Thanks,
--
Steve Langasek
postmodern programmer

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 21 Dec 2004 22:44:15 +0100
From: Andreas Metzler <email address hidden>
To: <email address hidden>
Subject: NMU fixing these bugs has propagated to sarge

# both imlib+png2 1.9.14-16.1 and imlib 1.9.14-17.1 have propagated to
# sarge
tags 284925 - sarge
thanks
              cu andreas

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 23 Dec 2004 19:18:05 +0100
From: Martin Schulze <email address hidden>
To: <email address hidden>
Subject: CVE ids

FWIW: These problems have been assigned both CAN-2004-1025 and CAN-2004-1026.

Regards,

 Joey

--
Open source is important from a technical angle. -- Linus Torvalds

Please always Cc to me when replying to me on the lists.

Martin Pitt (pitti) wrote :

*** Bug 11118 has been marked as a duplicate of this bug. ***

Martin Pitt (pitti) wrote :

Fixed in Warty:

 imlib+png2 (1.9.14-16ubuntu1.1) warty-security; urgency=low
 .
   * SECURITY UPDATE: fix several buffer and integer overflows in image
     decoding routines (Ubuntu bug #11113)
   * Thanks to Pavel Kankovsky for discovering this and the patch
   * References:
     CAN-2004-1025, CAN-2004-1026
     http://bugs.debian.org/284925

Sync requested for Hoary.

This affects imlib2, too, so I leave the bug open for now.
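
The integer-overflow half of this changelog entry, shown as an added example (not code from imlib, the Red Hat patch or the Debian/Ubuntu uploads): the C program below shows what the per-axis-only test from the unpatched loaders lets through, and a generalised size check in the style of the patched `_imlib_malloc_image`. `MAX_BYTES`, `old_check_accepts`, `wrapped_size32` and `checked_image_bytes` are names made up for the illustration, the 1..4 range for bytes per pixel is an assumption, and the sample dimensions are constructed.

```c
/* Added illustration, not imlib source. Names and sample inputs are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_DIM   32767      /* per-axis limit used by the checks in the patch */
#define MAX_BYTES INT32_MAX  /* stand-in for the patch's G_MAXINT */

/* Pre-patch shape of the test: one upper bound per axis, nothing else. */
static int old_check_accepts(int32_t w, int32_t h)
{
    return !(w > MAX_DIM || h > MAX_DIM);
}

/* Value a 32-bit signed `w * h * bpp` ends up holding after wrap-around.
 * Computed in unsigned 64-bit arithmetic and truncated, so the demo itself
 * performs no signed overflow. The final cast relies on the two's-complement
 * conversion that gcc and clang implement. */
static int32_t wrapped_size32(int32_t w, int32_t h, int32_t bpp)
{
    uint64_t m = (uint64_t)(int64_t)w * (uint64_t)(int64_t)h
               * (uint64_t)(int64_t)bpp;
    return (int32_t)(uint32_t)m;
}

/* Patched-style validation, generalised to any bytes-per-pixel value:
 * reject non-positive or oversized axes first, then bound the product by
 * division so that no multiplication can wrap.
 * Returns 0 and stores the byte count in *out on success, -1 otherwise. */
static int checked_image_bytes(int32_t w, int32_t h, int32_t bpp, size_t *out)
{
    if (w <= 0 || w > MAX_DIM || h <= 0 || h > MAX_DIM)
        return -1;
    if (bpp <= 0 || bpp > 4)          /* assumed range for this example */
        return -1;
    /* All operands are positive here, so
     * w * h * bpp <= MAX_BYTES  <=>  h <= (MAX_BYTES / bpp) / w */
    if (h > (MAX_BYTES / bpp) / w)
        return -1;
    *out = (size_t)w * (size_t)h * (size_t)bpp;
    return 0;
}

struct sample { int32_t w, h, bpp; };

int main(void)
{
    /* Constructed header values, not taken from any real image file. */
    static const struct sample samples[] = {
        {   640,   480, 3 },   /* ordinary image */
        {    -1,    -1, 3 },   /* negative axes: product is a tiny positive */
        { 32767, 32767, 4 },   /* each axis in range, product past INT32_MAX */
        { 32767, 16384, 4 },   /* largest height accepted at this width */
        { 32767, 16385, 4 },   /* one row more: rejected */
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const struct sample *s = &samples[i];
        size_t bytes = 0;
        int ok = checked_image_bytes(s->w, s->h, s->bpp, &bytes);

        printf("%6d x %6d x %d  old:%s  int32 size:%11d  checked:%s",
               (int)s->w, (int)s->h, (int)s->bpp,
               old_check_accepts(s->w, s->h) ? "accept" : "reject",
               (int)wrapped_size32(s->w, s->h, s->bpp),
               ok == 0 ? "accept" : "reject");
        if (ok == 0)
            printf(" (%zu bytes)", bytes);
        putchar('\n');
    }
    return 0;
}
```

The two middle rows are the cases the old test accepted: the requested size no longer matches the pixel count that the decoding loops later iterate over.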

Martin Pitt (pitti) wrote :

I notified upstream and asked about the status about this.

Martin Pitt (pitti) wrote :

(In reply to comment #12)
> This affects imlib2, too, so I leave the bug open for now.

Fixed in Warty in imlib2_1.1.0-12ubuntu2.1
Fixed in Hoary in imlib2_1.1.2-2ubuntu1

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Thu, 06 Jan 2005 17:02:07 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Cc: Joey Hess <email address hidden>, <email address hidden> (Laurence J. Lane)
Subject: Fixed in NMU of imlib2 1.1.2-2.1

tag 284925 + fixed

quit

This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 6 Jan 2005 16:29:53 -0500
Source: imlib2
Binary: libimlib2 libimlib2-dev
Architecture: source i386
Version: 1.1.2-2.1
Distribution: unstable
Urgency: high
Maintainer: Laurence J. Lane <email address hidden>
Changed-By: Joey Hess <email address hidden>
Description:
 libimlib2 - powerful image loading and rendering library
 libimlib2-dev - Imlib2 development files
Closes: 284925
Changes:
 imlib2 (1.1.2-2.1) unstable; urgency=HIGH
 .
   * NMU with the following changes taken from the Ubuntu patch by Martin Pitt
     Closes: #284925
   * SECURITY UPDATE: fix several buffer overflows
   * loaders/loader_bmp.c: check for negative image width/height
   * loaders/loader_xpm.c:
     - check for negative image attributes
     - check the length of the "col" buffer to avoid overflowing it
     - patch taken from upstream CVS
   * References:
     CAN-2004-1025
     CAN-2004-1026
Files:
 4e044b53efef6571d6754f660b04e1be 730 libs optional imlib2_1.1.2-2.1.dsc
 f7544bcfd3e37b180cb664b4bc2a193e 81653 libs optional imlib2_1.1.2-2.1.diff.gz
 e8042c1cc46f7ffd464d65e6287c31e4 188690 libs optional libimlib2_1.1.2-2.1_i386.deb
 ccccd58406e6dbdce73724d5b9ff03e2 605216 libdevel optional libimlib2-dev_1.1.2-2.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFB3bIe2tp5zXiKP0wRAsLGAKDAQ21pewzIoMo0cT/CqVduBdQHVACgyqEg
yWkZ3yo0hIubBkIahMZjHQs=
=uH3I
-----END PGP SIGNATURE-----

This package has been removed from sid and etch, so the bugs are no
longer applicable.

# Automatically generated email from bts, devscripts version 2.9.20
 # maybe keep that one
reopen 284925

# Hi,
#
# These bugs were fixed in an NMU, but have not been acknowledged by the
# maintainers. With version tracking in the Debian BTS, it is important
# to know which version of a package fixes each bug so that they can be
# tracked for release status, so I'm closing these bugs with the
# relevant version information now

close 284925 1.1.2-2.1
