Changes to imlib2 in recent security update causes digikam breakage

Do you use the oficial repositories?

Dnia sobota 04 listopada 2006 20:20, Javier Jardón napisał:
>Do you use the oficial repositories?
>
>** Changed in: imlib2 (Ubuntu)
> Status: Unconfirmed => Needs Info

Of course! It's a clean new installation of Edgy only with security
upgrades.

As I said former library version is ok. It seems security patch broke it.

This version of package isn't in the repositories (and i haven't it)

http://packages.ubuntu.com/edgy/libs/libimlib2

>This version of package isn't in the repositories (and i haven't it)
>
>http://packages.ubuntu.com/edgy/libs/libimlib2

Are you kidding? :P

xargos@wodka:~$ LANG=C apt-cache policy libimlib2
libimlib2:
  Installed: 1.2.1-2ubuntu1
  Candidate: 1.2.1-2ubuntu1.1
  Version table:
     1.2.1-2ubuntu1.1 0
        500 http://security.ubuntu.com edgy-security/main Packages
 *** 1.2.1-2ubuntu1 0
        500 cdrom://Kubuntu 6.10 _Edgy Eft_ - Release i386 (20061025.1) edgy/main Packages
        500 http://pl.archive.ubuntu.com edgy/main Packages
        100 /var/lib/dpkg/status

Look at edgy-security!

It seems there are new bug reports connected with this one:

#70400
#70405

I'm seeing this bug too and I'm not even on edgy. I'm still on 6.06 LTS.

Apparently one of the recent standard security updates (via adept) broke digikam for me.

My digikam is:

<code>
$ digikam --version
Qt: 3.3.6
KDE: 3.5.3
digiKam: 0.8.2-rc1
</code>

Some images show completely black in the digikam viewer. All thumbnails in the main digikam window display ok. Only the full size images _sometime_ don't display. It is hard to say exactly when and give a "how to reproduce" recipe. Sometimes restarting and starting with a different image in the collection would make the image appear fine. Then after some back/forward navigation using either Page Up/Down keys or the arrow buttons, some images fail to display (displayed as all black).

I think the priority here should be raised.

->confirmed as reported by multiple people

Everybody is saying this is a recent regression caused by the security update to imlib2 which went out on 3rd November 2006. The dapper changelog is as follows:

imlib2 (1.2.1-2ubuntu0.1) dapper-security; urgency=low

  * SECURITY UPDATE: multiple overflows found in image loaders allowing
    for arbitrary code execution.
  * Add 'debian/patches/99_loader_overflows.patch': bounds check image
    sizes in argb, jpeg, lbm, png, pnm, tga, and tiff loaders.
  * References
    CVE-2006-4806, CVE-2006-4807, CVE-2006-4808, CVE-2006-4809

 -- Kees Cook <email address hidden> Fri, 3 Nov 2006 12:37:22 -0800

I think it is only jpg images that is a problem. I've tested with some png and tiff images (just a quick and dirty test) and the problem didn't occur with them.

Can you attach some images that do not load with imlib2? When testing with the "feh" tool, I was not able to reproduce this with any of the image types I tested.

Here are 2 images that fails here. I don't think has anything to do with any specific images though.

Second image. The original images was taken with a Nikon D80 and have since been resized with Imagemagick.

Thanks! If I add these images to digikam with the earlier imlib2, and then view them with the new imlib2, I see the reported behavior. What's strange is that "feh" has no problem with them. I will investigate. Sorry for the breakage, I'll get it sorted out!

This is for sure an imlib2 regression due to the security update, so I'm rejecting the digikam portion of the ticket.

A new security release is being uploaded now which fixes the problem with JPG handling, and should be available shortly.

>A new security release is being uploaded now which fixes the problem
>with JPG handling, and should be available shortly.
>
>** Changed in: imlib2 (Ubuntu)
> Assignee: (unassigned) => Kees Cook
> Status: Confirmed => Fix Committed

It works! Thx for fast reaction.

Yes. Upgrading to libimlib2_1.2.1-2ubuntu1.2 fixes
the problem. Thx!

Works here as well!

Thanks a lot!

http://www.ubuntu.com/usn/usn-376-2

Would it be possible to have a fix for the broken Dapper / 6.06 LTS too?
Thanks!

> have a fix for the broken Dapper too?

This is now fixed on Dapper for me.