Comment 2 for bug 7937

Debian Bug Importer (debzilla) wrote :

Message-Id: <E1C6bC3-0000kw-Vy@legolas>
Date: Sun, 12 Sep 2004 22:43:27 +0200
From: Moritz Muehlenhoff <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: libimlib2: BMP remote heap overflow in imlib2

Package: libimlib2
Version: 1.1.0-12.3
Severity: grave
Tags: security
Justification: user security hole

The infamous BMP remote heap overflow, which is already fixed for
imlib+png, is also present in imlib2:

The recently released upstream version 1.1.2 fixes the problem:

> Tue Aug 31 11:46:49 JST 2004
> (Raster)
>
> Fixed bmp security issue.
> New IFF ILBM loader
> Up to 1.1.2

Cheers,
        Moritz

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.7
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro

Versions of packages libimlib2 depends on:
ii libc6 2.3.2.ds1-16 GNU C Library: Shared libraries an
ii libfreetype6 2.1.7-2.2 FreeType 2 font engine, shared lib
ii libjpeg62 6b-9 The Independent JPEG Group's JPEG
ii libpng12-0 1.2.5.0-7 PNG library - runtime
ii libtiff4 3.6.1-1.1 Tag Image File Format library
ii libungif4g 4.1.3-1 shared library for GIF images (run
ii libx11-6 4.3.0.dfsg.1-7 X Window System protocol client li
ii libxext6 4.3.0.dfsg.1-7 X Window System miscellaneous exte
ii xlibs 4.3.0.dfsg.1-7 X Window System client libraries m
ii zlib1g 1:1.2.1.1-7 compression library - runtime

-- no debconf information