Bug 248057 (CVE-2008-5187) - media-libs/imlib2<=1.4.2 XPM loader buffer overflow (CVE-2008-5187)
Summary: media-libs/imlib2<=1.4.2 XPM loader buffer overflow (CVE-2008-5187)
Status: RESOLVED FIXED
Alias: CVE-2008-5187
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal (vote)
Assignee: Gentoo Security
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-11-21 21:05 UTC by Stefan Behte (RETIRED)
Modified: 2008-12-23 22:45 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Stefan Behte (RETIRED) gentoo-dev Security 2008-11-21 21:05:02 UTC
CVE-2008-5187 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5187):
  The load function in the XPM loader for imlib2 1.4.2, and possibly
  other versions, allows attackers to cause a denial of service (crash)
  and possibly execute arbitrary code via a crafted XPM file that
  triggers a "pointer arithmetic error" and a heap-based buffer
  overflow, a different vulnerability than CVE-2008-2426.  NOTE: the
  provenance of this information is unknown; the details are obtained
  solely from third party information.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-11-27 19:00:55 UTC
Patch has been applied upstream:
svn diff -c 37744 http://svn.enlightenment.org/svn/e/trunk/imlib2
Comment 2 SpanKY gentoo-dev 2008-11-27 19:38:30 UTC
Thanks for the easy-to-use link ... I've applied the patch to 1.4.2-r1

since this is the only change in 1.4.2 (which is current stable), moving 1.4.2-r1 to stable should be fairly trivial ...
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-30 17:17:36 UTC
Arches, please test and mark stable:
=media-libs/imlib2-1.4.2-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
Comment 4 Tobias Scherbaum (RETIRED) gentoo-dev 2008-11-30 21:18:12 UTC
ppc stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2008-12-01 06:56:13 UTC
Stable for HPPA.
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-12-01 11:12:13 UTC
alpha/arm/ia64/sparc/sh/x86 stable
Comment 7 Brent Baude (RETIRED) gentoo-dev 2008-12-01 15:17:29 UTC
ppc64 done
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-07 11:52:36 UTC
amd64 stable, although I failed and used cvs commit instead of repoman. Seems to be fixed now.
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-07 11:53:58 UTC
GLSA request filed.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-12-23 22:45:30 UTC
GLSA 200812-23