Hello vapier, maybe some stuff for you when an update is available. http://secunia.com/product/3880/ DESCRIPTION: Some vulnerabilities have been reported in imlib2, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library. The vulnerabilities are caused due to unspecified errors within the processing of JPG, ARGB, PNG, LBM, PNM, TIFF, and TGA images. This may be exploited to execute arbitrary code by e.g. tricking a user into opening a specially crafted image file with an application using imlib2. SOLUTION: Do not open untrusted images with an application using the library. PROVIDED AND/OR DISCOVERED BY: Ubuntu credits M. Joonas Pihlaja ORIGINAL ADVISORY: http://www.ubuntu.com/usn/usn-376-1
Ubuntu seems to have a patch for this. The new packages are linked on http://www.securityfocus.com/archive/1/450551 and when applying the Ubuntu-specific package patch to the original source tree there appears a file debian/patches/99_loader_overflows.patch which supposedly fixes this vulnerability.
Created attachment 101331: 99_loader_overflows.patch for imlib2-1.2.1 from Ubuntu
I've used the actual fix committed upstream and added 1.3.0 with it.
Looks like a forgotten bug here. 1.3.0 has been marked stable on all arches. CVEs talk about <1.2.1 being affected; can someone confirm that <1.3.0 has been affected as well? Looks like this will need a GLSA then.
(In reply to comment #4)
> CVEs talk about <1.2.1 being affected, can someone confirm that <1.3.0 has been
> affected as well?
That's a good question.
> looks like this will need a GLSA then
I agree.
Yeah I think we need a GLSA for this one.
Seems to be my affirmative day today. "Yes".
Huh, what exactly are the vulnerable and the fixed versions??
GLSA 200612-20, thanks everybody!