Short version: The _LoadBMP function in imlib 1.9.15 and earlier allows context-dependent attackers to cause a denial of service (infinite loop) via a BMP image with a Bits Per Page (BPP) value of 0.

A bit longer:

=====================================================
The information has been provided by beSTORM.
The original article can be found at: http://www.beyondsecurity.com/bestorm_overview.html

Vulnerable Systems:
 * imlib version 1.9.15 and prior

The _LoadBMP function reads from the BMP file the value of BPP (Bits Per Page) and uses that value to know how many bits need to be read at each step of its main file processing loop. The value of 0x0000 (zero), which is invalid, is not properly detected, as the line responsible:

    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp && 16 && bpp != 24 && bpp != 32)
    {
        fprintf(stderr, "IMLIB ERROR: unknown bitdepth in file\n");
        return NULL;
    }

incorrectly references "&& bpp &&" where it shouldn't have probably referenced it at all, to prevent the value of 0x0000 from passing. Since the bpp value of 0x0000 is used, the loop:

    for (line = (*h - 1); line >= 0; line--)
    {
        linepos = 0;
        for (column = 0; column < *w;)
        {

will never advance, as no case inside the loop matches the bpp value of 0x0000.

Workaround:
Remove the "&& bpp &&" from the if statement found at line 648.

Vendor status:
We have tried to contact the security person responsible for the package in Debian, but they haven't addressed it. We have sent an email to the author of imlib on 2007-07-03, but the product appears to be no longer maintained by the author, as the last release was released on 2004-09-24.
=====================================================

Although I did not manage to get an exploit, it seems that it's possible to create one. Thus I'm setting status to major.
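The bit-depth check quoted in the advisory, placed beside a corrected version and driven by a small header reader, as an added example (this is not imlib's code and not part of the bug report); the BMP header bytes and the helper names are constructed for illustration:

```c
#include <stdio.h>
#include <stdint.h>

/* Buggy check as quoted from imlib <= 1.9.15: "bpp && 16" is a typo for
   "bpp != 16". With bpp == 0 the && chain short-circuits to false, the
   error branch is skipped and 0 is accepted. A side effect of the same
   typo is that a legitimate bpp of 16 is rejected. */
static int bpp_is_valid_buggy(unsigned int bpp)
{
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp && 16 && bpp != 24 && bpp != 32)
        return 0;               /* "unknown bitdepth in file" */
    return 1;
}

/* Corrected check: every supported depth is listed explicitly, so 0 (and
   any other unexpected value) is rejected before the decode loop runs. */
static int bpp_is_valid_fixed(unsigned int bpp)
{
    switch (bpp) {
    case 1: case 4: case 8: case 16: case 24: case 32:
        return 1;
    default:
        return 0;
    }
}

/* Read the little-endian 16-bit biBitCount field of a BITMAPINFOHEADER
   (offset 28 from the start of the file). Returns -1 on a short buffer. */
static int bmp_read_bpp(const unsigned char *buf, size_t len)
{
    if (len < 30)
        return -1;
    return buf[28] | (buf[29] << 8);
}

/* Constructed 30-byte header fragment: 1x1 image, one plane, bpp = 0. */
static const unsigned char SAMPLE_BPP0[30] = {
    'B', 'M', 0x36, 0, 0, 0, 0, 0, 0, 0, 0x36, 0, 0, 0,        /* file header   */
    0x28, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0          /* info header   */
};

int main(void)
{
    int bpp = bmp_read_bpp(SAMPLE_BPP0, sizeof SAMPLE_BPP0);
    printf("bpp=%d buggy_accepts=%d fixed_accepts=%d\n", bpp,
           bpp_is_valid_buggy((unsigned int)bpp), bpp_is_valid_fixed((unsigned int)bpp));
    return 0;
}
```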
Updated imlib-1.9.15-r2 which includes the fix is in portage. Please, review and proceed as required.
Assigning on security as this is security issue.
Thanks Peter. Arches, please test and mark stable media-libs/imlib-1.9.15-r2. Target "alpha amd64 arm hppa ia64 mips ppc ppc64 sh sparc x86 ~x86-fbsd"
Amd64, this also affects emul-linux-x86-gtklibs. Please update.
x86 stable
Stable for sparc.
Stable for HPPA.
alpha/ia64 stable
Ebuild stable on amd64, emul stuff yet to come.
Bumped app-emulation/emul-linux-x86-gtklibs - amd64 guys, please test and stable. (If the tarball hasn't yet hit the mirrors, fetch it from here: http://dev.gentoo.org/~welp/emul-linux-x86-gtklibs-20071214.tar.bz2)
ppc64 stable
ppc stable
emul-linux-x86-gtklibs-20071214 (which contains the fix) is stable on amd64, thanks to gentoofan23 for testing.
Ready for glsa vote.
Since this library and function is very unlikely to be called from remote, I vote NO here.
no too, and closing.
Does not affect current (2008.0) release. Removing release.