This bug is marked confidential, do not disclose any information or commit anything until the bug has been made public. Secunia Research reports a vulnerability in imlib2 (CVE-2008-2426). Preliminary disclosure date is 2008-06-11. The following is an excerpt from the vulnerability report, more details are available: [...] Credit: Stefan Cornelius, Secunia Research [...] -- Details -- 1) There is a boundary error within the "load()" function in src/modules/loaders/loader_pnm.c when reading the header of an PNM image file, which can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into opening a specially crafted PNM image with an application using the imlib2 library. [...] Successful exploitation allows the execution of arbitrary code. 2) There is a boundary error within the "load()" function in src/modules/loader_xpm.c when processing an XPM image file, which can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into opening a specially crafted XPM image with an application using the imlib2 library. [...]
upstream has been contacted by secunia btw
public via $URL patch is supposed to be in CVS according to that advisory
Patches from upstream CVS: https://bugzilla.redhat.com/show_bug.cgi?id=449073#c4 HTH
ive added 1.4.0-r1 and imlib2-1.4.1.000-r1 to the tree ... while both should be fine for stable, i imagine people would be more comfortable with the former
That was a straight-to-stable bump for 1.4.0-r1 ;-) So going directly to [glsa]
imlib2-1.4.0-r1 isnt in stable ...
(In reply to comment #6) > imlib2-1.4.0-r1 isnt in stable ... You are right. In that case, it seems there is a bug in adjutrix, because it actually outputs the version as stable: ... 1.4.0-r1 | + + + + + + + + + + + ~ | ... grep KEYWORDS proves you right: imlib2-1.4.0-r1.ebuild:KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sh ~sparc ~x86 ~x86-fbsd"
Arches, please test and mark stable: =media-libs/imlib2-1.4.0-r1 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sh sparc x86"
x86 stable
ppc64 stable
Stable for HPPA.
alpha/ia64/sparc stable
amd64 stable
ppc stable
Fixed in release snapshot.
GLSA request filed.
GLSA 200806-03
