Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 154216

Summary: media-libs/imlib2: unspecified errors leading to DoS and execution of code (CVE-2006-480[6789])
Product: Gentoo Security Reporter: Raphael Marichez (Falco) (RETIRED) <falco>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: rico32
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/22732/
Whiteboard: A/B? 1?/2 [glsa] Falco
Package list:
Runtime testing required: ---
Attachments:
Description Flags
99_loader_overflows.patch for imlib2-1.2.1 from Ubuntu none

Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-11-06 01:31:43 UTC 
Hello vapier, maybe some stuff for you when an update is avaible.



http://secunia.com/product/3880/

DESCRIPTION:
Some vulnerabilities have been reported in imlib2, which can be
exploited by malicious people to cause a DoS (Denial of Service) or
potentially compromise an application using the library.

The vulnerabilities are caused due to unspecified errors within the
processing of JPG, ARGB, PNG, LBM, PNM, TIFF, and TGA images. This
may be exploited to execute arbitrary code by e.g. tricking a user
into opening a specially crafted image file with an application using
imlib2.

SOLUTION:
Do not open untrusted images with an application using the library.

PROVIDED AND/OR DISCOVERED BY:
Ubuntu credits M. Joonas Pihlaja

ORIGINAL ADVISORY:
http://www.ubuntu.com/usn/usn-376-1
Comment 1 Andreas Niederl 2006-11-06 05:30:42 UTC 
Ubuntu seems to have a patch for this.
The new packages are linked on http://www.securityfocus.com/archive/1/450551 and when applying the Ubuntu-specific package patch to the original source tree there appears a file debian/patches/99_loader_overflows.patch which supposedly fixes this vulnerability.
Comment 2 Andreas Niederl 2006-11-06 05:32:28 UTC 
Created attachment 101331 [details, diff]
99_loader_overflows.patch for imlib2-1.2.1 from Ubuntu
Comment 3 SpanKY gentoo-dev 2006-11-06 07:12:03 UTC 
ive used the actual fix committed upstream and added 1.3.0 with it
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2006-12-13 04:12:09 UTC 
looks like a forgotten bug here

1.3.0 has been marked stable on all arches

CVEs talk about <1.2.1 being affected, can someone confirm that <1.3.0 has been affected as well?

looks like this will need a GLSA then
Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-15 07:55:33 UTC 
(In reply to comment #4)

> CVEs talk about <1.2.1 being affected, can someone confirm that <1.3.0 has been
> affected as well?

that's a good question


> 
> looks like this will need a GLSA then
> 


i agree
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-15 08:10:45 UTC 
Yeah I think we need a GLSA for this one.
Comment 7 Wolf Giesen (RETIRED) gentoo-dev 2006-12-15 10:24:20 UTC 
Seems to by my affirmative day today. "Yes".
Comment 8 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-19 08:31:33 UTC 
Hu, what are exactly the vulnerable and the fixed versions??
Comment 9 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-21 05:47:09 UTC 
GLSA 200612-20 , thanks everybody!