
Bug 175670

Summary: x11-misc/xnview XPM File Handling Buffer Overflow (CVE-2007-2194, CVE-2008-0064, CVE-2008-1461)
Product: Gentoo Security
Reporter: Lars Hartmann <lars>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: enhancement
CC: denilsonsa, desktop-misc
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/24973/
Whiteboard: B2 [maskglsa]
Package list:
Runtime testing required: ---

Description Lars Hartmann 2007-04-23 09:08:49 UTC
Hi,
I found this vuln on Secunia, looks like xnview has an unfixed buffer overflow in the xpm file handling function.
There are a few exploits around, and the only workaround 'yet' is to not open xpm files you don't trust.

Reproducible: Always
Comment 1 Lars Hartmann 2007-04-24 15:42:05 UTC
maintainers - please provide a fix
Comment 2 Krzysztof Pawlik (RETIRED) gentoo-dev 2007-04-24 18:53:19 UTC
Latest for Linux is 1.70 (http://perso.orange.fr/pierre.g/xnview/endownloadlinux.html), the advisory doesn't state if it's affected. It's a binary package, so we can't just patch it. If it's confirmed in 1.70 for linux-x86 and/or 1.50 for linux-ppc I'm for masking this as this is a second security bug in it (the first one is http://www.gentoo.org/security/en/glsa/glsa-200512-18.xml).
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-05-03 18:27:28 UTC
just mailed upstream to get some info on this.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-20 07:19:40 UTC
Any news from upstream?
Comment 5 Samuli Suominen (RETIRED) gentoo-dev 2007-07-01 05:18:47 UTC
Any news with this one?
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-01 08:56:25 UTC
According to Secunia there is still no fix available.
Comment 7 Krzysztof Pawlik (RETIRED) gentoo-dev 2007-07-01 09:39:42 UTC
I'm for p.mask and removal in 14 days.
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-01 09:54:47 UTC
upstream should release 1.70.2 which fixes this, but I don't know when. I tried to send another e-mail a few days ago and I'm waiting for an answer. btw I agree for p.mask until there's a fix available.
Comment 9 Krzysztof Pawlik (RETIRED) gentoo-dev 2007-07-01 10:20:09 UTC
+# Krzysiek Pawlik <nelchael@gentoo.org> (01 Jul 2007)
+# Masked for security bug #175670.
+# Waiting for upstream to provide a fixed version.
+# If the fix won't be available the package will be removed.
+x11-misc/xnview
+
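Review bot: The mask comment gives no removal date: the line "If the fix won't be available the package will be removed." leaves users unable to tell how long the package will stay masked before it is dropped. Comment 7 proposed removal in 14 days, so either state that deadline in the comment or say explicitly that removal is pending upstream's reply. The unversioned atom x11-misc/xnview masks every version, which fits while no fixed release exists, but it will need narrowing to a version range if upstream ships a fix.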
Comment 10 Stefan Cornelius (RETIRED) gentoo-dev 2007-07-11 21:10:17 UTC
GLSA 200707-06.

Thanks everybody
Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-01-31 21:35:14 UTC
some news: http://secunia.com/advisories/28326/

Dercorny, do you know if the XPM issue is fixed in version 1.92?
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2008-03-24 23:43:58 UTC
CVE-2008-1461 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1461):
  Buffer overflow in XnView 1.92.1 allows user-assisted remote attackers to
  execute arbitrary code via a long filename argument on the command line.
  NOTE: it is unclear whether there are common handler configurations in which
  this argument is controlled by an attacker.
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2008-03-24 23:49:34 UTC
Already masked, and maskglsa'd. The Linux build has not been updated since 2006. 
Can we remove this?
Comment 14 Samuli Suominen (RETIRED) gentoo-dev 2008-04-01 15:52:24 UTC
Not in tree anymore. If upstream doesn't care about updating their binary blob for security, but does updates for Windows version.. why should we care?

Gone. Gone. Gone.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2008-04-01 15:54:45 UTC
Closing since this got maskglsa 200707-06.
Thanks, drac.