Bug 201887 (CVE-2007-3568)

Description Peter Volkov (RETIRED) 2007-12-10 19:39:23 UTC

Short version: The _LoadBMP function in imlib 1.9.15 and earlier allows context-dependent attackers to cause a denial of service (infinite loop) via a BMP image with a Bits Per Page (BPP) value of 0.

A bit longer:
=====================================================
The information has been provided by beSTORM.
The original article can be found at: http://www.beyondsecurity.com/bestorm_overview.html

Vulnerable Systems:
 * imlib version 1.9.15 and prior

The _LoadBMP function reads from the BMP file the value of BPP (Bits Per Page) and uses that value to know how many bits need to be read at each step of its main file processing loop. The value of 0x0000 (zero) which is invalid, is not properly detected as the line responsible:
if (bpp != 1 && bpp != 4 && bpp != 8 && bpp && 16 && bpp != 24 && bpp != 32)
{
fprintf(stderr, "IMLIB ERROR: unknown bitdepth in file\n");
return NULL;
}


Incorrectly references && bpp && where it shouldn't have probably referenced it at all to prevent the value of 0x0000 from passing.

Since the bpp value of 0x0000 is used, the loop:
  for (line = (*h - 1); line >= 0; line--)
    {
      linepos = 0;
      for (column = 0; column < *w;)
    {

Will never advanced as no case inside the loop matches the bpp value of 0x0000.

Workaround:
Remove the && bpp && from the if statement found at line 648.

Vendor status:
We have tried to contact the security person responsible for the package in Debian, but they haven't addressed it. We have sent an email to the author of imlib on 2007-07-03 but the product appears to be no longer maintained by the author as the last release was released on 2004-09-24.
=====================================================

Although I did not manage to get exploit seems that it's possibile to create one. Thus I'm setting status to major.