
Bug 248057 (CVE-2008-5187)

Summary: media-libs/imlib2<=1.4.2 XPM loader buffer overflow (CVE-2008-5187)
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: vapier
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505714#15
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2008-11-21 21:05:02 UTC
CVE-2008-5187 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5187):
  The load function in the XPM loader for imlib2 1.4.2, and possibly
  other versions, allows attackers to cause a denial of service (crash)
  and possibly execute arbitrary code via a crafted XPM file that
  triggers a "pointer arithmetic error" and a heap-based buffer
  overflow, a different vulnerability than CVE-2008-2426.  NOTE: the
  provenance of this information is unknown; the details are obtained
  solely from third party information.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-11-27 19:00:55 UTC
Patch has been applied upstream:
svn diff -c 37744 http://svn.enlightenment.org/svn/e/trunk/imlib2
Comment 2 SpanKY gentoo-dev 2008-11-27 19:38:30 UTC
Thanks for the easy-to-use link ... I've applied the patch to 1.4.2-r1

Since this is the only change in 1.4.2 (which is current stable), moving 1.4.2-r1 to stable should be fairly trivial ...
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-30 17:17:36 UTC
Arches, please test and mark stable:
=media-libs/imlib2-1.4.2-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
Comment 4 Tobias Scherbaum (RETIRED) gentoo-dev 2008-11-30 21:18:12 UTC
ppc stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2008-12-01 06:56:13 UTC
Stable for HPPA.
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-12-01 11:12:13 UTC
alpha/arm/ia64/sparc/sh/x86 stable
Comment 7 Brent Baude (RETIRED) gentoo-dev 2008-12-01 15:17:29 UTC
ppc64 done
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-07 11:52:36 UTC
amd64 stable, although I failed and used cvs commit instead of repoman. Seems to be fixed now.
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-07 11:53:58 UTC
GLSA request filed.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-12-23 22:45:30 UTC
GLSA 200812-23