Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 71642

Summary: x11-base/xorg-x11, xfree: vulnerabilities in libXpm
Product: Gentoo Security Reporter: Thierry Carrez (RETIRED) <koon>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: dberkholz, fmccor
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description Thierry Carrez (RETIRED) gentoo-dev 2004-11-18 00:48:26 UTC
X.Org Foundation Security Advisory

                     For X Window System 
               Versions X11R6.8.0 and X11R6.8.1
                      17 November 2004

            - - - - - - - - - - - - - - - - - - - - -

Brookline MA, November 17, 2004 - The X.Org Foundation today announced
the release of a patch for the X Window System, which addresses the 
security vulnerability first announced on September 15, 2004, with 
the release of source patch CAN-2004-0687-0688.patch.

X.Org was made aware of additional security vulnerability in libXpm, the X 
Pixmap library, which is shipped as part of the X Window System. The 
affected library is used in many popular application for image viewing and 
manipulation. This library was subject of recent security advisories 
(CAN-2004-0687 and CAN-2004-0688).

1. Description

libXpm is a library for manipulating pixmaps used by the X Window
System.  After the release of the X11R6.8.1 security release, a more
extensive security audit was made. 

Several integer overflows and out-of-bounds memory accesses have been
identified and fixed, a path traversal has been fixed and shell command 
execution has been made more secure. This new fix also addresses possible 
endless loops and memory leaks. These vulnerabilities may allow an 
application linking against libXpm to crash, to become unusable, or to 
execute other code of a user running an application linked against libXpm.

2. CVE Information

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2004-0914 to these issues. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems. You may check: 
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0914
 

3. Affected versions

All X.Org release up to and including R6.8.1 are vulnerable. Products like 
XFree86, lesstif and OpenMotif, which include libXpm are likely to be 
affected. 

4. Available patch.

A source patch is available for:
  X.Org Release 6.8.0 under:
     http://www.x.org/pub/X11R6.8.0/patches/xorg-680-CAN-2004-0914.patch
  and X.Org Release 6.8.1 under:
     http://www.x.org/pub/X11R6.8.1/patches/xorg-681-CAN-2004-0914.patch
and from X.Org mirror sites world-wide.

5. Acknowledgments

The X.Org Foundation would like to thank Petr Mladek for identifying the
vulnerabilities and providing a patch, and Thomas Biege for systematically 
reviewing the libXpm code and fixing additional possible vulnerabilities. 
The X.Org Foundation would also thank Matthieu Herrb and Jacques A. Vidrine
for their help in auditing the code, reviewing the patch and suggesting 
additional fixes.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-11-18 00:54:40 UTC
Fixed versions are in portage :

xorg-x11-6.8.0-r3 = "x86 ~ppc sparc ppc64 alpha amd64"
xorg-x11-6.7.0-r3 = "x86 ppc ~sparc alpha"
xfree-4.3.0-r8 = "x86 alpha"

All needed keywords are there, ready for a GLSA.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-11-19 14:29:53 UTC
GLSA 200411-28