Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 154216 - media-libs/imlib2: unspecified errors leading to DoS and execution of code (CVE-2006-480[6789])
Summary: media-libs/imlib2: unspecified errors leading to DoS and execution of code (C...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/22732/
Whiteboard: A/B? 1?/2 [glsa] Falco
Keywords:
Depends on:
Blocks:
 
Reported: 2006-11-06 01:31 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2006-12-21 05:47 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
99_loader_overflows.patch for imlib2-1.2.1 from Ubuntu (99_loader_overflows.patch,9.18 KB, patch)
2006-11-06 05:32 UTC, Andreas Niederl
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-11-06 01:31:43 UTC
Hello vapier, maybe some stuff for you when an update is avaible.



http://secunia.com/product/3880/

DESCRIPTION:
Some vulnerabilities have been reported in imlib2, which can be
exploited by malicious people to cause a DoS (Denial of Service) or
potentially compromise an application using the library.

The vulnerabilities are caused due to unspecified errors within the
processing of JPG, ARGB, PNG, LBM, PNM, TIFF, and TGA images. This
may be exploited to execute arbitrary code by e.g. tricking a user
into opening a specially crafted image file with an application using
imlib2.

SOLUTION:
Do not open untrusted images with an application using the library.

PROVIDED AND/OR DISCOVERED BY:
Ubuntu credits M. Joonas Pihlaja

ORIGINAL ADVISORY:
http://www.ubuntu.com/usn/usn-376-1
Comment 1 Andreas Niederl 2006-11-06 05:30:42 UTC
Ubuntu seems to have a patch for this.
The new packages are linked on http://www.securityfocus.com/archive/1/450551 and when applying the Ubuntu-specific package patch to the original source tree there appears a file debian/patches/99_loader_overflows.patch which supposedly fixes this vulnerability.
Comment 2 Andreas Niederl 2006-11-06 05:32:28 UTC
Created attachment 101331 [details, diff]
99_loader_overflows.patch for imlib2-1.2.1 from Ubuntu
Comment 3 SpanKY gentoo-dev 2006-11-06 07:12:03 UTC
ive used the actual fix committed upstream and added 1.3.0 with it
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2006-12-13 04:12:09 UTC
looks like a forgotten bug here

1.3.0 has been marked stable on all arches

CVEs talk about <1.2.1 being affected, can someone confirm that <1.3.0 has been affected as well?

looks like this will need a GLSA then
Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-15 07:55:33 UTC
(In reply to comment #4)

> CVEs talk about <1.2.1 being affected, can someone confirm that <1.3.0 has been
> affected as well?

that's a good question


> 
> looks like this will need a GLSA then
> 


i agree
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2006-12-15 08:10:45 UTC
Yeah I think we need a GLSA for this one.
Comment 7 Wolf Giesen (RETIRED) gentoo-dev 2006-12-15 10:24:20 UTC
Seems to by my affirmative day today. "Yes".
Comment 8 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-19 08:31:33 UTC
Hu, what are exactly the vulnerable and the fixed versions??
Comment 9 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-21 05:47:09 UTC
GLSA 200612-20 , thanks everybody!