Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 175670 - x11-misc/xnview XPM File Handling Buffer Overflow (CVE-2007-2194, CVE-2008-0064, CVE-2008-1461)
Summary: x11-misc/xnview XPM File Handling Buffer Overflow (CVE-2007-2194, CVE-2008-00...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High enhancement (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/24973/
Whiteboard: B2 [maskglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-04-23 09:08 UTC by Lars Hartmann
Modified: 2008-04-01 15:54 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Lars Hartmann 2007-04-23 09:08:49 UTC
Hi,
i found this vuln on secunia, looks like xnview has an unfixed buffer overflow in the xpm file handling function.
There are a few exploits around, and the only workaround 'yet' is to not open xpm files you dont trust.

Reproducible: Always
Comment 1 Lars Hartmann 2007-04-24 15:42:05 UTC
maintainers - please provide a fix
Comment 2 Krzysztof Pawlik (RETIRED) gentoo-dev 2007-04-24 18:53:19 UTC
Latest for Linux is 1.70 (http://perso.orange.fr/pierre.g/xnview/endownloadlinux.html), the advisory doesn't state if it's affected. It's a binary package, so we can't just patch it. If it's confirmed in 1.70 for linux-x86 and/or 1.50 for linux-ppc I'm for masking this as this is a second security bug in it (the first one is http://www.gentoo.org/security/en/glsa/glsa-200512-18.xml).
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-05-03 18:27:28 UTC
just mailed upstream to get some infos on this.
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2007-05-20 07:19:40 UTC
Any news from upstream?
Comment 5 Samuli Suominen gentoo-dev 2007-07-01 05:18:47 UTC
Any news with this one?
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2007-07-01 08:56:25 UTC
According to Secunia there is still no fix available.
Comment 7 Krzysztof Pawlik (RETIRED) gentoo-dev 2007-07-01 09:39:42 UTC
I'm for p.mask and removal in 14 days.
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-01 09:54:47 UTC
upstream should release 1.70.2 which fixes this, but I don't know when. I tried to send another e-mail few days ago and I'm waiting for an answer. btw I agree for p.mask until there's a fix available.
Comment 9 Krzysztof Pawlik (RETIRED) gentoo-dev 2007-07-01 10:20:09 UTC
+# Krzysiek Pawlik <nelchael@gentoo.org> (01 Jul 2007)
+# Masked for security bug #175670.
+# Waiting for upstream to provide a fixed version.
+# If the fix won't be available the package will be removed.
+x11-misc/xnview
+
Comment 10 Stefan Cornelius (RETIRED) gentoo-dev 2007-07-11 21:10:17 UTC
GLSA 200707-06.

Thanks everybody
Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-01-31 21:35:14 UTC
some news: http://secunia.com/advisories/28326/

Dercorny, do you know iif the XPM issue is fixed in version 1.92?
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2008-03-24 23:43:58 UTC
CVE-2008-1461 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1461):
  Buffer overflow in XnView 1.92.1 allows user-assisted remote attackers to
  execute arbitrary code via a long filename argument on the command line.
  NOTE: it is unclear whether there are common handler configurations in which
  this argument is controlled by an attacker.
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2008-03-24 23:49:34 UTC
Already masked, and maskglsa'd. The Linux build has not been updated since 2006. 
Can we remove this?
Comment 14 Samuli Suominen gentoo-dev 2008-04-01 15:52:24 UTC
Not in tree anymore. If upstream doesn't care about updating their binary blob for  security, but does updates for Windows version.. we should we care?

Gone. Gone. Gone.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2008-04-01 15:54:45 UTC
Closing since this got maskglsa 200707-06.
Thanks, drac.