The load function in the XPM loader for imlib2 1.4.2, and possibly
other versions, allows attackers to cause a denial of service (crash)
and possibly execute arbitrary code via a crafted XPM file that
triggers a "pointer arithmetic error" and a heap-based buffer
overflow, a different vulnerability than CVE-2008-2426. NOTE: the
provenance of this information is unknown; the details are obtained
solely from third party information.
Patch has been applied upstream:
svn diff -c 37744 http://svn.enlightenment.org/svn/e/trunk/imlib2
thanks for the easy-to-use link ... ive applied the patch to 1.4.2-r1
since this is the only change in 1.4.2 (which is current stable), moving 1.4.2-r1 to stable should be fairly trivial ...
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
Stable for HPPA.
amd64 stable, although I failed and used cvs commit instead of repoman. Seems to be fixed now.
GLSA request filed.