Bug at http://bugzilla.gnome.org/show_bug.cgi?id=151034
imlib BMP Decoding Buffer Overflow May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1011104
SecurityTracker URL: http://securitytracker.com/id?1011104
CVE Reference: CAN-2004-0817 (Links to External Site)
Date: Aug 31 2004
Impact: Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available: Yes Exploit Included: Yes Vendor Confirmed: Yes
Description: A vulnerability was reported in imlib in the processing of BMP images. A remote user can cause imlib to crash or potentially execute arbitrary code.
The vendor reported that a remote user can create a specially crafted BMP image file containing runlength-encoded images that, when decoded by the target user, will cause imblib to crash.
Marcus Meissner discovered this vulnerability.
A demonstration exploit image from Chris Evans is available at:
Impact: A remote user can create a BMP file that, when decoded by the target user, will cause imlib to crash. It may also be possible to cause arbitrary code to be executed. The specific impact depends on the application using imlib.
Solution: A patch is available at:
There was also a vulnerability in imlib2
This has been fixed by bumping the ebuild today:
*imlib2-1.1.2 (31 Aug 2004)
31 Aug 2004; Mike Frysinger <firstname.lastname@example.org> -files/1.1.0-gcc-3.4.patch,
-imlib2-1.1.0.ebuild, -imlib2-1.1.1.ebuild, +imlib2-1.1.2.ebuild:
Version bump + stable for security.
We've two affected packages : media-libs/imlib and media-libs/imlib2.
media-libs/imlib is still at unpatched 1.9.14 level, we need an ebuild bump.
media-libs/imlib2 is ready for GLSA with version 1.1.2.
No maintainer. vapier, you bumped imlib2, could you do the same for imlib ?
gnome maintains imlib-1.x
Gnome team, please apply fix to imlib...
there's no metadata, gnome does not maintain this, it just happens to be somewhere in our chain of (gnome1) deps & we're very short on time.
The patch looks fine to me, apply & test & go ahead afa the gnome team ic.
Created attachment 39049 [details, diff]
Patch from email@example.com
Patch taken from http://bugzilla.gnome.org/attachment.cgi?id=30934&action=view
There is also a second patch available there by Dimitry V. Levin, but he
"Here is a patch I'm going to use for updates.
While I'm not sure that result image will be correct, this patch addresses all
potential heap corruption problems found in loader_bmp() so far, and allows to
load as much bmp data as possible."
Created attachment 39050 [details, diff]
simple patch to the ebuild to include the bmp patch
seems to apply and compile cleanly
Something seems wrong here.
I tried with xzgv ( which depends on imlib ) and tried the exploit, which gave
the correct effect ( xzgv took the big one ). However, after applying the
patch, re-emerging imlib, and even re-emerging xzgv, it still bites the big
one while loading the exploit file.
I did an strace to make sure, and sure enough it bites the big one shortly
after accessing imlib. I think we should probably upstream this, and I'll
attach the relevant strace output for upstream to look at.
Created attachment 39067 [details]
imlib strace output
Reported upstream, resetting status whiteboard.
Version to use is imlib-1.9.14-r2
ppc sparc amd64:
alpha hppa ia64 mips ppc64:
Mark stable for benifit of the GLSA
x86 was marked by me.
The problem was with imlib based programs crashing when opening an exploitable
BMP file. This was the steps taken to test for this exploit:
1) A program that utilized imlib was established (xzgv)
2) I opened this bmp:
which crashed the program as expected.
3) Re-emerged imlib-1.9.14-r2, compiled fine
4) opened the example.bmp file again with xzgv and no crash occured.
5) Opened this bmp:
and the image loaded fine.
6) Also tested on some .jpg's and .png's as well.
The only problem being that xzgv is only x86 marked. The 2 options would be:
a) march xzgv on your arch and use that
b) use any other imlib based program you feel comfortable with (not imlib2
Good luck and let us know of any conflicts that may occur.
marked stable for ppc/hppa/amd64/ia64
Stable on alpha.
mips, ppc64 : mark stable to benefit from GLSA
Thanks, stable on ppc64
Stable on mips.