Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 62487 - media-libs/imlib-1.9.14: BMP Decoding Buffer Overflow May Let Remote Users Execute Arbitrary Code
Summary: media-libs/imlib-1.9.14: BMP Decoding Buffer Overflow May Let Remote Users Ex...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High major (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
Depends on:
Reported: 2004-09-01 03:01 UTC by Matthias Geerdsen (RETIRED)
Modified: 2011-10-30 22:41 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Patch from (imlib-CAN-2004-0817.patch,906 bytes, patch)
2004-09-06 07:26 UTC, Matthias Geerdsen (RETIRED)
no flags Details | Diff
simple patch to the ebuild to include the bmp patch (imlib.diff,759 bytes, patch)
2004-09-06 07:30 UTC, Matthias Geerdsen (RETIRED)
no flags Details | Diff
imlib strace output (imlib.out,3.16 KB, text/plain)
2004-09-06 09:48 UTC, Chris White (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-01 03:01:38 UTC
Bug at

imlib BMP Decoding Buffer Overflow May Let Remote Users Execute Arbitrary Code

SecurityTracker Alert ID:  1011104
SecurityTracker URL:
CVE Reference:  CAN-2004-0817   (Links to External Site)
Date:  Aug 31 2004
Impact:  Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  

Version(s): 1.9.14

Description:  A vulnerability was reported in imlib in the processing of BMP images. A remote user can cause imlib to crash or potentially execute arbitrary code.

The vendor reported that a remote user can create a specially crafted BMP image file containing runlength-encoded images that, when decoded by the target user, will cause imblib to crash.

Marcus Meissner discovered this vulnerability.

A demonstration exploit image from Chris Evans is available at:

Impact:  A remote user can create a BMP file that, when decoded by the target user, will cause imlib to crash. It may also be possible to cause arbitrary code to be executed. The specific impact depends on the application using imlib.

Solution:  A patch is available at:
There was also a vulnerability in imlib2

This has been fixed by bumping the ebuild today:
*imlib2-1.1.2 (31 Aug 2004)

  31 Aug 2004; Mike Frysinger <> -files/1.1.0-gcc-3.4.patch,
  -imlib2-1.1.0.ebuild, -imlib2-1.1.1.ebuild, +imlib2-1.1.2.ebuild:
  Version bump + stable for security.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-09-01 08:55:32 UTC
We've two affected packages : media-libs/imlib and media-libs/imlib2.

media-libs/imlib is still at unpatched 1.9.14 level, we need an ebuild bump.
media-libs/imlib2 is ready for GLSA with version 1.1.2.

No maintainer. vapier, you bumped imlib2, could you do the same for imlib ?
Comment 2 SpanKY gentoo-dev 2004-09-01 10:15:14 UTC
gnome maintains imlib-1.x
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-09-06 06:44:56 UTC
Gnome team, please apply fix to imlib...
Comment 4 foser (RETIRED) gentoo-dev 2004-09-06 06:52:48 UTC
there's no metadata, gnome does not maintain this, it just happens to be somewhere in our chain of (gnome1) deps & we're very short on time.

The patch looks fine to me, apply & test & go ahead afa the gnome team ic.
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-06 07:26:54 UTC
Created attachment 39049 [details, diff]
Patch from 

Patch taken from

There is also a second patch available there by Dimitry V. Levin, but he
"Here is a patch I'm going to use for updates.
While I'm not sure that result image will be correct, this patch addresses all
potential heap corruption problems found in loader_bmp() so far, and allows to
load as much bmp data as possible."
Comment 6 Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-06 07:30:13 UTC
Created attachment 39050 [details, diff]
simple patch to the ebuild to include the bmp patch

seems to apply and compile cleanly
Comment 7 Chris White (RETIRED) gentoo-dev 2004-09-06 09:47:25 UTC
Something seems wrong here.

I tried with xzgv ( which depends on imlib ) and tried the exploit, which gave
the correct effect ( xzgv took the big one ).  However, after applying the 
patch, re-emerging imlib, and even re-emerging xzgv, it still bites the big
one while loading the exploit file.

I did an strace to make sure, and sure enough it bites the big one shortly
after accessing imlib.  I think we should probably upstream this, and I'll
attach the relevant strace output for upstream to look at.
Comment 8 Chris White (RETIRED) gentoo-dev 2004-09-06 09:48:50 UTC
Created attachment 39067 [details]
imlib strace output
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-06 10:21:20 UTC
Reported upstream, resetting status whiteboard.
Comment 10 Chris White (RETIRED) gentoo-dev 2004-09-06 11:26:29 UTC
Version to use is imlib-1.9.14-r2

ppc sparc amd64: 

Mark stable

alpha hppa ia64 mips ppc64:

Mark stable for benifit of the GLSA

x86 was marked by me.

Test Case:

The problem was with imlib based programs crashing when opening an exploitable
BMP file.  This was the steps taken to test for this exploit:

1) A program that utilized imlib was established (xzgv)
2) I opened this bmp:

   which crashed the program as expected.
3) Re-emerged imlib-1.9.14-r2, compiled fine
4) opened the example.bmp file again with xzgv and no crash occured.
5) Opened this bmp:

and the image loaded fine.
6) Also tested on some .jpg's and .png's as well.

The only problem being that xzgv is only x86 marked.  The 2 options would be:

a) march xzgv on your arch and use that
b) use any other imlib based program you feel comfortable with (not imlib2

Good luck and let us know of any conflicts that may occur.
Comment 11 Gustavo Zacarias (RETIRED) gentoo-dev 2004-09-06 12:01:33 UTC
sparc stable.
Comment 12 SpanKY gentoo-dev 2004-09-07 17:18:05 UTC
marked stable for ppc/hppa/amd64/ia64
Comment 13 Bryan Østergaard (RETIRED) gentoo-dev 2004-09-07 18:41:44 UTC
Stable on alpha.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2004-09-08 02:11:30 UTC
GLSA 200409-12
mips, ppc64 : mark stable to benefit from GLSA
Comment 15 Tom Gall (RETIRED) gentoo-dev 2004-10-09 12:33:07 UTC
Thanks,  stable on ppc64
Comment 16 Hardave Riar (RETIRED) gentoo-dev 2004-10-16 23:08:16 UTC
Stable on mips.