FL uses an older version than we have in Portage, but we might be affected anyway. Snipped from FL bug: I've discovered more vulnerabilities in Imlib (1.9.13). In particular, it appears to be affected by a variant of Chris Evans' libXpm flaw #1 (CAN-2004-0782, see http://scary.beasts.org/security/CESA-2004-003.txt). Look at the attached image, it kills ee on my 7.3.
The patch in the RedHat bug is for .13, but seems to fix stuff present in .14 too. Then there is this Fedora bug https://bugzilla.fedora.us/show_bug.cgi?id=2051#c11 with patches provided by Pavel Kankovsky. The patch for .14 seems to be mainly the same as we have in portage atm, but someone might want to check out the patches for .13, which seem to patch stuff present in .14 too.
gnome team, please verify, advise and apply patches if appropriate patches can be found in the two bug reports mentioned in the above comments
Could not reproduce this, but I don't know what really makes use of imlib...
gnome1 apps probably.
>Could not reproduce this, but I don't know what really makes use of imlib... >gnome1 apps probably. a wide range of apps does: x11-plugins/gkrellm-radio x11-plugins/gkrellm-alltraxclock x11-plugins/epplets x11-plugins/gkrellmoon x11-plugins/gkrellsun x11-plugins/gkrellm-console x11-plugins/gkrellm-mailwatch x11-plugins/gkrellm-bfm x11-plugins/gkrellmouse x11-plugins/gkrellscore x11-plugins/gkrellshoot x11-libs/libast x11-misc/bbrb x11-misc/pogo x11-misc/e16menuedit x11-misc/idesk x11-misc/wmakerconf x11-misc/e16keyedit www-client/w3m www-client/w3mmee www-client/w3m-m17n games-strategy/freeciv x11-terms/mlterm app-admin/gkrellm x11-themes/gtk-engines x11-themes/qtpixmap gnome-base/gnome-libs app-i18n/minichinput app-i18n/chinput app-misc/dfm app-misc/endeavour kde-base/kdegraphics mail-client/balsa mail-client/sylpheed-claws mail-client/sylpheed media-gfx/iv media-gfx/qiv media-gfx/xzgv media-gfx/frontline media-gfx/digikam media-gfx/gphoto media-gfx/gimageview net-irc/bitchx net-www/amaya media-libs/fnlib net-im/amsn net-im/gnophone net-libs/jaimlib games-board/eboard app-office/magicpoint x11-wm/fvwm x11-wm/qvwm x11-wm/xfce x11-wm/icewm x11-wm/sawfish x11-wm/enlightenment dev-lang/R dev-lang/entity dev-ruby/ruby-gdkimlib dev-ruby/ruby-gnome dev-python/pygtk dev-python/gnome-python app-editors/zoinks media-sound/yconsole media-video/kino media-video/motioneye media-video/camserv app-sci/scigraphica games-kids/lletters games-kids/stickers
I have added imlib-1.9.14-r3 to cvs ( with the patch from https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138516 ). That combined with our patch takes care of the overflow issues. Archs please test and mark stable.
stable on amd64
stable on ppc
arm/hppa/ia64 stable
stable on ppc64
err didnt mean to close
Stable for sparc.
Stable on alpha.
stable on mips
GLSA drafted
GLSA 200412-03