CVE-2010-0991 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0991): Multiple heap-based buffer overflows in imlib2 1.4.3 allow context-dependent attackers to execute arbitrary code via a crafted (1) ARGB, (2) XPM, or (3) BMP file, related to the IMAGE_DIMENSIONS_OK macro in lib/image.h.
According to Red Hat [1], only 1.4.3 is affected. There is not yet an upstream release, only a fix in SVN. I think we can wait until that new release is out.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=584885
imlib2-1.4.4 is now in the tree
It would be nice to punt 1.4.3, this can be closed afterwards, as a vulnerable version was never stable.
(In reply to comment #3)
> It would be nice to punt 1.4.3, this can be closed afterwards, as a vulnerable
> version was never stable.
Vapier, is this possible? Thank you.
I've punted everything older than 1.4.4
(In reply to comment #5)
> I've punted everything older than 1.4.4
Great, thank you. Closing noglsa.