Debian Security Advisory
DSA-628-1 imlib2 -- integer overflows
- Date Reported:
- 06 Jan 2005
- Affected Packages:
- imlib2
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2004-1026, CVE-2004-1025.
- More information:
-
Pavel Kankovsky discovered that several overflows found in the libXpm library were also present in imlib and imlib2, imaging libraries for X11. An attacker could create a carefully crafted image file in such a way that it could cause an application linked with imlib or imlib2 to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project identifies the following problems:
- CAN-2004-1025
Multiple heap-based buffer overflows. No such code is present in imlib2.
- CAN-2004-1026
Multiple integer overflows in the imlib library.
For the stable distribution (woody) these problems have been fixed in version 1.0.5-2woody2.
For the unstable distribution (sid) these problems will be fixed soon.
We recommend that you upgrade your imlib2 packages.
- CAN-2004-1025
- Fixed in:
-
Debian GNU/Linux 3.0 (woody)
- Source:
- http://security.debian.org/pool/updates/main/i/imlib2/imlib2_1.0.5-2woody2.dsc
- http://security.debian.org/pool/updates/main/i/imlib2/imlib2_1.0.5-2woody2.diff.gz
- http://security.debian.org/pool/updates/main/i/imlib2/imlib2_1.0.5.orig.tar.gz
- http://security.debian.org/pool/updates/main/i/imlib2/imlib2_1.0.5-2woody2.diff.gz
- Alpha:
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2_1.0.5-2woody2_alpha.deb
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_alpha.deb
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_alpha.deb
- ARM:
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2_1.0.5-2woody2_arm.deb
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_arm.deb
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2_1.0.5-2woody2_i386.deb
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_i386.deb
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2_1.0.5-2woody2_ia64.deb
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_ia64.deb
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_ia64.deb
- HPPA:
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2_1.0.5-2woody2_hppa.deb
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_hppa.deb
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_hppa.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2_1.0.5-2woody2_m68k.deb
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_m68k.deb
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_m68k.deb
- Big endian MIPS:
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2_1.0.5-2woody2_mips.deb
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_mips.deb
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_mips.deb
- Little endian MIPS:
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2_1.0.5-2woody2_mipsel.deb
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_mipsel.deb
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2_1.0.5-2woody2_powerpc.deb
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_powerpc.deb
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2_1.0.5-2woody2_s390.deb
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_s390.deb
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2_1.0.5-2woody2_sparc.deb
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_sparc.deb
- http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_sparc.deb
MD5 checksums of the listed files are available in the original advisory.