libXpm Integer and Stack Overflows May Let Remote Users Execute Arbitrary Code

SecurityTracker Alert ID: 1011324
SecurityTracker URL: http://securitytracker.com/id?1011324
CVE Reference: CVE-2004-0687, CVE-2004-0688
Updated: May 23 2006
Original Entry Date: Sep 16 2004
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): X11 R6.8.0
Description: Some vulnerabilities were reported in libXpm. A remote user may be able to execute arbitrary code in applications that use libXpm.

The vendor reported integer overflows [CVE: CAN-2004-0687] and stack overflows [CVE: CAN-2004-0688] in libXpm, the X Pixmap library shipped as part of the X Window System.

A stack overflow is reported in xpmParseColors() in 'parse.c' that can be triggered by specially crafted XPMv1 and XPMv2/3 files. A demonstration exploit file is available at:
http://scary.beasts.org/misc/doom.xpm

A stack overflow is reported in the reading of pixel values in the ParseAndPutPixels() function in 'create.c' and in the ParsePixels() function in 'parse.c'. A demonstration exploit file is available at:
http://scary.beasts.org/misc/doom2.xpm

An integer overflow is reported in the colorTable allocation in xpmParseColors() in 'parse.c'. The XpmCreateImageFromXpmImage, CreateXImage, ParsePixels, and ParseAndPutPixels functions are affected.

The vendor credits Chris Evans with reporting these flaws. The advisory from Chris Evans is available at:
http://scary.beasts.org/security/CESA-2004-003.txt
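The integer overflow class reported for the colorTable allocation can be seen in the size arithmetic alone. The following is an added example, not libXpm code and not the vendor patch; it assumes the color count comes from the image file and that sizes are computed in 32 bits, and `color_entry`, `unchecked_table_bytes`, `checked_table_bytes` and `alloc_color_table` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for one colour-table entry (not libXpm's type). */
typedef struct {
    char *name;
    char *symbolic;
    char *color;
} color_entry;

/* Unchecked size computation in 32-bit arithmetic: the product wraps
 * modulo 2^32, so a huge count can yield a tiny byte count. */
uint32_t unchecked_table_bytes(uint32_t ncolors, uint32_t entry_size)
{
    return ncolors * entry_size;
}

/* Checked form: 0 on success with the byte count in *out, -1 when the
 * count is zero or the product would not fit in 32 bits. */
int checked_table_bytes(uint32_t ncolors, uint32_t entry_size, uint32_t *out)
{
    if (ncolors == 0 || entry_size == 0)
        return -1;
    if (ncolors > UINT32_MAX / entry_size)
        return -1;
    *out = ncolors * entry_size;
    return 0;
}

/* Allocate a zeroed table only after the file-supplied count passes the
 * check; the caller must treat NULL as "reject this file". */
color_entry *alloc_color_table(uint32_t ncolors)
{
    uint32_t bytes;
    if (checked_table_bytes(ncolors, (uint32_t)sizeof(color_entry), &bytes) != 0)
        return NULL;
    return calloc(1, bytes);
}

int main(void)
{
    /* Constructed header value: 0x40000001 entries of 4 bytes each. */
    printf("unchecked bytes: %u\n", (unsigned)unchecked_table_bytes(0x40000001u, 4));
    printf("checked alloc: %s\n", alloc_color_table(0x40000001u) ? "ok" : "rejected");
    return 0;
}
```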
Impact: A remote user can create a specially crafted image file that, when processed by an application using libXpm, will execute arbitrary code on the target system with the privileges of the target application.

Solution: The vendor has released a fixed version (6.8.1), available at:
http://freedesktop.org/~xorg/X11R6.8.1/src/
The vendor has also released a patch for version 6.8.0, available at:
http://www.x.org/pub/X11R6.8.0/patches/xorg-CAN-2004-0687-0688.patch

Vendor URL: www.x.org/pub/X11R6.8.0/patches/README.xorg-CAN-2004-0687-0688.patch
Cause: Boundary error
Underlying OS: Linux (Any), UNIX (Any)
Source Message Contents

Date: Thu, 16 Sep 2004 10:21:53 -0400
Subject: http://www.x.org/pub/X11R6.8.0/patches/README.xorg-CAN-2004-0687-0688.patch
X.Org Foundation SECURITY ADVISORY 2004-09-15
==============================================

Brookline MA, September 15, 2004 - X.Org has been made aware of a
possible security vulnerability in libXpm, the X Pixmap library which
is shipped as part of the X Window System. The affected library is
used in many popular applications for image viewing and manipulation.

Several stack overflows and integer overflows have been identified
which may allow malicious XPM files to crash applications linking
against libXpm. Furthermore the overflows may also be exploited to
execute code under the account of the user running an application
linked against libXpm.

The CVE numbers for these vulnerabilities are CAN-2004-0687 (integer
overflows) and CAN-2004-0688 (stack overflows).

Please check also:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0687
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0688

This advisory affects all known versions and releases of the
X Window System shipping versions of libXpm, whether from X.Org or
other vendors. Therefore users are strongly recommended to upgrade.

A fix is available under:
http://www.x.org/pub/X11R6.8.0/patches/xorg-CAN-2004-0687-0688.patch

X.Org will provide a security update release for X11 R6.8.0 shortly.
Vendors shipping releases of the X Window System have been informed
and will provide updates for their software.

The X.Org Foundation would like to thank Chris Evans for identifying
the security exploits as well as Matthieu Herrb and Alan Coopersmith
for providing a patch.