Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
(IBM Issues Fix for AIX) libXpm Integer and Stack Overflows May Let Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1011450 |
|
SecurityTracker URL: http://securitytracker.com/id/1011450
|
|
CVE Reference:
CVE-2004-0687, CVE-2004-0688
(Links to External Site)
|
Date: Sep 29 2004
|
Impact:
Execution of arbitrary code via network, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): X11 R6.8.0
|
Description:
Some vulnerabilities were reported in libXpm. A remote user may be able to execute arbitrary code on applications that use libXpm.
The vendor reported that there are some integer overflows [CVE: CAN-2004-0687] and stack overflows [CVE: CAN-2004-0688] in the libXpm X Pixmap library, shipped as part of the X Window System.
A stack overflow is reported in xpmParseColors() in 'parse.c' that can be triggered by a specially crafted XPMv1 and XPMv2/3 file. A demonstration exploit file is available at:
http://scary.beasts.org/misc/doom.xpm
A stack overflow is reported in the reading of pixel values in the ParseAndPutPixels() function in 'create.c' and in the ParsePixels() function in 'parse.c'. A demonstration exploit file is available at:
http://scary.beasts.org/misc/doom2.xpm
An integer overflow is reported in the colorTable allocation in xpmParseColors() in 'parse.c'. The XpmCreateImageFromXpmImage, CreateXImage, ParsePixels, ParseAndPutPixels, and ParsePixels are affected.
The vendor credits Chris Evans with reporting these flaws. The advisory from Chris Evans is available at:
http://scary.beasts.org/security/CESA-2004-003.txt
|
Impact:
A remote user can create a specially crafted image file that, when processed by an application using libXpm, will execute arbitrary code on the target system with the privileges of the target application.
|
Solution:
IBM plans to issue the following fixes:
APAR number for AIX 5.1.0: IY61953 (available approx. 11/08/04)
APAR number for AIX 5.2.0: IY61954 (available approx. 11/08/04)
APAR number for AIX 5.3.0: IY61956 (available approx. 11/08/04)
In the interim, Efixes are available for AIX 5.1.0 and 5.2.0 at:
ftp://aix.software.ibm.com/aix/efixes/security/libxm_efix.tar.Z
|
Vendor URL: www.x.org/pub/X11R6.8.0/patches/README.xorg-CAN-2004-0687-0688.patch (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS:
UNIX (AIX)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Tue, 28 Sep 2004 20:41:43 -0400
Subject: [none]
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
IBM SECURITY ADVISORY
First Issued: Thu Apr 22 15:17:51 CDT 2004
===========================================================================
VULNERABILITY SUMMARY
VULNERABILITY: Buffer overflows in libXm.a may allow an attacker to
execute arbitrary code.
Integer overflows in libXm.a may allow an attacker to
crash an application causing a denial of service.
PLATFORMS: AIX 5.1, 5.2 and 5.3.
SOLUTION: Apply the efixes or APARs as described below.
THREAT: An attacker may execute arbitrary code or cause a
denial of service.
CVE Number: CAN-2004-0688 (Buffer overflows)
CAN-2004-0687 (Integer overflows)
===========================================================================
DETAILED INFORMATION
I. Description
===============
Buffer overflows and integer overflows have been discovered in the X Pixmap
library (libXm.a) used by Motif 2.1. The buffer overflow conditions may
allow an attacker to execute arbitrary code. The integer overflow
conditions can be exploited to cause a denial of service.
AIX does not ship with any applications that use the vulnerable library.
However customers using libXm.a in the Motif 2.1 GUI toolkit are urged to
apply the relevant fixes. Applications which use this library to operate on
XPM files may be affected.
The library affected by these issues ship as part of the X11.motif.lib
fileset. To determine if this fileset is installed, execute the following
command:
# lslpp -L X11.motif.lib
If the fileset is installed it will be listed along with its version
information, state, type and a description.
The following versions of the X11.motif.lib fileset are vulnerable:
AIX 5.1.0: X11.motif.lib.5.1.0.57 and earlier
AIX 5.2.0: X11.motif.lib.5.2.0.41 and earlier
AIX 5.3.0: X11.motif.lib.5.3.0.0
II. Impact
==========
An attacker may cause a denial of service or execute arbitrary code.
III. Solutions
===============
A. Official Fix
IBM provides the following fixes:
APAR number for AIX 5.1.0: IY61953 (available approx. 11/08/04)
APAR number for AIX 5.2.0: IY61954 (available approx. 11/08/04)
APAR number for AIX 5.3.0: IY61956 (available approx. 11/08/04)
NOTE: Affected customers are urged to upgrade to 5.1.0, 5.2.0 or 5.3.0 at
the latest maintenance level.
B. Emergency Fix
Efixes are available for AIX 5.1.0 and 5.2.0. The efixes can be
downloaded via ftp from:
ftp://aix.software.ibm.com/aix/efixes/security/libxm_efix.tar.Z
libxm_efx.tar.Z is a compressed tarball containing this advisory, three
efix packages for 5.1.0, 5.2.0 and 5.3.0 and cleartext PGP signatures for
each efix package.
Verify you have retrieved the efixes intact:
- --------------------------------------------
The checksums below were generated using the "sum" and "md5sum" commands
and are as follows:
Filename sum md5
======================================================================
iy61953.040916.epkg.Z 18063 3565 0210a5f314a7c91080fb290ee35d4016
iy61954.040916.epkg.Z 44766 3454 e8982978c31a46f596e06de5b4f3c42c
iy61956.040916.epkg.Z 40701 3471 7dd3a876fae585cc3e25c28d1220a55c
These sums should match exactly. The PGP signatures in the compressed
tarball and on this advisory can also be used to verify the integrity of
the various files they correspond to. If the sums or signatures cannot be
confirmed, double check the command results and the download site address.
If those are OK, contact IBM AIX Security at security-alert@austin.ibm.com
and describe the discrepancy.
IMPORTANT: If possible, it is recommended that a mksysb backup of the
system is created. Verify it is both bootable, and readable before
proceeding.
These efixes have not been fully regression tested; thus, IBM does not
warrant the fully correct functioning of the efix. Customers install the
efix and operate the modified version of AIX at their own risk.
Efix Installation Instructions:
- - -------------------------------
The efix package for AIX 5.1.0, 5.2.0 and 5.3.0 are named
iy61953.040914.epkg.Z, iy61954.040914.epkg.Z and iy61956.040914.epkg.Z
respectively.
These packages use the new Emergency Fix Management Solution to install
and manage efixes. More information can be found at:
http://techsupport.services.ibm.com/server/aix.efixmgmt
To preview an epkg efix installation execute the following command:
# emgr -e epkg_name -p # where epkg_name is the name of the
# efix package being previewed.
To install an epkg efix package, execute the following command:
# emgr -e epkg_name -X # where epkg_name is the name of the
# efix package being installed.
The "X" flag will expand any filesystems if required.
IV. Obtaining Fixes
===================
AIX Version 5 APARs can be downloaded from the eServer pSeries Fix Central
web site:
http://www-912.ibm.com/eserver/support/fixes/fcgui.jsp
Security related Emergency Fixes can be downloaded from:
ftp://aix.software.ibm.com/aix/efixes/security
V. Contact Information
========================
If you would like to receive AIX Security Advisories via email, please visit:
https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs
Comments regarding the content of this announcement can be directed to:
security-alert@austin.ibm.com
To request the PGP public key that can be used to communicate securely with
the AIX Security Team send email to security-alert@austin.ibm.com with a
subject of "get key". The key can also be downloaded from a PGP Public Key
Server. The key id is 0x3AE561C3.
Please contact your local IBM AIX support center for any assistance.
eServer is a trademark of International Business Machines Corporation.
IBM, AIX and pSeries are registered trademarks of International Business
Machines Corporation. All other trademarks are property of their respective
holders.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)
iD8DBQFBUtzP+0ah+jrlYcMRAgD/AJ9W6MFd4u+DgAWWewDXiZIKzT5PTgCfbeUs
NuukZOMiI3R2NaLepBziJAY=
=xHFt
-----END PGP SIGNATURE-----
Download fixes
<http://www.ibm.com/servers/eserver/support/pseries/aixfixes.html>
Supported products
Find end of support dates for AIX and software running on AIX
<http://www.ibm.com/services/sl/products>
pSeries support
Visit pSeries Support for a wide array of technical resources.
<http://www.ibm.com/servers/eserver/support/pseries>
Subscription options
Update your profile
<https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs?mode=2>
Unsubscribe
<https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs?mode=3>
More News
Sign up for customized weekly newsletter from IBM
<http://isource.ibm.com/world/index.shtml>
------------------------------------------------------------------------
------------------------------------------------------------------------
IBM, eServer and pSeries are trademarks or registered trademarks of
International Business Machines Corporation in the United States or
other countries, or both.
ALL INFORMATION IS PROVIDED BY IBM ON AN "AS IS" BASIS ONLY. IBM
PROVIDES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE,
MERCHANTABILITY AND NONINFRINGMENT.
This document may be copied provided all text is included and copies
contain IBM's copyright notice and any other notices provided herein.
|
|
Go to the Top of This SecurityTracker Archive Page
|
