>Number: 129037
>Category: ports
>Synopsis: [patch] [vuxml] graphics/imlib2: fix CVE-2008-5187
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Nov 21 05:50:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-PRERELEASE i386
>Organization: Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE i386
>Description:
Secunia discovered an imlib2 vulnerability that can be used to execute arbitrary code within the application that uses this library:
-----
The vulnerability is caused due to a pointer arithmetic error within the "load()" function provided by the XPM loader. This can be exploited to cause a heap-based buffer overflow via a specially crafted XPM file. Successful exploitation may allow execution of arbitrary code.
-----
>How-To-Repeat:
http://secunia.com/Advisories/32796
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5187
>Fix:
The following patch adds the patch from Debian developers. It is supposed to fix the issue.
--- fix-imlib2-1.4.1.000.diff begins here ---
diff -urN ./Makefile ../imlib2/Makefile --- ./Makefile 2008-11-20 20:30:31.000000000 +0300 +++ ../imlib2/Makefile 2008-11-21 08:28:40.000000000 +0300 @@ -7,7 +7,7 @@ PORTNAME= imlib2 PORTVERSION= 1.4.1.000 -PORTREVISION= 0 +PORTREVISION= 1 PORTEPOCH= 2 CATEGORIES= graphics MASTER_SITES= ftp://ftp.springdaemons.com/pub/snapshots/e17/ \ diff -urN ./files/patch-CVE-2008-5187 ../imlib2/files/patch-CVE-2008-5187 --- ./files/patch-CVE-2008-5187 1970-01-01 03:00:00.000000000 +0300 +++ ../imlib2/files/patch-CVE-2008-5187 2008-11-21 08:24:16.000000000 +0300 
@@ -0,0 +1,14 @@ +Obtained from: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505714#15 + +--- src/modules/loaders/loader_xpm.c ++++ src/modules/loaders/loader_xpm.c +@@ -246,8 +246,8 @@ + return 0; + } + ptr = im->data; +- end = ptr + (sizeof(DATA32) * w * h); + pixels = w * h; ++ end = ptr + pixels; + } + else + {
--- fix-imlib2-1.4.1.000.diff ends here ---
The following VuXML entry should be validated and added:
--- vuln.xml begins here ---
<vuln vid="">
  <topic>imlib2 -- XPM processing buffer overflow vulnerability</topic>
  <affects>
    <package>
      <name>imlib2</name>
      <name>imlib2-nox11</name>
      <range><lt>1.4.1.000_1,2</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Secunia reports:</p>
      <blockquote cite="http://secunia.com/Advisories/32796">
        <p>A vulnerability has been discovered in imlib2, which can be exploited by malicious people to potentially compromise an application using the library.</p>
        <p>The vulnerability is caused due to a pointer arithmetic error within the "load()" function provided by the XPM loader. This can be exploited to cause a heap-based buffer overflow via a specially crafted XPM file.</p>
        <p>Successful exploitation may allow execution of arbitrary code.</p>
        <p>The vulnerability is confirmed in version 1.4.2. Other versions may also be affected.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2008-5187</cvename>
    <url>http://secunia.com/Advisories/32796</url>
    <url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505714#15</url>
    <url>http://bugzilla.enlightenment.org/show_bug.cgi?id=547</url>
  </references>
  <dates>
    <discovery>2008-11-20</discovery>
  </dates>
</vuln>
--- vuln.xml ends here ---
I see that the XPM loader is built and installed even for the nox11 version, so I am including it in the vulnerable port. imlib-1.9.15 seems to be unaffected: it has the code in question, but it does memory manipulations properly.
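Review bot: The PORTREVISION bump from 0 to 1 in the Makefile hunk is the right change for a patch-only fix, and together with PORTEPOCH= 2 it gives package version 1.4.1.000_1,2, which matches the <lt>1.4.1.000_1,2</lt> range in the proposed VuXML entry; keep the two in sync if the revision is bumped again before commit.

Review bot: The loader_xpm.c change inside files/patch-CVE-2008-5187 is correct: ptr is assigned from im->data, an array of DATA32, so `end = ptr + (sizeof(DATA32) * w * h);` advances by sizeof(DATA32) * w * h elements, landing at four times the size of the w * h pixel buffer, while `end = ptr + pixels;` with `pixels = w * h;` puts end exactly one past the last pixel. The "Obtained from:" header is good practice and should stay; since the inner diff uses bare src/... paths, confirm during a test build that it applies at the port's default strip level (-p0). The product w * h itself is computed without any overflow check in the visible lines; that is outside the scope of this CVE, but worth noting if w and h are taken straight from the file.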
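To make the pointer arithmetic error described above concrete, here is an added example (not code from the PR, imlib2 or Debian) that models the removed and the added `end =` lines against a w*h DATA32 buffer and counts how far a "while ptr < end" fill loop would run past it; the fill loop, the buffer sizing and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

typedef uint32_t DATA32;   /* imlib2's pixel type: one 32-bit ARGB value */

/* Pre-patch expression (the removed line). ptr has type DATA32 *, so C
 * scales the added integer by sizeof(DATA32): the sentinel lands
 * sizeof(DATA32) * w * h ELEMENTS after the start, i.e. 4x too far. */
DATA32 *end_buggy(DATA32 *ptr, int w, int h)
{
    return ptr + (sizeof(DATA32) * w * h);
}

/* Patched expression (the added line): one element per pixel. */
DATA32 *end_fixed(DATA32 *ptr, int w, int h)
{
    int pixels = w * h;
    return ptr + pixels;
}

/* Simulate the loader's fill loop ("while ptr < end, write a pixel")
 * against an image that holds exactly w*h pixels and count the writes
 * that would land outside it. Nothing is written. The scratch buffer is
 * allocated with 4x slack (an assumption for this demonstration) only
 * so that forming the buggy end pointer stays inside a valid allocation;
 * the real loader allocates w*h pixels. Returns (size_t)-1 on OOM. */
size_t out_of_bounds_writes(int w, int h, int use_fix)
{
    size_t pixels = (size_t)w * (size_t)h;
    DATA32 *data = malloc(pixels * sizeof(DATA32) * sizeof(DATA32));
    if (data == NULL)
        return (size_t)-1;
    DATA32 *end = use_fix ? end_fixed(data, w, h) : end_buggy(data, w, h);
    size_t oob = 0;
    for (DATA32 *ptr = data; ptr < end; ptr++)
        if ((size_t)(ptr - data) >= pixels)   /* past the real w*h image */
            oob++;
    free(data);
    return oob;
}
```

For a 4x4 image the pre-patch sentinel yields 48 pixel writes beyond the 16-pixel image, the patched one none.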
>Release-Note:
>Audit-Trail:
>Unformatted:
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security