SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   libXpm Vendors:   X.org
(Mandrake Issues Fix) libXpm Integer and Stack Overflows May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1012087
SecurityTracker URL:  http://securitytracker.com/id/1012087
CVE Reference:   CVE-2004-0687, CVE-2004-0688   (Links to External Site)
Date:  Nov 5 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): X11 R6.8.0
Description:   Some vulnerabilities were reported in libXpm. A remote user may be able to execute arbitrary code on applications that use libXpm.

The vendor reported that there are some integer overflows [CVE: CVE-2004-0687] and stack overflows [CVE: CVE-2004-0688] in the libXpm X Pixmap library, shipped as part of the X Window System.

A stack overflow is reported in xpmParseColors() in 'parse.c' that can be triggered by a specially crafted XPMv1 and XPMv2/3 file. A demonstration exploit file is available at:

http://scary.beasts.org/misc/doom.xpm

A stack overflow is reported in the reading of pixel values in the ParseAndPutPixels() function in 'create.c' and in the ParsePixels() function in 'parse.c'. A demonstration exploit file is available at:

http://scary.beasts.org/misc/doom2.xpm

An integer overflow is reported in the colorTable allocation in xpmParseColors() in 'parse.c'. The XpmCreateImageFromXpmImage, CreateXImage, ParsePixels, ParseAndPutPixels, and ParsePixels are affected.

The vendor credits Chris Evans with reporting these flaws. The advisory from Chris Evans is available at:

http://scary.beasts.org/security/CESA-2004-003.txt

Impact:   A remote user can create a specially crafted image file that, when processed by an application using libXpm, will execute arbitrary code on the target system with the privileges of the target application.
Solution:   Mandrake has released a fix.

Mandrakelinux 10.1:
2b93b8d548197a3e010e9fbc2ea71149 10.1/RPMS/libxorg-x11-6.7.0-4.1.101mdk.i586.rpm
1bc9665c6452c49fa46042c0caea4173 10.1/RPMS/libxorg-x11-devel-6.7.0-4.1.101mdk.i586.rpm
d4205cb6049e1c9a17e4adde46cd0b1e 10.1/RPMS/libxorg-x11-static-devel-6.7.0-4.1.101mdk.i586.rpm
cdd0a0208665969678a582ff0510fb30 10.1/RPMS/xorg-x11-100dpi-fonts-6.7.0-4.1.101mdk.i586.rpm
3ed132c742ae85b758bca6ae8946697f 10.1/RPMS/xorg-x11-6.7.0-4.1.101mdk.i586.rpm
8e0d431d39cd23c7a7170ac85d942085 10.1/RPMS/xorg-x11-75dpi-fonts-6.7.0-4.1.101mdk.i586.rpm
9e4de7087526cfab9064338f68b414c2 10.1/RPMS/xorg-x11-Xnest-6.7.0-4.1.101mdk.i586.rpm
16f55b7a396c448330a6da14267bc36d 10.1/RPMS/xorg-x11-Xvfb-6.7.0-4.1.101mdk.i586.rpm
c2cadaa5f12809921e0fcef07f23a09c 10.1/RPMS/xorg-x11-cyrillic-fonts-6.7.0-4.1.101mdk.i586.rpm
5413e8cf30c44fc0b3f19edddfbf36cc 10.1/RPMS/xorg-x11-doc-6.7.0-4.1.101mdk.i586.rpm
a48ea891496e7dd9e90b75b8533bf644 10.1/RPMS/xorg-x11-glide-module-6.7.0-4.1.101mdk.i586.rpm
2e856c46d93eb4a8c61cc113848b9f13 10.1/RPMS/xorg-x11-server-6.7.0-4.1.101mdk.i586.rpm
16377a6df0cbd7b70bf8425a92be4fb5 10.1/RPMS/xorg-x11-xfs-6.7.0-4.1.101mdk.i586.rpm
b830086d5c85c3297b90e2319fe4d663 10.1/SRPMS/xorg-x11-6.7.0-4.1.101mdk.src.rpm

Mandrakelinux 10.1/X86_64:
91bdf41a37091ef6c5db0f8f983373ca x86_64/10.1/RPMS/lib64xorg-x11-6.7.0-4.1.101mdk.x86_64.rpm
ce79ba874bbf696d3652cc59379e4751 x86_64/10.1/RPMS/lib64xorg-x11-devel-6.7.0-4.1.101mdk.x86_64.rpm
df055cecac43947a1c87f894d27aedf7 x86_64/10.1/RPMS/lib64xorg-x11-static-devel-6.7.0-4.1.101mdk.x86_64.rpm
fab3bb69bd7b40d4f6af1107d9b613af x86_64/10.1/RPMS/xorg-x11-100dpi-fonts-6.7.0-4.1.101mdk.x86_64.rpm
7926b68ab6a146d2ac07bad0c03b9be5 x86_64/10.1/RPMS/xorg-x11-6.7.0-4.1.101mdk.x86_64.rpm
1d1661463b9085ebf16880e46378498e x86_64/10.1/RPMS/xorg-x11-75dpi-fonts-6.7.0-4.1.101mdk.x86_64.rpm
c358625db3dbd9b19b1e6d074e64b4e4 x86_64/10.1/RPMS/xorg-x11-Xnest-6.7.0-4.1.101mdk.x86_64.rpm
15c2eb87dde073bb0f367c1c45e3dd6d x86_64/10.1/RPMS/xorg-x11-Xvfb-6.7.0-4.1.101mdk.x86_64.rpm
1a598408d5bfacabdf1683d0ea0fcef9 x86_64/10.1/RPMS/xorg-x11-cyrillic-fonts-6.7.0-4.1.101mdk.x86_64.rpm
1a0706ff7c8fcb28c8b168acd5582118 x86_64/10.1/RPMS/xorg-x11-doc-6.7.0-4.1.101mdk.x86_64.rpm
264081cd33c2da5c039c06389af32fbf x86_64/10.1/RPMS/xorg-x11-server-6.7.0-4.1.101mdk.x86_64.rpm
b383016c7b278de82bcb4471b6132d58 x86_64/10.1/RPMS/xorg-x11-xfs-6.7.0-4.1.101mdk.x86_64.rpm
b830086d5c85c3297b90e2319fe4d663 x86_64/10.1/SRPMS/xorg-x11-6.7.0-4.1.101mdk.src.rpm

Vendor URL:  www.x.org/pub/X11R6.8.0/patches/README.xorg-CVE-2004-0687-0688.patch (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Mandriva/Mandrake)
Underlying OS Comments:  10.1

Message History:   This archive entry is a follow-up to the message listed below.
Sep 16 2004 libXpm Integer and Stack Overflows May Let Remote Users Execute Arbitrary Code



 Source Message Contents

Subject:  [Security Announce] MDKSA-2004:124 - Updated xorg-x11 packages


This is a multi-part message in MIME format...

------------=_1099604193-1263-2558

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                 Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name:           xorg-x11
 Advisory ID:            MDKSA-2004:124
 Date:                   November 4th, 2004

 Affected versions:	 10.1
 ______________________________________________________________________

 Problem Description:

 Chris Evans found several stack and integer overflows in the libXpm code 
 of X.Org/XFree86:
 
 Stack overflows (CAN-2004-0687):
 
 Careless use of strcat() in both the XPMv1 and XPMv2/3 xpmParseColors code 
 leads to a stack based overflow (parse.c).
 
 Stack overflow reading pixel values in ParseAndPutPixels (create.c) as
 well as ParsePixels (parse.c).
 
 Integer Overflows (CAN-2004-0688):
 
 Integer overflow allocating colorTable in xpmParseColors (parse.c) -
 probably a crashable but not exploitable offence.
 
 Additionally, the xorg-x11 packages have been patched with a backport from
 cvs to resolve a failure running the lsb-test-vsw4 test suite, which will 
 soon be required for LSB2.0 compliance.
 
 The updated packages have patches from Chris Evans and Matthieu Herrb
 to address these vulnerabilities.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0687
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0688
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.1:
 2b93b8d548197a3e010e9fbc2ea71149  10.1/RPMS/libxorg-x11-6.7.0-4.1.101mdk.i586.rpm
 1bc9665c6452c49fa46042c0caea4173  10.1/RPMS/libxorg-x11-devel-6.7.0-4.1.101mdk.i586.rpm
 d4205cb6049e1c9a17e4adde46cd0b1e  10.1/RPMS/libxorg-x11-static-devel-6.7.0-4.1.101mdk.i586.rpm
 cdd0a0208665969678a582ff0510fb30  10.1/RPMS/xorg-x11-100dpi-fonts-6.7.0-4.1.101mdk.i586.rpm
 3ed132c742ae85b758bca6ae8946697f  10.1/RPMS/xorg-x11-6.7.0-4.1.101mdk.i586.rpm
 8e0d431d39cd23c7a7170ac85d942085  10.1/RPMS/xorg-x11-75dpi-fonts-6.7.0-4.1.101mdk.i586.rpm
 9e4de7087526cfab9064338f68b414c2  10.1/RPMS/xorg-x11-Xnest-6.7.0-4.1.101mdk.i586.rpm
 16f55b7a396c448330a6da14267bc36d  10.1/RPMS/xorg-x11-Xvfb-6.7.0-4.1.101mdk.i586.rpm
 c2cadaa5f12809921e0fcef07f23a09c  10.1/RPMS/xorg-x11-cyrillic-fonts-6.7.0-4.1.101mdk.i586.rpm
 5413e8cf30c44fc0b3f19edddfbf36cc  10.1/RPMS/xorg-x11-doc-6.7.0-4.1.101mdk.i586.rpm
 a48ea891496e7dd9e90b75b8533bf644  10.1/RPMS/xorg-x11-glide-module-6.7.0-4.1.101mdk.i586.rpm
 2e856c46d93eb4a8c61cc113848b9f13  10.1/RPMS/xorg-x11-server-6.7.0-4.1.101mdk.i586.rpm
 16377a6df0cbd7b70bf8425a92be4fb5  10.1/RPMS/xorg-x11-xfs-6.7.0-4.1.101mdk.i586.rpm
 b830086d5c85c3297b90e2319fe4d663  10.1/SRPMS/xorg-x11-6.7.0-4.1.101mdk.src.rpm

 Mandrakelinux 10.1/X86_64:
 91bdf41a37091ef6c5db0f8f983373ca  x86_64/10.1/RPMS/lib64xorg-x11-6.7.0-4.1.101mdk.x86_64.rpm
 ce79ba874bbf696d3652cc59379e4751  x86_64/10.1/RPMS/lib64xorg-x11-devel-6.7.0-4.1.101mdk.x86_64.rpm
 df055cecac43947a1c87f894d27aedf7  x86_64/10.1/RPMS/lib64xorg-x11-static-devel-6.7.0-4.1.101mdk.x86_64.rpm
 fab3bb69bd7b40d4f6af1107d9b613af  x86_64/10.1/RPMS/xorg-x11-100dpi-fonts-6.7.0-4.1.101mdk.x86_64.rpm
 7926b68ab6a146d2ac07bad0c03b9be5  x86_64/10.1/RPMS/xorg-x11-6.7.0-4.1.101mdk.x86_64.rpm
 1d1661463b9085ebf16880e46378498e  x86_64/10.1/RPMS/xorg-x11-75dpi-fonts-6.7.0-4.1.101mdk.x86_64.rpm
 c358625db3dbd9b19b1e6d074e64b4e4  x86_64/10.1/RPMS/xorg-x11-Xnest-6.7.0-4.1.101mdk.x86_64.rpm
 15c2eb87dde073bb0f367c1c45e3dd6d  x86_64/10.1/RPMS/xorg-x11-Xvfb-6.7.0-4.1.101mdk.x86_64.rpm
 1a598408d5bfacabdf1683d0ea0fcef9  x86_64/10.1/RPMS/xorg-x11-cyrillic-fonts-6.7.0-4.1.101mdk.x86_64.rpm
 1a0706ff7c8fcb28c8b168acd5582118  x86_64/10.1/RPMS/xorg-x11-doc-6.7.0-4.1.101mdk.x86_64.rpm
 264081cd33c2da5c039c06389af32fbf  x86_64/10.1/RPMS/xorg-x11-server-6.7.0-4.1.101mdk.x86_64.rpm
 b383016c7b278de82bcb4471b6132d58  x86_64/10.1/RPMS/xorg-x11-xfs-6.7.0-4.1.101mdk.x86_64.rpm
 b830086d5c85c3297b90e2319fe4d663  x86_64/10.1/SRPMS/xorg-x11-6.7.0-4.1.101mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandrakesoft for security.  You can obtain
 the GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesoft.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBip5OmqjQ0CJFipgRAooCAJ45YPz22l3dVzmFcp8aTsgcuS2d7wCeO+cj
DgxxGK1Ooly8NiZ1134ye1E=
=/XdX
-----END PGP SIGNATURE-----


------------=_1099604193-1263-2558
Content-Type: text/plain; name="message.footer"
Content-Disposition: inline; filename="message.footer"
Content-Transfer-Encoding: 8bit

____________________________________________________
Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com
Join the Club : http://www.mandrakeclub.com
____________________________________________________

------------=_1099604193-1263-2558--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC