SecurityTracker.com
Category:   Application (Generic)  >   Imlib
Vendors:   [Multiple Authors/Vendors]
imlib _LoadBMP() Function Endless Loop Lets Remote Users Deny Service
SecurityTracker Alert ID:  1018332
SecurityTracker URL:  http://securitytracker.com/id/1018332
CVE Reference:   CVE-2007-3568   (Links to External Site)
Updated:  May 6 2008
Original Entry Date:  Jul 3 2007
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 1.9.15 and prior versions
Description:   A vulnerability was reported in imlib. A remote user can cause denial of service conditions.

A remote user can create a specially crafted BMP file that, when loaded by the target user, will cause the _LoadBMP() function to enter an endless loop.

This vulnerability was discovered using Beyond Security's beSTORM BMP file fuzzer, available at:

http://www.beyondsecurity.com/bestorm_overview.html

Impact:   A remote user can create a file that, when loaded by the target user, will cause denial of service conditions.
Solution:   No solution was available at the time of this entry.
Cause:   State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  [UNIX] ImLib _LoadBMP Endless Loop (BPP, biBitCount)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



  ImLib _LoadBMP Endless Loop (BPP, biBitCount)
------------------------------------------------------------------------


SUMMARY

Imlib is "an advanced replacement library for libraries like libXpm that 
provides many more features with much greater flexibility and speed. It 
was originally written for E, now used by the GNOME Project". ImLib's 
_LoadBMP function contains a security vulnerability that allows attackers 
to cause the function to enter into an endless loop by providing the 
function with a malformed BMP file.

DETAILS

Vulnerable Systems:
 * imlib version 1.9.15 and prior

The _LoadBMP function reads from the BMP file the value of BPP (Bits Per 
Page) and uses that value to know how many bits need to be read at each 
step of its main file processing loop. The value 0x0000 (zero), which is 
invalid, is not properly detected by the line responsible:

  if (bpp != 1 && bpp != 4 && bpp != 8 && bpp && 16 && bpp != 24 && bpp != 32)
    {
      fprintf(stderr, "IMLIB ERROR: unknown bitdepth in file\n");
      return NULL;
    }

The condition incorrectly contains && bpp &&, which it probably should not 
have referenced at all. When bpp is 0x0000 that term is false, so the whole 
condition is false and the invalid value passes the check.

Since the bpp value of 0x0000 is used, the loop:

  for (line = (*h - 1); line >= 0; line--)
    {
      linepos = 0;
      for (column = 0; column < *w;)
        {

will never advance, as no case inside the loop matches the bpp value of 
0x0000.

Workaround:
Remove the && bpp && from the if statement found at line 648.
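
The effect of the quoted condition on a zero bit depth, next to an allowlist check, as an added example that is not imlib's code. The function names, the 30-byte constructed header and the choice of accepted depths are assumptions of this example; the biBitCount offset of 28 comes from the BMP format, not from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The condition quoted in the advisory; returns 1 when the file is rejected. */
static int flawed_rejects(unsigned bpp)
{
    return (bpp != 1 && bpp != 4 && bpp != 8 && bpp && 16 &&
            bpp != 24 && bpp != 32);
}

/* Allowlist form (assumption of this example): zero is no longer accepted. */
static int strict_rejects(unsigned bpp)
{
    switch (bpp) {
    case 1: case 4: case 8: case 24: case 32:
        return 0;
    default:
        return 1;
    }
}

/* biBitCount is a little-endian 16-bit field at file offset 28. */
static int read_bibitcount(const uint8_t *buf, size_t len, unsigned *bpp)
{
    if (len < 30 || buf[0] != 'B' || buf[1] != 'M')
        return -1;
    *bpp = (unsigned)buf[28] | ((unsigned)buf[29] << 8);
    return 0;
}

/* Builds a constructed header; returns 1 if the check lets it reach the loop. */
static int accepts_depth(uint16_t depth, int (*rejects)(unsigned))
{
    uint8_t hdr[30] = { 'B', 'M' };
    unsigned bpp;
    hdr[28] = (uint8_t)(depth & 0xff);
    hdr[29] = (uint8_t)(depth >> 8);
    return read_bibitcount(hdr, sizeof hdr, &bpp) == 0 && !rejects(bpp);
}

int main(void)
{
    printf("biBitCount=0:  flawed accepts=%d, allowlist accepts=%d\n",
           accepts_depth(0, flawed_rejects), accepts_depth(0, strict_rejects));
    printf("biBitCount=24: flawed accepts=%d, allowlist accepts=%d\n",
           accepts_depth(24, flawed_rejects), accepts_depth(24, strict_rejects));
    return 0;
}
```
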

Vendor status:
We have tried to contact the security person responsible for the package 
in Debian, but they haven't addressed it. We have sent an email to the 
author of imlib on 2007-07-03 but the product appears to be no longer 
maintained by the author as the last release was released on 2004-09-24.

Recreate:
You can recreate the issue by using beSTORM's BMP file fuzzer available 
from: http://www.beyondsecurity.com/bestorm_overview.html


ADDITIONAL INFORMATION

The information has been provided by beSTORM.
The original article can be found at: 
http://www.beyondsecurity.com/bestorm_overview.html


