imlib2: CVE-2008-2426 buffer overflows in xpm and pnm loader

Related Vulnerabilities: CVE-2008-2426  

Debian Bug report logs - #483816

Package: libimlib2; Maintainer for libimlib2 is Markus Koschany <apo@debian.org>; Source for libimlib2 is src:imlib2.

Reported by: Nico Golde <nion@debian.org>

Date: Sat, 31 May 2008 13:27:02 UTC

Severity: grave

Tags: patch, security

Fixed in version imlib2/1.4.0-1.1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane):
Bug#483816; Package libimlib2.


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to ljlane@debian.org (Laurence J. Lane).


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: imlib2: CVE-2008-2426 buffer overflows in xpm and pnm loader
Date: Sat, 31 May 2008 14:08:25 +0200
Package: libimlib2
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libimlib2.


CVE-2008-2426[0]:
| Secunia Research has discovered two vulnerabilities in imlib2, which
| can be exploited by malicious people to cause a DoS (Denial of
| Service) or compromise an application using the library.
| 
| 1) A boundary error exists within the "load()" function in
| src/modules/loaders/loader_pnm.c when processing the header of a
| PNM image file. This can be exploited to cause a stack-based buffer
| overflow by e.g. tricking a user into opening a specially crafted
| PNM image in an application using the imlib2 library.
| 
| Successful exploitation allows execution of arbitrary code.
| 
| 2) A boundary error exists within the "load()" function in
| src/modules/loader_xpm.c when processing an XPM image file. This can
| be exploited to cause a stack-based buffer overflow by e.g. tricking
| a user into opening a specially crafted XPM image with an application
| using the imlib2 library.

Patches:
https://bugzilla.redhat.com/attachment.cgi?id=307178
https://bugzilla.redhat.com/attachment.cgi?id=307177

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2426
    http://security-tracker.debian.net/tracker/CVE-2008-2426

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
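
The advisory quoted in the message above describes a boundary error while processing the header of a PNM file. The following is an added illustration, not imlib2's code and not the Red Hat patches linked above: a header parser that copies each field into a fixed stack buffer only after checking its length. The names pnm_token, pnm_parse_header, TOK_MAX and DIM_MAX, the in-memory input and the dimension limit are assumptions made for the example.

```c
#include <ctype.h>
#include <stdlib.h>

#define TOK_MAX 16      /* any sane decimal header field plus NUL */
#define DIM_MAX 32767   /* illustrative dimension limit (assumption) */

/* Copy the next whitespace-delimited token into buf, skipping '#' comments.
 * Fails on end of input or when the token does not fit: copying it without
 * the cap check is what lets an over-long field overrun a stack buffer. */
static int pnm_token(const char **p, const char *end, char *buf, size_t cap)
{
    size_t i = 0;

    for (;;) {                            /* skip whitespace and comments */
        while (*p < end && isspace((unsigned char)**p)) ++*p;
        if (*p == end || **p != '#') break;
        while (*p < end && **p != '\n') ++*p;
    }
    for (; *p < end && !isspace((unsigned char)**p); ++*p) {
        if (i + 1 >= cap) return -1;      /* over-long: reject the file */
        buf[i++] = **p;
    }
    buf[i] = '\0';
    return i > 0 ? 0 : -1;
}

/* hdr = { type 1..6, width, height, maxval }; returns 0 only if valid. */
int pnm_parse_header(const char *p, size_t len, int hdr[4])
{
    const char *end = p + len;
    char tok[TOK_MAX], *rest;
    int k, n;

    if (pnm_token(&p, end, tok, sizeof tok) || tok[0] != 'P' ||
        tok[1] < '1' || tok[1] > '6' || tok[2] != '\0')
        return -1;
    hdr[0] = tok[1] - '0';
    hdr[3] = 1;                           /* bitmaps (P1/P4) have no maxval */
    n = (hdr[0] == 1 || hdr[0] == 4) ? 2 : 3;
    for (k = 1; k <= n; k++) {
        long v;
        if (pnm_token(&p, end, tok, sizeof tok)) return -1;
        v = strtol(tok, &rest, 10);
        if (*rest || v < 1 || v > (k < 3 ? DIM_MAX : 65535)) return -1;
        hdr[k] = (int)v;
    }
    return 0;
}
```

A field longer than TOK_MAX - 1 bytes makes the whole header invalid instead of being truncated, so a malformed file is refused before any pixel buffer is sized from it.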


Message #10 received at 483816@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 483816@bugs.debian.org
Subject: intent to NMU
Date: Sat, 31 May 2008 15:44:11 +0200
Hi,
as the maintainer of imlib2 is MIA I'm going to upload a 
0-day NMU.

debdiff attached and archived on:
http://people.debian.org/~nion/nmu-diff/imlib2-1.4.0-1_1.4.0-1.1.patch

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[imlib2-1.4.0-1_1.4.0-1.1.patch (text/x-diff, attachment)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #15 received at 483816-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 483816-close@bugs.debian.org
Subject: Bug#483816: fixed in imlib2 1.4.0-1.1
Date: Sat, 31 May 2008 14:02:02 +0000
Source: imlib2
Source-Version: 1.4.0-1.1

We believe that the bug you reported is fixed in the latest version of
imlib2, which is due to be installed in the Debian FTP archive:

imlib2_1.4.0-1.1.diff.gz
  to pool/main/i/imlib2/imlib2_1.4.0-1.1.diff.gz
imlib2_1.4.0-1.1.dsc
  to pool/main/i/imlib2/imlib2_1.4.0-1.1.dsc
libimlib2-dev_1.4.0-1.1_amd64.deb
  to pool/main/i/imlib2/libimlib2-dev_1.4.0-1.1_amd64.deb
libimlib2_1.4.0-1.1_amd64.deb
  to pool/main/i/imlib2/libimlib2_1.4.0-1.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 483816@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated imlib2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 31 May 2008 14:14:50 +0200
Source: imlib2
Binary: libimlib2 libimlib2-dev
Architecture: source amd64
Version: 1.4.0-1.1
Distribution: unstable
Urgency: high
Maintainer: Laurence J. Lane <ljlane@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 libimlib2  - powerful image loading and rendering library
 libimlib2-dev - Imlib2 development files
Closes: 483816
Changes: 
 imlib2 (1.4.0-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix stack-based buffer overflow in pnm and xpm image loader modules
     leading to arbitrary code execution (CVE-2008-2426; Closes: #483816).


Message #20 received at 483816@bugs.debian.org:

From: "Laurence J. Lane" <ljlane@ljlane.net>
To: "Nico Golde" <nion@debian.org>, 483816@bugs.debian.org
Subject: Re: Bug#483816: intent to NMU
Date: Sat, 31 May 2008 22:01:40 -0400
On Sat, May 31, 2008 at 9:44 AM, Nico Golde <nion@debian.org> wrote:

> as the maintainer of imlib2 is MIA I'm going to upload a
> 0-day NMU.

Thanks for the NMU, but the 12 hour stretch from your initial report
until the NMU is quite far from stating someone is MIA.






Message #25 received at 483816@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: "Laurence J. Lane" <ljlane@ljlane.net>
Cc: 483816@bugs.debian.org
Subject: Re: Bug#483816: intent to NMU
Date: Sun, 1 Jun 2008 11:33:53 +0200
Hi Laurence,
* Laurence J. Lane <ljlane@ljlane.net> [2008-06-01 04:00]:
> On Sat, May 31, 2008 at 9:44 AM, Nico Golde <nion@debian.org> wrote:
> > as the maintainer of imlib2 is MIA I'm going to upload a
> > 0-day NMU.
> 
> Thanks for the NMU, but the 12 hour stretch from your initial report
> until the NMU is quite far from stating someone is MIA.

X-MIA: Status is busy for 593d (was mailed until 565d ago); Prod-level is nice for 586d
    2006-08-14: nice; eterm, enlightenment and iptables in bad shape
    2006-10-16: uploaded iptables and eterm ; heso wants to hijack enlightenment  {parse error}
    2006-10-23: nice ; started cleaning up bugs for eterm
    2006-11-21: -; the iptables backporter wonders about non-documented changes {from waja@cyconet.org}

That's not far from stating you are MIA. Contact the MIA team to update this then.
Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.


Message #30 received at 483816@bugs.debian.org:

From: Luk Claes <luk@debian.org>
To: Nico Golde <nion@debian.org>, 483816@bugs.debian.org
Cc: "Laurence J. Lane" <ljlane@ljlane.net>
Subject: Re: Bug#483816: intent to NMU
Date: Sun, 01 Jun 2008 15:53:28 +0200
Nico Golde wrote:
> Hi Laurence,
> * Laurence J. Lane <ljlane@ljlane.net> [2008-06-01 04:00]:
>> On Sat, May 31, 2008 at 9:44 AM, Nico Golde <nion@debian.org> wrote:
>>> as the maintainer of imlib2 is MIA I'm going to upload a
>>> 0-day NMU.
>> Thanks for the NMU, but the 12 hour stretch from your initial report
>> until the NMU is quite far from stating someone is MIA.
> 
[private: snipped]
> 
> That's not far from stating you are MIA. Contact the MIA team to update this then.

Hmm, it is *far* from stating that he is MIA. As you can see there is
only a nice message sent twice which means it's only the very first
stage which only means some people were concerned...

There are at least 2 extra stages (inactive, unresponsive), normally
even 3 (prod before inactive) before someone is declared MIA...

This is all explained in the README file, though if you don't want to
look into the details it's probably better to ask the MIA Team before
jumping to conclusions.

You could also see that the information you are referring to is from
2006 and no action has been done on 2007 which means there was no real
concern in 2007 anymore.

Cheers

Luk

PS: The MIA information is supposed to be private and shouldn't be
copied to this bug report...






Message #35 received at 483816@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Luk Claes <luk@debian.org>
Cc: 483816@bugs.debian.org, "Laurence J. Lane" <ljlane@ljlane.net>
Subject: Re: Bug#483816: intent to NMU
Date: Sun, 1 Jun 2008 16:05:27 +0200
Hi Luk,
* Luk Claes <luk@debian.org> [2008-06-01 15:56]:
> Nico Golde wrote:
> > * Laurence J. Lane <ljlane@ljlane.net> [2008-06-01 04:00]:
> >> On Sat, May 31, 2008 at 9:44 AM, Nico Golde <nion@debian.org> wrote:
> >>> as the maintainer of imlib2 is MIA I'm going to upload a
> >>> 0-day NMU.
> >> Thanks for the NMU, but the 12 hour stretch from your initial report
> >> until the NMU is quite far from stating someone is MIA.
> > 
> [private: snipped]
> > 
> > That's not far from stating you are MIA. Contact the MIA team to update this then.
> 
> Hmm, it is *far* from stating that he is MIA. As you can see there is
> only a nice message sent twice which means it's only the very first
> stage which only means some people were concerned...

Which should be enough to justify a security upload without 
waiting for further maintainer action in my opinion.

> There are at least 2 extra stages (inactive, unresponsive), normally
> even 3 (prod before inactive) before someone is declared MIA...
> 
> This is all explained in the README file, though if you don't want to
> look into the details it's probably better to ask the MIA Team before
> jumping to conclusions.

Thanks and sorry for my conclusion about his status. I 
didn't even know about that README file. Maybe the section 
in the developers reference stating "If you are interested 
in working in the MIA team, please have a look at the README 
file" should be adapted to reflect that everyone dealing 
with MIA information should read that.

> You could also see that the information you are referring to is from
> 2006 and no action has been done on 2007 which means there was no real
> concern in 2007 anymore.

This irritates me, don't you add some kind of "OK again" 
message to this?

> PS: The MIA information is supposed to be private and shouldn't be
> copied to this bug report...

As my post hardly included any sensitive data I didn't see a 
problem with that. Anyway, won't happen again...
Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.


Message #40 received at 483816@bugs.debian.org:

From: "Laurence J. Lane" <ljlane@ljlane.net>
To: "Nico Golde" <nion@debian.org>, 483816@bugs.debian.org
Subject: Re: Bug#483816: intent to NMU
Date: Sun, 1 Jun 2008 17:00:59 -0400
On Sun, Jun 1, 2008 at 10:05 AM, Nico Golde <nion@debian.org> wrote:

> Which should be enough to justify a security upload without
> waiting for further maintainer action in my opinion.

For the record, I believe the fact that it is a security bug
(especially one complemented with a CVE) is justification for a NMU
by the security team. I believe there's some way for maintainers to
voluntarily mark packages as such, but it should be the default.
That's just my opinion, of course.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Jul 2008 07:26:56 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:42:26 2019; Machine Name: buxtehude
