Bugtraq mailing list archives
[ GLSA 200503-05 ] xli, xloadimage: Multiple vulnerabilities
From: Thierry Carrez <koon () gentoo org>
Date: Wed, 02 Mar 2005 19:58:16 +0100
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200503-05 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: xli, xloadimage: Multiple vulnerabilities Date: March 02, 2005 Bugs: #79762 ID: 200503-05 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== xli and xloadimage are vulnerable to multiple issues, potentially leading to the execution of arbitrary code. Background ========== xli and xloadimage are X11 utilities for displaying and manipulating a wide range of image formats. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 media-gfx/xloadimage < 4.1-r2 >= 4.1-r2 2 media-gfx/xli < 1.17.0-r1 >= 1.17.0-r1 ------------------------------------------------------------------- 2 affected packages on all of their supported architectures. ------------------------------------------------------------------- Description =========== Tavis Ormandy of the Gentoo Linux Security Audit Team has reported that xli and xloadimage contain a flaw in the handling of compressed images, where shell meta-characters are not adequately escaped. Rob Holland of the Gentoo Linux Security Audit Team has reported that an xloadimage vulnerability in the handling of Faces Project images discovered by zen-parse in 2001 remained unpatched in xli. Additionally, it has been reported that insufficient validation of image properties in xli could potentially result in buffer management errors. Impact ====== Successful exploitation would permit a remote attacker to execute arbitrary shell commands, or arbitrary code with the privileges of the xloadimage or xli user. Workaround ========== There is no known workaround at this time. Resolution ========== All xli users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=media-gfx/xli-1.17.0-r1" All xloadimage users should also upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=media-gfx/xloadimage-4.1-r2" References ========== [ 1 ] CAN-2001-0775 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0775 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200503-05.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security () gentoo org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.0
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- [ GLSA 200503-05 ] xli, xloadimage: Multiple vulnerabilities Thierry Carrez (Mar 02)