Debians sikkerhedsbulletin

DSA-628-1 imlib2 -- heltalsoverløb

Rapporteret den:

6. jan 2005

Berørte pakker:

imlib2

Sårbar:

Referencer i sikkerhedsdatabaser:

I Mitres CVE-ordbog: CVE-2004-1026, CVE-2004-1025.

Yderligere oplysninger:

Pavel Kankovsky har opdaget at flere overløb der blev fundet i biblioteket libXpm også fandtas i imlib og imlib2, der er billedbehandlingsbiblioteker til X11. En angriber kunne med omhu fremstille en billedfil på en sådan måde, at den fik et program der var linket med imlib eller imlib2 til at udføre vilkårlig kode når filen blev åbnet af et offer. Projektet Common Vulnerabilities and Exposures har fundet frem til følende problemer:

CAN-2004-1025
Flere heap-baserede bufferoverløb. Denne kode findes ikke i imlib2.
CAN-2004-1026
Flere heltalsoverløb biblioteket imlib.

I den stabile distribution (woody) er disse problemer rettet i version 1.0.5-2woody2.

I den ustabile distribution (sid) vil disse problemer snart blive rettet.

Vi anbefaler at du opgraderer dine imlib2-pakker.

Rettet i:

Debian GNU/Linux 3.0 (woody)

Kildekode:: http://security.debian.org/pool/updates/main/i/imlib2/imlib2_1.0.5-2woody2.dsc; http://security.debian.org/pool/updates/main/i/imlib2/imlib2_1.0.5-2woody2.diff.gz; http://security.debian.org/pool/updates/main/i/imlib2/imlib2_1.0.5.orig.tar.gz
Alpha:: http://security.debian.org/pool/updates/main/i/imlib2/libimlib2_1.0.5-2woody2_alpha.deb; http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_alpha.deb
ARM:: http://security.debian.org/pool/updates/main/i/imlib2/libimlib2_1.0.5-2woody2_arm.deb; http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/i/imlib2/libimlib2_1.0.5-2woody2_i386.deb; http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/i/imlib2/libimlib2_1.0.5-2woody2_ia64.deb; http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_ia64.deb
HPPA:: http://security.debian.org/pool/updates/main/i/imlib2/libimlib2_1.0.5-2woody2_hppa.deb; http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_hppa.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/i/imlib2/libimlib2_1.0.5-2woody2_m68k.deb; http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_m68k.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/i/imlib2/libimlib2_1.0.5-2woody2_mips.deb; http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/i/imlib2/libimlib2_1.0.5-2woody2_mipsel.deb; http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/i/imlib2/libimlib2_1.0.5-2woody2_powerpc.deb; http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/i/imlib2/libimlib2_1.0.5-2woody2_s390.deb; http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/i/imlib2/libimlib2_1.0.5-2woody2_sparc.deb; http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.0.5-2woody2_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.