[UNIX] xloadimage Multiple Vulnerabilities (Buffer Overflow, Command Execution)

• Previous message: SecuriTeam: "[EXPL] FreeCiv Server DoS Exploit"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 22 Mar 2005 17:55:15 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  xloadimage Multiple Vulnerabilities (Buffer Overflow, Command Execution)
------------------------------------------------------------------------

SUMMARY

 <http://www.xfree86.org> Xloadimage "displays images in an X11 window,
loads them onto the root window, or writes them into a file".

xloadimage has been found to contain multiple buffer overflows and command
execution vulnerabilities that would allow an attacker to cause the user
to execute arbitrary commands via malformed images.

DETAILS

Vulnerable Systems:
 * xloadimage version 4.0 (also known as xli 1.16) and prior

Immune Systems:
 * xloadimage version 4.1 (also known as xli 1.17)

Multiple Buffer Overflow:
Multiple buffer overflow in xloadimage allow remote attackers to execute
arbitrary code by exploiting "buffer management errors" caused by certain
image properties, some of which may be related to integer overflows in PPM
files.

Under Linux the buffer overflows allow remote attackers to execute
arbitrary code via a FACES format image if they contain a long Firstname
or Lastname field.

All the buffer overflows are caused by lack of boundary checking of
integer values given from the image properties.

Command Execution:
Attackers can execute arbitrary commands by supplying meta-characters in
the filenames used by compressed images, as these are not properly quoted
when they are used in the gunzip command.

Vendor Status:
The problem have been fixed with xloadimage version 4.1 and xli version
1.17.

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0775>
CAN-2001-0775
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0638>
CAN-2005-0638
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0639>
CAN-2005-0639

ADDITIONAL INFORMATION

The information has been provided by <mailto:joey@infodrom.org> Martin
Schulze .

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[EXPL] FreeCiv Server DoS Exploit"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]