[UNIX] xloadimage Multiple Vulnerabilities (Buffer Overflow, Command Execution)

From: SecuriTeam (support_at_securiteam.com)
Date: 03/22/05

  • Next message: SecuriTeam: "[EXPL] phpBB UID Exploit (Perl Exploit 2)" 
    To: list@securiteam.com
Date: 22 Mar 2005 17:55:15 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      xloadimage Multiple Vulnerabilities (Buffer Overflow, Command Execution)
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.xfree86.org> Xloadimage "displays images in an X11 window,
    loads them onto the root window, or writes them into a file".

    xloadimage has been found to contain multiple buffer overflows and command
    execution vulnerabilities that would allow an attacker to cause the user
    to execute arbitrary commands via malformed images.

    DETAILS

    Vulnerable Systems:
     * xloadimage version 4.0 (also known as xli 1.16) and prior

    Immune Systems:
     * xloadimage version 4.1 (also known as xli 1.17)

    Multiple Buffer Overflow:
    Multiple buffer overflow in xloadimage allow remote attackers to execute
    arbitrary code by exploiting "buffer management errors" caused by certain
    image properties, some of which may be related to integer overflows in PPM
    files.

    Under Linux the buffer overflows allow remote attackers to execute
    arbitrary code via a FACES format image if they contain a long Firstname
    or Lastname field.

    All the buffer overflows are caused by lack of boundary checking of
    integer values given from the image properties.

    Command Execution:
    Attackers can execute arbitrary commands by supplying meta-characters in
    the filenames used by compressed images, as these are not properly quoted
    when they are used in the gunzip command.

    Vendor Status:
    The problem have been fixed with xloadimage version 4.1 and xli version
    1.17.

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0775>
    CAN-2001-0775
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0638>
    CAN-2005-0638
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0639>
    CAN-2005-0639

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:joey@infodrom.org> Martin
    Schulze .

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[EXPL] phpBB UID Exploit (Perl Exploit 2)"

    Relevant Pages