Multiple stack overflow vulnerabilities in the imlib2 library

Vulnerability ID: 1186671
Vulnerability type: Buffer overflow
Published: 2008-05-29
Updated: 2008-12-30
CVE ID: CVE-2008-2426
CNNVD-ID: CNNVD-200806-023
Platform: N/A
CVSS score: 9.3
|Vulnerability source
https://www.securityfocus.com/bid/29417
https://cxsecurity.com/issue/WLB-2008060081
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200806-023
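|Vulnerability details
imlib2 is a general-purpose image loading and rendering library. The load() function in src/modules/loaders/loader_pnm.c of the imlib2 library has a stack overflow when processing the header of a PNM image file, and the load() function in src/modules/loader_xpm.c has a stack overflow when processing an XPM image file. If a user is tricked into opening a specially crafted image file with an application that uses the imlib2 library, these overflows may be triggered, leading to execution of arbitrary instructions.
|Vulnerability EXP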
======================================================================

Secunia Research 29/05/2008

- imlib2 PNM and XPM Buffer Overflows -

====================================================================== 
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

====================================================================== 
1) Affected Software

* imlib2 1.4.0

NOTE: Other versions may also be affected.

====================================================================== 
2) Severity

Rating: Highly critical
Impact: System access
Where:  Remote

====================================================================== 
3) Vendor's Description of Software

"Imlib 2 is the successor to Imlib. It is NOT a newer version -- it
is a completely new library. Imlib 2 can be installed alongside
Imlib 1.x without any problems since they are effectively different
libraries which have very similar functionality."

Product Link:
http://enlightenment.org

====================================================================== 
4) Description of Vulnerability

Secunia Research has discovered two vulnerabilities in imlib2, which
can be exploited by malicious people to cause a DoS (Denial of
Service) or compromise an application using the library.

1) A boundary error exists within the "load()" function in
src/modules/loaders/loader_pnm.c when processing the header of a
PNM image file. This can be exploited to cause a stack-based buffer
overflow by e.g. tricking a user into opening a specially crafted
PNM image in an application using the imlib2 library.

Successful exploitation allows execution of arbitrary code.

2) A boundary error exists within the "load()" function in
src/modules/loader_xpm.c when processing an XPM image file. This can
be exploited to cause a stack-based buffer overflow by e.g. tricking
a user into opening a specially crafted XPM image with an application
using the imlib2 library.

Successful exploitation may allow execution of arbitrary code.

====================================================================== 
5) Solution

Fixed in the CVS repository.

====================================================================== 
6) Time Table

27/05/2008 - Vendor notified.
27/05/2008 - Vendor response.
29/05/2008 - Public disclosure.

====================================================================== 
7) Credits

Discovered by Stefan Cornelius, Secunia Research.

====================================================================== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2008-2426 for these vulnerabilities.

====================================================================== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://corporate.secunia.com/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://corporate.secunia.com/secunia_research/33/

Secunia regularly hires new skilled team members. Check the URL below 
to see currently vacant positions:

http://secunia.com/secunia_vacancies/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

====================================================================== 
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2008-25/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================
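
The advisory does not show the affected code. As an added illustration (not imlib2's code and not from Secunia), this is a PNM header reader of the kind item 1 concerns, written with the destination-size check whose absence produces a stack-based overflow. The function names, TOK_MAX and the 65535 limit are assumptions, and the sample header is constructed.

```c
#include <ctype.h>
#include <stdlib.h>

#define TOK_MAX 16 /* assumed cap; no valid header field is longer */

/* Copy the next whitespace-delimited token into out[outsz], skipping '#'
 * comments. Returns 0, or -1 on end of data or an over-long token. */
static int pnm_token(const unsigned char *d, size_t len, size_t *pos,
                     char *out, size_t outsz)
{
    size_t n = 0;
    while (*pos < len && (isspace(d[*pos]) || d[*pos] == '#')) {
        if (d[*pos] != '#') { (*pos)++; continue; }
        while (*pos < len && d[*pos] != '\n') (*pos)++; /* comment to EOL */
    }
    while (*pos < len && !isspace(d[*pos])) {
        if (n + 1 >= outsz) return -1;  /* bound check: never write past out */
        out[n++] = (char)d[(*pos)++];
    }
    out[n] = '\0';
    return n ? 0 : -1;
}

/* Parse magic P1..P6, width, height, maxval; 0 on success, -1 if malformed. */
int pnm_parse_header(const unsigned char *d, size_t len,
                     long *w, long *h, long *maxval)
{
    char tok[TOK_MAX], *end;
    size_t pos = 0;
    long *field[3] = { w, h, maxval };
    int i, nfields;
    if (pnm_token(d, len, &pos, tok, sizeof tok) != 0) return -1;
    if (tok[0] != 'P' || tok[1] < '1' || tok[1] > '6' || tok[2]) return -1;
    nfields = (tok[1] == '1' || tok[1] == '4') ? 2 : 3; /* bitmaps: no maxval */
    *maxval = 1;
    for (i = 0; i < nfields; i++) {
        if (pnm_token(d, len, &pos, tok, sizeof tok) != 0) return -1;
        *field[i] = strtol(tok, &end, 10);
        if (*end || *field[i] <= 0 || *field[i] > 65535) return -1; /* assumed limit */
    }
    return 0;
}

int main(void)
{
    const unsigned char hdr[] = "P6\n# constructed sample\n4 3\n255\n";
    long w, h, m;
    return pnm_parse_header(hdr, sizeof hdr - 1, &w, &h, &m) ? 1 : 0;
}
```

A header field longer than the token buffer is rejected as malformed instead of being copied, so the parse fails closed before any pixel data is touched.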
|Affected products
Ubuntu Ubuntu Linux 8.10 sparc Ubuntu Ubuntu Linux 8.10 powerpc Ubuntu Ubuntu Linux 8.10 lpia Ubuntu Ubuntu Linux 8.10 i386 Ubuntu Ubuntu Linux 8.10 amd64 Ubuntu Ubuntu L
|References

Source: FEDORA
Name: FEDORA-2008-4950
Link: https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00113.html
Source: FEDORA
Name: FEDORA-2008-4871
Link: https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00052.html
Source: FEDORA
Name: FEDORA-2008-4842
Link: https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00030.html
Source: XF
Name: imlib2-pnm-xpm-bo(42732)
Link: http://xforce.iss.net/xforce/xfdb/42732
Source: UBUNTU
Name: USN-697-1
Link: http://www.ubuntu.com/usn/USN-697-1
Source: BID
Name: 29417
Link: http://www.securityfocus.com/bid/29417
Source: BUGTRAQ
Name: 20080529 Secunia Research: imlib2 PNM and XPM Buffer Overflow
Link: http://www.securityfocus.com/archive/1/archive/1/492739/100/0/threaded
Source: MANDRIVA
Name: MDVSA-2008:123
Link: http://www.mandriva.com/security/advisories?name=MDVSA-2008:123
Source: GENTOO
Name: GLSA-200806-03
Link: http://www.gentoo.org/security/en/glsa/glsa-200806-03.xml
Source: VUPEN
Name: ADV-2008-1700
Link: http://www.frsirt.com/english/advisories/2008/1700
Source: DEBIAN
Name: DSA-1594
Link: http://www.debian.org/security