CIAC INFORMATION BULLETIN

O-222: libXpm Library Contains Multiple Integer Overflow Vulnerabilities

[US-CERT Vulnerability Note VU#537878]

October 1, 2004 17:00 GMT
[REVISED 07 Oct 2004]
[REVISED 11 Oct 2004]
[REVISED 12 Oct 2004]
[REVISED 18 Oct 2004]
[REVISED 15 Nov 2004]
[REVISED 17 Nov 2004]
[REVISED 02 Dec 2004]
[REVISED 20 Dec 2004]
[REVISED 29 Dec 2004]
[REVISED 14 Jan 2005]
[REVISED 19 Jan 2005]
[REVISED 03 Feb 2005]
[REVISED 10 May 2005]
[REVISED 21 Sep 2005]
[REVISED 25 May 2006]

PROBLEM: The libXpm library's XPM image parsing code contains multiple integer overflow vulnerabilities.
PLATFORM: X11 Version 6.8.0
Debian GNU/Linux 3.0 alias woody
Solaris 7, 8, 9 (SPARC and x86 Platforms)
Solaris, Java Desktop System (JDS)
Linux Sun Java Desktop (JDS) 2003 without the updated RPMs (patch-9367)
Linux Sun Java Desktop (JDS) Release 2 without the updated RPMs (patch-9367)
HP Tru64 UNIX V5.1B-2/PK4, HP Tru64 UNIX V5.1B PK3,
HP Tru64 UNIX V4.0G PK4, HP Tru64 UNIX V4.0F PK8
Red Hat Desktop (v.3)
Red Hat Enterprise Linux AS, ES, and WS v.3
Red Hat Enterprise Linux AS, ES, and WS v.2.1
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
SGI ProPack 3 Service Pack 2
SGI ProPack 3 Service Pack 3 for SGI Altix family of systems
DAMAGE: May allow an attacker to cause a denial-of-service condition or execute arbitrary code.
SOLUTION: Apply a patch or upgrade to the appropriate version.

VULNERABILITY ASSESSMENT:
The risk is LOW. An attacker must entice a user to open a malicious file with an application that uses a vulnerable libXpm. An attacker can cause a denial of service or execute arbitrary code with the privileges of the running application.

LINKS:  
  CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/o-222.shtml
  ORIGINAL BULLETIN: http://www.kb.cert.org/vuls/id/537878
  ADDITIONAL LINKS: http://www.kb.cert.org/vuls/id/882750
Debian Security Advisory DSA 560-1
http://www.debian.org/security/2004/dsa-560
Debian Security Advisory DSA 561-1
http://www.debian.org/security/2004/dsa-561
Sun Alert ID: 57653
http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-57653-1&searchclause=
Sun Alert ID: 57652
http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-57652-1&searchclause=
Sun Alert ID: 57701 (See also CIAC Bulletin P-069)
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57701-1&searchclause=security
SGI #20041202-01-U
http://www.sgi.com/support/security/advisories.html
Visit your HP Subscription Service for:
HP Security Bulletin HPSBTU01093 / SSRT4831
Red Hat RHSA-2004:537 for "openmotif"
https://rhn.redhat.com/errata/RHSA-2004-537.html
Red Hat RHSA-2004:610 for XFree86 fixes
https://rhn.redhat.com/errata/RHSA-2004-610.html
Red Hat RHSA-2004:612 for XFree86 fixes
https://rhn.redhat.com/errata/RHSA-2004-612.html
Red Hat RHSA-2005:004
https://rhn.redhat.com/errata/RHSA-2005-004.html
SGI #20050102-01-U
http://www.sgi.com/support/security/advisories.html
Visit Hewlett-Packard Subscription Service for:
HPSBTU01228 SSRT5988 rev.1
Visit Hewlett-Packard Subscription Service for:
HPSBUX02119 SSRT4848 rev.1
  CVE/CAN: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
CAN-2004-0687 CAN-2004-0688 CAN-2004-0914

REVISION HISTORY:
10/07/2004 - added link to Debian Security Advisory DSA 560-1 that provides
             patches for these vulnerabilities.
10/11/2004 - added link to Debian Security Advisory DSA 561-1 that provides
             patches for these vulnerabilities.
10/12/2004 - added link to Sun Alert ID: 57653 that provides patches for these 
             vulnerabilities.
10/18/2004 - added a link to Sun Alert ID: 57652 that provides patches for these
             vulnerabilities.
11/15/2004 - added reference to HP Security Bulletin HPSBTU01093 / SSRT4831
             that provides patches for vulnerability identified in CAN-2004-0687. 
11/17/2004 - Sun updated Alert ID: 57653 to provide pending patches for Solaris 9.
12/02/2004 - added link to Red Hat Advisory RHSA-2004:537-17 for updated
             'openmotif' packages.
12/20/2004 - CIAC Bulletin O-222 has been revised to include new vendor advisory 
             information:
               - SGI #20041202-01-U:  fixes released for the "openmotif" 
                 vulnerability.
               - Sun Alert ID 57701:  multiple fixes released for Solaris, Java 
                 Desktop System (JDS) (See also CIAC Bulletin P-069).
               - Red Hat RHSA-2004:610-13: fixes released for XFree86 flaws in
                 'libXpm'.
12/20/2004 - added link to Red Hat RHSA-2004:612 for XFree86 flaws in 'libXpm' in
             Red Hat Desktop v.3 and Enterprise Linux AS, ES, WS v.3.
12/29/2004 - added note that Sun released final patches for Solaris 9 that address 
             this vulnerability (see Sun Alert ID 57653).
01/14/2005 - added a link to Red Hat RHSA-2005:004-12 for Red Hat Linux Advanced 
             Workstation 2.1 for the Itanium Processor.
01/19/2005 - added a link to updates available in SGI Security Update #22, 
             Number 20050102-01-U for SGI ProPack 3 Service Pack 3 for SGI Altix
             family of systems.
02/03/2005 - added note that Sun released resolution patches for Solaris 8 that address 
             this vulnerability (see Sun Alert ID 57653).
05/10/2005 - added note that Sun released resolution patches for Solaris 7 available
             in Sun Security Alert ID 57653.
09/21/2005 - revised to add a link to HP Bulletin HPSBTU01228 Rev.1.
05/25/2006 - revised to add a link to HP Bulletin HPSBUX02119 SSRT4848 rev.1
[***** Start US-CERT Vulnerability Note VU#537878  *****]

Vulnerability Note VU#537878

libXpm library contains multiple integer overflow vulnerabilities

Overview

libXpm contains multiple integer overflow vulnerabilities that may allow an attacker to cause a 
denial-of-service condition or execute arbitrary code. 

I. Description

XPM is a format for encoding and decoding X PixMap images that is used in the X Window System, Version 11 (X11).
libXpm is a library of functions to manipulate XPM images. Multiple libXpm routines contain integer
overflow vulnerabilities, including, but not necessarily limited to, the following functions:

	* xpmParseColors
	* XpmCreateImageFromXpmImage
	* CreateXImage
	* ParsePixels
	* ParseAndPutPixels

These issues are the result of insufficient validation of user-supplied data. Consequently, an attacker 
may be able to exploit these vulnerabilities by supplying an application using libXpm with a specially 
crafted XPM image. Applications that receive input from remote sources may be remotely exploitable. 

Any program that uses the libXpm library may be affected by this issue. Users are encouraged to contact 
their vendors to determine if they are vulnerable. 
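The following C example is added here to illustrate the flaw class the note describes; it is not code from the note or from libXpm. It parses a constructed XPM header line (width, height, colours, chars per pixel), shows how a buffer size computed in 32-bit unsigned arithmetic wraps silently for a hostile header, and places the overflow-checked computation a parser should use beside it. All struct and function names are ours, and a 32-bit unsigned int is assumed.

```c
#include <limits.h>
#include <stdio.h>

/* Fields of an XPM "<Values>" header line: width, height, number of
   colours, characters per pixel. Struct and function names are ours, not
   libXpm's; the arithmetic assumes a 32-bit unsigned int. */
typedef struct { unsigned int width, height, ncolors, cpp; } xpm_values;

/* Parse a header line such as "64 64 2 1" (constructed input):
   1 on success, 0 unless four unsigned integers are present. */
int parse_values_line(const char *line, xpm_values *v) {
    return sscanf(line, "%u %u %u %u",
                  &v->width, &v->height, &v->ncolors, &v->cpp) == 4;
}
/* The flaw class the note describes: width * height * bytes-per-pixel in
   32-bit unsigned arithmetic wraps silently, so a header claiming a huge
   image yields a tiny buffer that later pixel writes overrun. */
unsigned int pixel_bytes_unchecked(const xpm_values *v) {
    return v->width * v->height * 4u;
}
/* Hardened form: check each multiplication before doing it and reject the
   header outright instead of allocating a wrapped size. */
int pixel_bytes_checked(const xpm_values *v, unsigned int *out) {
    if (v->width == 0 || v->height == 0 || v->cpp == 0) return 0;
    if (v->width > UINT_MAX / v->height) return 0;   /* w*h would wrap */
    unsigned int pixels = v->width * v->height;
    if (pixels > UINT_MAX / 4u) return 0;            /* *4 would wrap */
    if (pixels > UINT_MAX / v->cpp) return 0;        /* cpp bytes/pixel */
    *out = pixels * 4u;
    return 1;
}

/* Wrappers: byte count for a header line; 0 when the line is malformed or
   (checked variant) rejected as overflowing. */
unsigned int unchecked_size_for(const char *line) {
    xpm_values v;
    return parse_values_line(line, &v) ? pixel_bytes_unchecked(&v) : 0;
}
unsigned int checked_size_for(const char *line) {
    xpm_values v; unsigned int n;
    if (!parse_values_line(line, &v) || !pixel_bytes_checked(&v, &n)) return 0;
    return n;
}
int main(void) {
    const char *hostile = "65536 65536 2 1";   /* constructed: 2^32 pixels */
    printf("unchecked: %u bytes, checked: %u (0 = rejected)\n",
           unchecked_size_for(hostile), checked_size_for(hostile));
    return 0;
}
```

For the constructed 65536 x 65536 header the unchecked computation yields 0 bytes while the checked one rejects the header, which is the behaviour an application feeding untrusted XPM files to a parser should require.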

II. Impact

Specific impacts depend on the application and libXpm routine being attacked. Potential consequences range 
from abrupt and abnormal program termination to the execution of arbitrary code with the privileges of the 
compromised program. 

III. Solution

Apply a Patch for X11 Version 6.8.0 

The X.Org Foundation has released a patch to address this issue in 6.8.0, available at:

http://www.x.org/pub/X11R6.8.0/patches/xorg-CAN-2004-0687-0688.patch

Several vendors of relevant or derived implementations have released patches to address this vulnerability; 
please contact those vendors for further details. 

Upgrade X11 

This issue has been fixed in X11 version 6.8.1.

Systems Affected

Vendor                     Status        Date Updated 

Apple Computer Inc.        Unknown       27-Sep-2004 
BSDI                       Unknown       30-Sep-2004 
BSDI                       Unknown       27-Sep-2004 
Conectiva                  Unknown       27-Sep-2004 
Cray Inc.                  Unknown       27-Sep-2004 
Debian                     Vulnerable    30-Sep-2004 
EMC Corporation            Unknown       27-Sep-2004 
Engarde                    Unknown       27-Sep-2004 
F5 Networks                Unknown       27-Sep-2004 
FreeBSD                    Vulnerable    30-Sep-2004 
Fujitsu                    Unknown       27-Sep-2004 
Gentoo                     Unknown       27-Sep-2004 
Hewlett-Packard Company    Unknown       27-Sep-2004 
Hitachi                    Unknown       30-Sep-2004 
IBM                        Unknown       27-Sep-2004 
IBM-zSeries                Unknown       27-Sep-2004 
IBM eServer                Unknown       27-Sep-2004 
Immunix                    Unknown       27-Sep-2004 
Ingrian Networks           Unknown       27-Sep-2004 
Juniper Networks           Unknown       27-Sep-2004 
MandrakeSoft               Unknown       27-Sep-2004 
MontaVista Software        Unknown       27-Sep-2004 
NEC Corporation            Unknown       27-Sep-2004 
NETBSD                     Unknown       27-Sep-2004 
Nokia                      Unknown       27-Sep-2004 
Novell                     Unknown       27-Sep-2004 
OpenBSD                    Unknown       27-Sep-2004 
Openwall GNU/*/Linux       Unknown       27-Sep-2004 
Red Hat Inc.               Unknown       27-Sep-2004 
SCO                        Unknown       27-Sep-2004 
Sequent                    Unknown       27-Sep-2004 
SGI                        Unknown       27-Sep-2004 
Sony Corporation           Unknown       27-Sep-2004 
Sun Microsystems Inc.      Unknown       27-Sep-2004 
SuSE Inc.                  Vulnerable    30-Sep-2004 
TurboLinux                 Unknown       27-Sep-2004 
Unisys                     Unknown       27-Sep-2004 
Wind River Systems Inc.    Unknown       27-Sep-2004 
X Consortium               Unknown       20-Sep-2004 
X11                        Unknown       30-Sep-2004 

References

http://scary.beasts.org/security/CESA-2004-003.txt
http://secunia.com/advisories/12549/
http://www.securitytracker.com/alerts/2004/Sep/1011324.html
http://www.x.org/pub/X11R6.8.0/patches/README.xorg-CAN-2004-0687-0688.patch

Credit

This vulnerability was publicly reported by Chris Evans. 

This document was written by Jeffrey Gennari. 

Other Information

         Date Public 09/16/2004 
Date First Published 09/30/2004 02:55:01 PM 
   Date Last Updated 09/30/2004 
       CERT Advisory   
            CVE Name CAN-2004-0687 
              Metric 2.82 
   Document Revision 206 


[***** End US-CERT Vulnerability Note VU#537878  *****]


CIAC wishes to acknowledge the contributions of US-CERT for the information contained in this bulletin.
DOE-CIRC can be contacted at:
    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/