Debian Bug report logs - #271375
libimlib2: BMP remote heap overflow in imlib2

Package: libimlib2; Maintainer for libimlib2 is Alessandro Ghedini <ghedo@debian.org>; Source for libimlib2 is src:imlib2.

Reported by: Moritz Muehlenhoff <jmm@informatik.uni-bremen.de>

Date: Sun, 12 Sep 2004 20:48:05 UTC

Severity: grave

Tags: fixed, patch, security

Found in version 1.1.0-12.3

Done: "Laurence J. Lane" <ljlane@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane):
Bug#271375; Package libimlib2.


Acknowledgement sent to Moritz Muehlenhoff <jmm@informatik.uni-bremen.de>:
New Bug report received and forwarded. Copy sent to ljlane@debian.org (Laurence J. Lane).


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@informatik.uni-bremen.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libimlib2: BMP remote heap overflow in imlib2
Date: Sun, 12 Sep 2004 22:43:27 +0200
Package: libimlib2
Version: 1.1.0-12.3
Severity: grave
Tags: security
Justification: user security hole

The infamous BMP remote heap overflow, which is already fixed for
imlib+png, is also present in imlib2:

The recently released upstream version 1.1.2 fixes the problem:

> Tue Aug 31 11:46:49 JST 2004
> (Raster)
> 
> Fixed bmp security issue.
> New IFF ILBM loader
> Up to 1.1.2

Cheers,
        Moritz

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.7
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro

Versions of packages libimlib2 depends on:
ii  libc6                     2.3.2.ds1-16   GNU C Library: Shared libraries an
ii  libfreetype6              2.1.7-2.2      FreeType 2 font engine, shared lib
ii  libjpeg62                 6b-9           The Independent JPEG Group's JPEG 
ii  libpng12-0                1.2.5.0-7      PNG library - runtime
ii  libtiff4                  3.6.1-1.1      Tag Image File Format library
ii  libungif4g                4.1.3-1        shared library for GIF images (run
ii  libx11-6                  4.3.0.dfsg.1-7 X Window System protocol client li
ii  libxext6                  4.3.0.dfsg.1-7 X Window System miscellaneous exte
ii  xlibs                     4.3.0.dfsg.1-7 X Window System client libraries m
ii  zlib1g                    1:1.2.1.1-7    compression library - runtime

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane):
Bug#271375; Package libimlib2.


Acknowledgement sent to Martin Pitt <martin.pitt@canonical.com>:
Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane).


Message #10 received at 271375@bugs.debian.org:

From: Martin Pitt <martin.pitt@canonical.com>
To: 271375@bugs.debian.org
Subject: Backported patch
Date: Mon, 13 Sep 2004 10:52:28 +0200
tag 271375 patch
thanks

I backported the patch from upstream's 1.1.2 release, you can get it
from

  http://we.give.back.to.debian.no-name-yet.com/patches/imlib2.271375.diff

Thanks,

Martin

-- 
Martin Pitt                 Debian GNU/Linux Developer
martin@piware.de                      mpitt@debian.org
http://www.piware.de             http://www.debian.org

Tags added: patch Request was from Martin Pitt <martin@piware.de> to control@bugs.debian.org.


Tags added: fixed Request was from sesse@debian.org (Steinar H. Gunderson) to control@bugs.debian.org.


Reply sent to "Laurence J. Lane" <ljlane@debian.org>:
You have taken responsibility.


Notification sent to Moritz Muehlenhoff <jmm@informatik.uni-bremen.de>:
Bug acknowledged by developer.


Message #19 received at 271375-done@bugs.debian.org:

From: "Laurence J. Lane" <ljlane@debian.org>
To: 271375-done@bugs.debian.org
Subject: closed
Date: Sun, 28 Nov 2004 13:52:13 -0600
closed



Bug unarchived. Request was from Stefano Zacchiroli <zack@debian.org> to control@bugs.debian.org. (Sun, 10 Apr 2011 08:43:58 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 09 May 2011 07:47:34 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Oct 11 12:05:28 2017; Machine Name: buxtehude
