Debian Bug report logs - #298039
xli: Multiple security problems in xli


Package: xli; Maintainer for xli is Ryan Niebur <ryan@debian.org>; Source for xli is src:xli.

Reported by: Moritz Mühlenhoff <muehlenhoff@univention.de>

Date: Fri, 4 Mar 2005 09:03:01 UTC

Severity: grave

Tags: security

Found in version 1.17.0-16

Fixed in version xli/1.17.0-17

Done: Graham Wilson <graham@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Graham Wilson <graham@debian.org>:
Bug#298039; Package xli. Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to Graham Wilson <graham@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xli: Multiple security problems in xli
Date: Fri, 04 Mar 2005 09:53:13 +0100
Package: xli
Version: 1.17.0-16 (not installed)
Severity: grave
Justification: user security hole

[Cc:ing security, as Woody should be affected as well]

Multiple security problems in xli have been found by the Gentoo Security folks:

1. Shell meta characters are inaccurately escaped in compressed images
2. A buffer overflow in "Faces Project images" parsing allows execution of
   arbitrary code.
3. Insufficient validation of image properties in xli could potentially result
   in buffer management errors (no further information given wrt the impact of
   this vulnerability)

Fixes: All problems have been fixed in the latest xli (which doesn't have
overly many differences to the version in sid):
>Sun Feb 27 15:16:08 PST 2005
>
>Fix a security problem in the faces loader, a security problem when
>opening compressed files, and check for integer overflows in image data
>size calculations.

Note: There does only seem to be a CAN assignment for the faces overflow,
(CAN-2001-0775), not for the remaining issues. Could anyone from the
security team please request one?

Cheers,
         Moritz
-- 
Moritz Muehlenhoff muehlenhoff@univention.de     fon: +49 421 22 232- 0
Development        Linux for Your Business       fax: +49 421 22 232-99
Univention GmbH    http://www.univention.de/   mobil: +49 175 22 999 23

-- System Information:
Debian Release: 3.0
Architecture: i386
Kernel: Linux anton 2.4.29-univention.1 #1 SMP Thu Jan 27 17:08:46 CET 2005 i686
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro




Information forwarded to debian-bugs-dist@lists.debian.org, Graham Wilson <graham@debian.org>:
Bug#298039; Package xli. Full text and rfc822 format available.

Acknowledgement sent to Graham Wilson <graham@mknod.org>:
Extra info received and forwarded to list. Copy sent to Graham Wilson <graham@debian.org>. Full text and rfc822 format available.

Message #10 received at 298039@bugs.debian.org (full text, mbox):

From: Graham Wilson <graham@mknod.org>
To: Moritz Mühlenhoff <muehlenhoff@univention.de>, 298039@bugs.debian.org
Subject: Re: Bug#298039: xli: Multiple security problems in xli
Date: Fri, 4 Mar 2005 09:33:42 -0600
On Fri, Mar 04, 2005 at 09:53:13AM +0100, Moritz Mühlenhoff wrote:
> Multiple security problems in xli have been found by the Gentoo Security folks:

Actually, one of these at least has been around for some time. But I
just noticed them as well due to the Gentoo security announcement.

Once I test the fixes, I'll upload a new version.

-- 
gram



Tags added: security Request was from graham@mknod.org (Graham Wilson) to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: pending Request was from graham@mknod.org (Graham Wilson) to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Graham Wilson <graham@debian.org>:
Bug#298039; Package xli. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Graham Wilson <graham@debian.org>. Full text and rfc822 format available.

Message #19 received at 298039@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: 298039@bugs.debian.org
Subject: this bug is overdue..
Date: Wed, 16 Mar 2005 18:28:42 -0500
This bug has been marked pending for 8 days. I hope an upload can be
made soon. 

-- 
see shy jo

Information forwarded to debian-bugs-dist@lists.debian.org, Graham Wilson <graham@debian.org>:
Bug#298039; Package xli. Full text and rfc822 format available.

Acknowledgement sent to Graham Wilson <graham@mknod.org>:
Extra info received and forwarded to list. Copy sent to Graham Wilson <graham@debian.org>. Full text and rfc822 format available.

Message #24 received at 298039@bugs.debian.org (full text, mbox):

From: Graham Wilson <graham@mknod.org>
To: Joey Hess <joeyh@debian.org>, 298039@bugs.debian.org
Subject: Re: Bug#298039: this bug is overdue..
Date: Wed, 16 Mar 2005 18:01:52 -0600
On Wed, Mar 16, 2005 at 06:28:42PM -0500, Joey Hess wrote:
> This bug has been marked pending for 8 days. I hope an upload can be
> made soon. 

I've been waiting on the security team to do an upload for stable.
However, you are correct. I'll upload the fixed version for unstable
this evening.

-- 
gram



Reply sent to Graham Wilson <graham@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Moritz Mühlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #29 received at 298039-close@bugs.debian.org (full text, mbox):

From: Graham Wilson <graham@debian.org>
To: 298039-close@bugs.debian.org
Subject: Bug#298039: fixed in xli 1.17.0-17
Date: Wed, 16 Mar 2005 21:47:30 -0500
Source: xli
Source-Version: 1.17.0-17

We believe that the bug you reported is fixed in the latest version of
xli, which is due to be installed in the Debian FTP archive:

xli_1.17.0-17.diff.gz
  to pool/main/x/xli/xli_1.17.0-17.diff.gz
xli_1.17.0-17.dsc
  to pool/main/x/xli/xli_1.17.0-17.dsc
xli_1.17.0-17_powerpc.deb
  to pool/main/x/xli/xli_1.17.0-17_powerpc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 298039@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Graham Wilson <graham@debian.org> (supplier of updated xli package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 08 Mar 2005 06:04:31 +0000
Source: xli
Binary: xli
Architecture: source powerpc
Version: 1.17.0-17
Distribution: unstable
Urgency: high
Maintainer: Graham Wilson <graham@debian.org>
Changed-By: Graham Wilson <graham@debian.org>
Description: 
 xli        - view images under X11
Closes: 298039
Changes: 
 xli (1.17.0-17) unstable; urgency=high
 .
   * Fix some old and new security bugs. (closes: #298039)
 .
   * In face.c, use strncat instead of strcat, which won't overflow the image
     name buffer in case the first and last names are too long. Addresses
     CAN-2001-0775.
 .
   * In new.c, check that new*Image functions don't overflow when determining
     how much memory to allocate for images.
 .
   * Use upstream's code to avoid an overflow in buildIndex, rather than the
     code I wrote to fix #274310.
Files: 
 10f275b748124f5edd3ce8afe84c43f3 914 graphics optional xli_1.17.0-17.dsc
 fdea256ca3de8a54f23cba8bce0d29da 19199 graphics optional xli_1.17.0-17.diff.gz
 dd51c76c38b0a493d8c35ad9c3d23b39 152512 graphics optional xli_1.17.0-17_powerpc.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

-----END PGP SIGNATURE-----
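
The two kinds of fix named in the changelog above (bounded concatenation of the name fields, and an overflow check on the image size calculation before allocating), sketched as an added example. This is not xli's code or the Debian patch; `build_name`, `image_bytes` and `NAME_LEN` are hypothetical names and the inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 64 /* constructed size, not xli's real buffer size */

/* Build "first last" in out. strncat's third argument is the number of
 * characters to append, not the buffer size, so each call passes the space
 * still free (one byte is reserved for the NUL). Returns 1 if truncated. */
int build_name(char out[NAME_LEN], const char *first, const char *last)
{
    out[0] = '\0';
    strncat(out, first, NAME_LEN - 1);
    strncat(out, " ", NAME_LEN - 1 - strlen(out));
    strncat(out, last, NAME_LEN - 1 - strlen(out));
    return strlen(first) + 1 + strlen(last) > NAME_LEN - 1;
}

/* Store width * height * bytes_per_pixel in *out, rejecting zero dimensions
 * and any product that would wrap around size_t. Returns 0 on success. */
int image_bytes(unsigned int width, unsigned int height,
                unsigned int bytes_per_pixel, size_t *out)
{
    size_t n = width;

    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return -1;
    if (n > SIZE_MAX / height)
        return -1;
    n *= height;
    if (n > SIZE_MAX / bytes_per_pixel)
        return -1;
    *out = n * bytes_per_pixel;
    return 0;
}

int main(void)
{
    char name[NAME_LEN];
    size_t n = 0;

    /* Constructed inputs: a normal header and an oversized one. */
    printf("truncated=%d name=%s\n", build_name(name, "Ada", "Lovelace"), name);
    printf("640x480x3 -> %d\n", image_bytes(640, 480, 3, &n));
    printf("huge     -> %d\n", image_bytes(~0u, ~0u, 4, &n));
    return 0;
}
```

A loader would call `malloc` only after `image_bytes` returns 0, and would treat a truncated name as a malformed file rather than silently accepting it.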




Information forwarded to debian-bugs-dist@lists.debian.org, Graham Wilson <graham@debian.org>:
Bug#298039; Package xli. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Graham Wilson <graham@debian.org>. Full text and rfc822 format available.

Message #34 received at 298039@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: 298039@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Fixes
Date: Fri, 18 Mar 2005 13:01:42 +0100
Attached please find the patches we're using for the update of the
package in woody.

Please
 . update the package in sid
 . mention the corresponding CVE ids in the changelog
 . tell me the version number of the fixed package
 . use priority=high
 . no need to upload into sarge directly, except if the version in
   sid is not meant to go into testing

Regards,

	Joey

-- 
The only stupid question is the unasked one.

Please always Cc to me when replying to me on the lists.
[patch.CAN-2001-0775.xli (text/plain, attachment)]
[patch.CAN-2005-0638.xli (text/plain, attachment)]
[patch.CAN-2005-0639.xli (text/plain, attachment)]



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 10:44:52 2014; Machine Name: beach.debian.org
