Debian Bug report logs - #332524
xloadimage: Exploitable buffer overflow in NIFF loading code


Package: xloadimage; Maintainer for xloadimage is Dominik George <nik@naturalnet.de>; Source for xloadimage is src:xloadimage.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Thu, 6 Oct 2005 22:18:04 UTC

Severity: grave

Tags: security

Fixed in version xloadimage/4.1-15

Done: James Troup <james@nocrew.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, James Troup <james@nocrew.org>:
Bug#332524; Package xloadimage. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, James Troup <james@nocrew.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xloadimage: Exploitable buffer overflow in NIFF loading code
Date: Fri, 07 Oct 2005 00:07:48 +0200
Package: xloadimage
Severity: grave
Tags: security
Justification: user security hole

A report about several buffer overflows in the xloadimage code for
processing NIFF images has been posted to Bugtraq. Please see
http://msgs.securepoint.com/cgi-bin/get/bugtraq0510/57.html
for details and a demo exploit.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-rc1
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)



Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>:
Bug#332524; Package xloadimage. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>. Full text and rfc822 format available.

Message #10 received at 332524@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 332524@bugs.debian.org
Subject: Exploits attached
Date: Fri, 7 Oct 2005 00:57:00 +0200
[Message part 1 (text/plain, inline)]
The demonstration exploits are stripped off in the Bugtraq archives,
I've attached them.

Cheers,
        Moritz
[large.niff.bz2 (application/octet-stream, attachment)]
[small.niff.bz2 (application/octet-stream, attachment)]

Reply sent to James Troup <james@nocrew.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #15 received at 332524-close@bugs.debian.org (full text, mbox):

From: James Troup <james@nocrew.org>
To: 332524-close@bugs.debian.org
Subject: Bug#332524: fixed in xloadimage 4.1-15
Date: Sat, 08 Oct 2005 07:32:05 -0700
Source: xloadimage
Source-Version: 4.1-15

We believe that the bug you reported is fixed in the latest version of
xloadimage, which is due to be installed in the Debian FTP archive:

xloadimage_4.1-15.diff.gz
  to pool/main/x/xloadimage/xloadimage_4.1-15.diff.gz
xloadimage_4.1-15.dsc
  to pool/main/x/xloadimage/xloadimage_4.1-15.dsc
xloadimage_4.1-15_i386.deb
  to pool/main/x/xloadimage/xloadimage_4.1-15_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 332524@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Troup <james@nocrew.org> (supplier of updated xloadimage package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat,  8 Oct 2005 04:22:14 +0100
Source: xloadimage
Binary: xloadimage
Architecture: source i386
Version: 4.1-15
Distribution: unstable
Urgency: high
Maintainer: James Troup <james@nocrew.org>
Changed-By: James Troup <james@nocrew.org>
Description: 
 xloadimage - Graphics file viewer under X11
Closes: 332524
Changes: 
 xloadimage (4.1-15) unstable; urgency=HIGH
 .
   * 17_security-sprintf.dpatch: new patch to fix unsafe sprintf usage.
     Reported by Ariel Berkman <aberkm1@uic.edu>.  Closes: #332524
 .
   * Merge NMU changes from Joey Hess and dpatch-ify.
Files: 
 9d5a8e1a5c800fb0923b70d36579b826 1247 graphics optional xloadimage_4.1-15.dsc
 546f446c617456d1a0187be57fe09ec6 67508 graphics optional xloadimage_4.1-15.diff.gz
 0f665ac13f55da09802364a9f6142833 113474 graphics optional xloadimage_4.1-15_i386.deb





Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>:
Bug#332524; Package xloadimage. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>. Full text and rfc822 format available.

Message #20 received at 332524@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: 332524@bugs.debian.org
Subject: CVE name
Date: Sat, 8 Oct 2005 21:40:52 +0200
======================================================
Candidate: CAN-2005-3178
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3178
Reference: BUGTRAQ:20051005 xloadimage buffer overflow.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112862493918840&w=2

Buffer overflow in xloadimage 4.1 and earlier might allow
user-complicit attackers to execute arbitrary code via (1) a long
title name in a NIFF file, which triggers the overflow during (1)
zoom, (2) reduce, or (3) rotate operations.

-- 
The only stupid question is the unasked one.

Please always Cc to me when replying to me on the lists.



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 22:33:47 GMT) Full text and rfc822 format available.
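The bug class named in the changelog ("unsafe sprintf usage") and in the CVE text (a long NIFF title overflowing during zoom, reduce or rotate), shown as an added example that is not code from xloadimage or from 17_security-sprintf.dpatch. The buffer size, format string and function names are hypothetical, and the long titles are constructed in the code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TITLE_BUF 64                 /* hypothetical fixed buffer size */
#define TITLE_FMT "%s (%u%% zoom)"   /* hypothetical derived-title format */

/* Unsafe pattern (shown for contrast, never called here): the title comes
 * from the image file, and nothing limits how much sprintf writes to buf. */
void derive_title_unsafe(char *buf, const char *title, unsigned pct)
{
    sprintf(buf, TITLE_FMT, title, pct);
}

/* Bounded form: snprintf never writes more than len bytes and always
 * NUL-terminates. Returns the title length, or -1 if the full title
 * did not fit, so the caller can reject or shorten it explicitly. */
int derive_title_bounded(char *buf, size_t len, const char *title, unsigned pct)
{
    int n = snprintf(buf, len, TITLE_FMT, title, pct);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Constructed input: a title of n 'A' bytes, as a file-supplied title
 * could be. Returns what the bounded call reports for a 50% zoom. */
int try_title_of_length(size_t n)
{
    char buf[TITLE_BUF];
    char *title = malloc(n + 1);
    if (!title)
        return -2;
    memset(title, 'A', n);
    title[n] = '\0';
    int rc = derive_title_bounded(buf, sizeof buf, title, 50);
    free(title);
    return rc;
}

int main(void)
{
    size_t sizes[] = {5, 52, 53, 4000};
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("title length %zu -> %d\n", sizes[i], try_title_of_length(sizes[i]));
    return 0;
}
```

The suffix adds 11 bytes, so a 52-byte title is the longest that fits in the 64-byte buffer; anything longer is reported as -1 instead of being written past the end.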



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 20:48:02 2014; Machine Name: beach.debian.org
