             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                  "imlib" and "imlib2" Packages Vulnerability
                     [Red Hat Advisory RHSA-2004:465-08]

September 15, 2004 21:00 GMT                                      Number O-215
[REVISED 16 Sep 2004]
[REVISED 20 Sep 2004]
[REVISED 22 Sep 2004]
[REVISED 26 Oct 2005]
______________________________________________________________________________
PROBLEM:       Heap overflow flaws exist in the BMP image handling code of
               the imlib and imlib2 packages. These are image loading and
               rendering libraries.

PLATFORM:      Red Hat Desktop (v. 3)
               Red Hat Enterprise Linux AS (v. 2.1)
               Red Hat Enterprise Linux AS (v. 3)
               Red Hat Enterprise Linux ES (v. 2.1)
               Red Hat Enterprise Linux ES (v. 3)
               Red Hat Enterprise Linux WS (v. 2.1)
               Red Hat Enterprise Linux WS (v. 3)
               Red Hat Linux Advanced Workstation 2.1 for the Itanium
               Processor
               Debian GNU/Linux 3.0 (woody)

SOFTWARE:      Sun Java Desktop System (JDS) 2003
               Sun Java Desktop System (JDS) Release 2

DAMAGE:        An attacker could create a carefully crafted BMP file that
               causes an application linked with imlib to execute arbitrary
               code, with the privileges of the user who opened the file.

SOLUTION:      Install the updated packages.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. A remote intruder who convinces a user to
ASSESSMENT:    open a crafted BMP file can execute code as that user, and
               gains root access if the user is logged on as root. This is
               only a problem on systems that use imlib to render images.
               Imlib is installed by default in Red Hat 9.
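The DAMAGE and VULNERABILITY ASSESSMENT entries above describe the bug class without showing it. The following C program is an added illustration written for this bulletin; it is not imlib's code and the limits (BMP_MAX_DIM, BMP_MAX_BYTES) and the sample headers are invented for the example. It contrasts the pattern behind a BMP heap overflow, trusting the width/height/bit-count fields and multiplying them in 32-bit arithmetic so that the computed buffer size wraps, with a validator that range-checks the fields, computes the padded row size in 64 bits, caps the total, and confirms the file actually contains the pixel data it claims before anything is allocated.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical sanity limits for an image loader; imlib's real constants differ. */
#define BMP_MAX_DIM   65536u
#define BMP_MAX_BYTES (256u * 1024u * 1024u)
#define BMP_HDR_LEN   54   /* 14-byte file header + 40-byte BITMAPINFOHEADER */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Vulnerable pattern: header fields are trusted and multiplied in 32 bits, so
 * width*height*bpp can wrap to a small value. A loader that malloc()s this
 * size and then copies 'height' rows into it writes past the heap chunk. */
uint32_t bmp_pixel_bytes_unsafe(uint32_t width, uint32_t height, uint16_t bpp) {
    uint32_t row = width * bpp / 8;
    return row * height;
}

/* Hardened pattern: range-check every field, do the arithmetic in 64 bits,
 * include BMP's 4-byte row padding, and cap the result. */
bool bmp_pixel_bytes_safe(uint32_t width, uint32_t height, uint16_t bpp, size_t *out) {
    if (width == 0 || height == 0 || width > BMP_MAX_DIM || height > BMP_MAX_DIM) return false;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 24 && bpp != 32) return false;
    uint64_t row   = (((uint64_t)width * bpp + 31) / 32) * 4;
    uint64_t total = row * height;
    if (total > BMP_MAX_BYTES) return false;
    *out = (size_t)total;
    return true;
}

/* Convenience wrapper: the safe size, or 0 when the geometry is rejected. */
size_t bmp_safe_size_or_zero(uint32_t width, uint32_t height, uint16_t bpp) {
    size_t n = 0;
    return bmp_pixel_bytes_safe(width, height, bpp, &n) ? n : 0;
}

/* Validates an in-memory BMP before any allocation. Returns the pixel-buffer
 * size the loader may allocate, or -1 if the file must be rejected. */
long bmp_validate(const uint8_t *buf, size_t len) {
    if (len < BMP_HDR_LEN || buf[0] != 'B' || buf[1] != 'M') return -1;
    uint32_t data_off = rd32(buf + 10);
    uint32_t hdr_size = rd32(buf + 14);
    int32_t  width    = (int32_t)rd32(buf + 18);
    int32_t  height   = (int32_t)rd32(buf + 22);   /* negative height = top-down image */
    uint16_t planes   = rd16(buf + 26);
    uint16_t bpp      = rd16(buf + 28);
    if (hdr_size < 40 || planes != 1 || width <= 0 || height == 0) return -1;
    uint32_t abs_h = height < 0 ? (uint32_t)(-(int64_t)height) : (uint32_t)height;
    size_t need;
    if (!bmp_pixel_bytes_safe((uint32_t)width, abs_h, bpp, &need)) return -1;
    /* The file must really contain the pixel data the header promises. */
    if (data_off < BMP_HDR_LEN || data_off > len || len - data_off < need) return -1;
    return (long)need;
}

/* Constructed test input (not a real sample): minimal header with the given geometry. */
static void bmp_make_header(uint8_t *hdr, uint32_t width, uint32_t height, uint16_t bpp, uint32_t file_size) {
    memset(hdr, 0, BMP_HDR_LEN);
    hdr[0] = 'B'; hdr[1] = 'M';
    wr32(hdr + 2, file_size);
    wr32(hdr + 10, BMP_HDR_LEN);
    wr32(hdr + 14, 40);
    wr32(hdr + 18, width);
    wr32(hdr + 22, height);
    wr16(hdr + 26, 1);
    wr16(hdr + 28, bpp);
}

/* Benign 2x2 24-bit image: 6-byte rows padded to 8, so 16 pixel bytes. */
long demo_benign(void) {
    uint8_t buf[BMP_HDR_LEN + 16];
    bmp_make_header(buf, 2, 2, 24, sizeof buf);
    memset(buf + BMP_HDR_LEN, 0xff, 16);
    return bmp_validate(buf, sizeof buf);
}

/* Crafted header: 65536 x 65536 x 8 bpp. The unsafe arithmetic yields 0 bytes;
 * the hardened validator rejects the file before anything is allocated. */
long demo_crafted(void) {
    uint8_t buf[BMP_HDR_LEN + 16];
    bmp_make_header(buf, 65536, 65536, 8, sizeof buf);
    memset(buf + BMP_HDR_LEN, 0x41, 16);
    return bmp_validate(buf, sizeof buf);
}

int main(void) {
    printf("benign:  validator=%ld unsafe=%u\n", demo_benign(), bmp_pixel_bytes_unsafe(2, 2, 24));
    printf("crafted: validator=%ld unsafe=%u\n", demo_crafted(), bmp_pixel_bytes_unsafe(65536, 65536, 8));
    return 0;
}
```

The point of the crafted case is that the wrapped size is not merely wrong but tiny, so the overflow is a full heap write of attacker-controlled pixel rows, which is why the bulletin rates this as arbitrary code execution rather than a crash. Note also that the unsafe computation ignores row padding even for the benign file (12 bytes instead of 16), a second under-allocation that a validator has to account for.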
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-215.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2004-465.html
 ADDITIONAL LINKS:
    Debian Security Advisory DSA-548-2 (imlib)
    http://www.debian.org/security/2004/dsa-548
    Debian Security Advisory DSA-552-1 (imlib2)
    http://www.debian.org/security/2004/dsa-552
    Sun Alert ID: 57645
    http://sunsolve.sun.com/search/document.do?assetkey=1-26-57645-1&searchclause=security
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0817
______________________________________________________________________________
REVISION HISTORY:
 09/16/04 - added a link to Debian Security Advisory DSA-548-1 that provides
            updated packages for "imlib".
 09/20/04 - added a link to Sun's Alert ID#: 57645.
 09/22/04 - changed title of bulletin to add the "imlib2" package.
 09/22/04 - added a link to Debian Security Advisory DSA-552-1 that provides
            updated packages for "imlib2".
 10/26/05 - revised to point to Debian Security Advisory DSA-548-2, the
            reissued advisory for the "imlib" package. See the Additional
            Links section for the link to this advisory.

[***** Start Red Hat Advisory RHSA-2004:465-08 *****]

Updated imlib package fixes security vulnerability

Advisory: RHSA-2004:465-08
Last updated on: 2004-09-15

Affected Products:
  Red Hat Desktop (v. 3)
  Red Hat Enterprise Linux AS (v. 2.1)
  Red Hat Enterprise Linux AS (v. 3)
  Red Hat Enterprise Linux ES (v. 2.1)
  Red Hat Enterprise Linux ES (v. 3)
  Red Hat Enterprise Linux WS (v. 2.1)
  Red Hat Enterprise Linux WS (v. 3)
  Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor

CVEs (cve.mitre.org): CAN-2004-0817

Security Advisory Details:

An updated imlib package that fixes several heap overflows is now available.

Imlib is an image loading and rendering library.

Several heap overflow flaws were found in the imlib BMP image handler.
An attacker could create a carefully crafted BMP file in such a way that it
could cause an application linked with imlib to execute arbitrary code when
the file was opened by a victim. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2004-0817 to this issue.

Users of imlib should update to this updated package which contains
backported patches and is not vulnerable to this issue.

Updated packages:

Red Hat Desktop (v. 3)
--------------------------------------------------------------------------------
AMD64:
imlib-1.9.13-13.3.x86_64.rpm          a541f53f7ae3b301598828d05014b46e
imlib-devel-1.9.13-13.3.x86_64.rpm    ab80ef08fb5a847a729c8d69640c8366
SRPMS:
imlib-1.9.13-13.3.src.rpm             6b77190f47b54d9c4c8bfc59cb5c9a97
i386:
imlib-1.9.13-13.3.i386.rpm            ead45a05f882e533d8967caad278a3ff
imlib-devel-1.9.13-13.3.i386.rpm      fb55305b96a608e4a59d734f0c933505

Red Hat Enterprise Linux AS (v. 2.1)
--------------------------------------------------------------------------------
SRPMS:
imlib-1.9.13-4.2.src.rpm              70350a36d0e898640bf0370f74d26329
i386:
imlib-1.9.13-4.2.i386.rpm             977d25ef2ed5d80a3d752bcc309dcea3
imlib-cfgeditor-1.9.13-4.2.i386.rpm   4ca29312814b0c29e87acb6c1eba4f31
imlib-devel-1.9.13-4.2.i386.rpm       ab03d718bd43a82cd4fa77118915ca7b
ia64:
imlib-1.9.13-4.2.ia64.rpm             ca8f753c817cbe0bf24ac0ac2b03bccc
imlib-cfgeditor-1.9.13-4.2.ia64.rpm   11060c4560ee42e3e9e0e482a88189c2
imlib-devel-1.9.13-4.2.ia64.rpm       11e6bd0ee4caca73cbc0ddc80bf1d793

Red Hat Enterprise Linux AS (v. 3)
--------------------------------------------------------------------------------
AMD64:
imlib-1.9.13-13.3.x86_64.rpm          a541f53f7ae3b301598828d05014b46e
imlib-devel-1.9.13-13.3.x86_64.rpm    ab80ef08fb5a847a729c8d69640c8366
SRPMS:
imlib-1.9.13-13.3.src.rpm             6b77190f47b54d9c4c8bfc59cb5c9a97
i386:
imlib-1.9.13-13.3.i386.rpm            ead45a05f882e533d8967caad278a3ff
imlib-devel-1.9.13-13.3.i386.rpm      fb55305b96a608e4a59d734f0c933505
ia64:
imlib-1.9.13-13.3.ia64.rpm            9444828842659c3bec047cc18d2528ee
imlib-devel-1.9.13-13.3.ia64.rpm      c559153e239abff5269e41c30233ca05
ppc:
imlib-1.9.13-13.3.ppc.rpm             3d5eae85598168b6e337a0689eb2d743
imlib-devel-1.9.13-13.3.ppc.rpm       c9bd4375d8e077fcc70a638804d16b65
s390:
imlib-1.9.13-13.3.s390.rpm            17404e9fdddd26a89d81df23e3aae7db
imlib-devel-1.9.13-13.3.s390.rpm      5a3c49f094187deb72b9c522fedd5724
s390x:
imlib-1.9.13-13.3.s390x.rpm           81d3bbb3472454bd14c748c60c219d2b
imlib-devel-1.9.13-13.3.s390x.rpm     7e6739f7b72993dadbc4a489898c83c1

Red Hat Enterprise Linux ES (v. 2.1)
--------------------------------------------------------------------------------
SRPMS:
imlib-1.9.13-4.2.src.rpm              70350a36d0e898640bf0370f74d26329
i386:
imlib-1.9.13-4.2.i386.rpm             977d25ef2ed5d80a3d752bcc309dcea3
imlib-cfgeditor-1.9.13-4.2.i386.rpm   4ca29312814b0c29e87acb6c1eba4f31
imlib-devel-1.9.13-4.2.i386.rpm       ab03d718bd43a82cd4fa77118915ca7b

Red Hat Enterprise Linux ES (v. 3)
--------------------------------------------------------------------------------
AMD64:
imlib-1.9.13-13.3.x86_64.rpm          a541f53f7ae3b301598828d05014b46e
imlib-devel-1.9.13-13.3.x86_64.rpm    ab80ef08fb5a847a729c8d69640c8366
SRPMS:
imlib-1.9.13-13.3.src.rpm             6b77190f47b54d9c4c8bfc59cb5c9a97
i386:
imlib-1.9.13-13.3.i386.rpm            ead45a05f882e533d8967caad278a3ff
imlib-devel-1.9.13-13.3.i386.rpm      fb55305b96a608e4a59d734f0c933505
ia64:
imlib-1.9.13-13.3.ia64.rpm            9444828842659c3bec047cc18d2528ee
imlib-devel-1.9.13-13.3.ia64.rpm      c559153e239abff5269e41c30233ca05

Red Hat Enterprise Linux WS (v. 2.1)
--------------------------------------------------------------------------------
SRPMS:
imlib-1.9.13-4.2.src.rpm              70350a36d0e898640bf0370f74d26329
i386:
imlib-1.9.13-4.2.i386.rpm             977d25ef2ed5d80a3d752bcc309dcea3
imlib-cfgeditor-1.9.13-4.2.i386.rpm   4ca29312814b0c29e87acb6c1eba4f31
imlib-devel-1.9.13-4.2.i386.rpm       ab03d718bd43a82cd4fa77118915ca7b

Red Hat Enterprise Linux WS (v. 3)
--------------------------------------------------------------------------------
AMD64:
imlib-1.9.13-13.3.x86_64.rpm          a541f53f7ae3b301598828d05014b46e
imlib-devel-1.9.13-13.3.x86_64.rpm    ab80ef08fb5a847a729c8d69640c8366
SRPMS:
imlib-1.9.13-13.3.src.rpm             6b77190f47b54d9c4c8bfc59cb5c9a97
i386:
imlib-1.9.13-13.3.i386.rpm            ead45a05f882e533d8967caad278a3ff
imlib-devel-1.9.13-13.3.i386.rpm      fb55305b96a608e4a59d734f0c933505
ia64:
imlib-1.9.13-13.3.ia64.rpm            9444828842659c3bec047cc18d2528ee
imlib-devel-1.9.13-13.3.ia64.rpm      c559153e239abff5269e41c30233ca05

Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
--------------------------------------------------------------------------------
SRPMS:
imlib-1.9.13-4.2.src.rpm              70350a36d0e898640bf0370f74d26329
ia64:
imlib-1.9.13-4.2.ia64.rpm             ca8f753c817cbe0bf24ac0ac2b03bccc
imlib-cfgeditor-1.9.13-4.2.ia64.rpm   11060c4560ee42e3e9e0e482a88189c2
imlib-devel-1.9.13-4.2.ia64.rpm       11e6bd0ee4caca73cbc0ddc80bf1d793

(The unlinked packages above are only available from the Red Hat Network)

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

Use Red Hat Network to download and update your packages.
To launch the Red Hat Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the following
Web page for the System Administration or Customization guide specific to
your system:

http://www.redhat.com/docs/manuals/enterprise/

Bugs fixed: (see bugzilla for more information)

130909 - CAN-2004-0817 heap overflow in BMP decoder

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0817
http://bugzilla.gnome.org/show_bug.cgi?id=151034

[***** End Red Hat Advisory RHSA-2004:465-08 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC.
The Forum of Incident Response and Security Teams (FIRST) is a
world-wide organization. A list of FIRST member organizations and
their constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-205: Adobe Acrobat Reader Uuencoding Buffer Overflow
O-206: Entrust LibKmp Library Vulnerabilities
O-207: Cisco IOS Telnet Denial of Service Vulnerability
O-208: Kerberos krb5 Vulnerabilities
O-209: Oracle Database Server Vulnerabilities
O-210: LHA Packages Buffer Overflow Vulnerability
O-211: Potential Buffer Overflows in WinZip
O-212: Apple Security Update
O-213: Windows Buffer Overrun in JPEG Processing Could Allow Code Execution
O-214: Windows Vulnerability in WordPerfect Converter Could Allow Code Execution