OpenBSD Journal

Security Fix for XPM library

Contributed by grey on from the I don't have anything witty to say at the moment dept.

Thanks to Brad Smith for pointing out a security fix available for download here for 3.5 and here for 3.4. A description is as follows:

Chris Evans reported several flaws (stack and integer overflows) in the Xpm library code that parses image files (CAN-2004-0687, CAN-2004-0688). Some of these would be exploitable when parsing malicious image files in an application that handles XPM images, if they could escape ProPolice.

As always, be sure to check http://www.openbsd.org/errata.html for additional information regarding security and reliability fixes.


Comments
  1. By Anonymous Coward (64.122.103.201) on

    Looks like we've got a bunch of issues with picture libraries lately, png, xpm, etc.

    Is anyone auditing other picture libraries, i.e. gif, jpeg, tiff, or even any kind of streaming library, mp3, mpeg, that could produce similar results... atm?

    This seems to be an interesting vulnerability that bypasses propolice.

    Comments
    1. By Leon Yendor (218.214.194.113) on

      The original said ", if they could escape ProPolice." not when they escape ProPolice. You know that they can escape? It didn't sound likely to me, just a precautionary warning.

      Comments
      1. By Anonymous Coward (192.195.135.35) on

        It means: "No one has proven that it can break out of ProPolice. On the other hand, we haven't proven that it can't, so we'll assume that it can".

        Comments
        1. By Anonymous Coward (203.217.30.86) on

          An attacker would still have to contend with W^X, library randomisations, etc. Given the nature of the attack (get your victim to load a bogus image), it would be very, very difficult for an attacker to successfully exploit it.

    2. By Anonymous Coward (24.46.36.183) on

      I wonder if this is related to the increase in image based spam?

      Comments
      1. By Anonymous Coward (195.217.242.33) on

        I would have thought that would have more to do with the fact that most of those images are based on a server somewhere, and the URL is specific to that email.

        By looking at it and fetching the images, you basically let them know that your account is live.

        Alternatively it might be just a way of by-passing your spam filters.

      2. By Anonymous Coward (64.122.103.201) on

        No, image spam is done to bypass anti-spam solutions which do not have OCR or any way to check pictures.
