Secunia discovered an imlib2 vulnerability that can be used to execute arbitrary code within the application that uses this library:

-----
The vulnerability is caused due to a pointer arithmetic error within the "load()" function provided by the XPM loader. This can be exploited to cause a heap-based buffer overflow via a specially crafted XPM file. Successful exploitation may allow execution of arbitrary code.
-----

Fix: The following patch adds the patch from Debian developers. It is supposed to fix the issue.

The following VuXML entry should be validated and added:

<vuln vid="">
  <topic>imlib2 -- XPM processing buffer overflow vulnerability</topic>
  <affects>
    <package>
      <name>imlib2</name>
      <name>imlib2-nox11</name>
      <range><lt>1.4.1.000_1,2</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Secunia reports:</p>
      <blockquote cite="http://secunia.com/Advisories/32796">
        <p>A vulnerability has been discovered in imlib2, which can be exploited by malicious people to potentially compromise an application using the library.</p>
        <p>The vulnerability is caused due to a pointer arithmetic error within the "load()" function provided by the XPM loader. This can be exploited to cause a heap-based buffer overflow via a specially crafted XPM file.</p>
        <p>Successful exploitation may allow execution of arbitrary code.</p>
        <p>The vulnerability is confirmed in version 1.4.2. Other versions may also be affected.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2008-5187</cvename>
    <url>http://secunia.com/Advisories/32796</url>
    <url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505714#15</url>
    <url>http://bugzilla.enlightenment.org/show_bug.cgi?id=547</url>
  </references>
  <dates>
    <discovery>2008-11-20</discovery>
  </dates>
</vuln>
--- vuln.xml ends here ---

I see that the XPM loader is built and installed even for the nox11 version, so I am including it in the vulnerable port.
imlib-1.9.15 seem to be unaffected: it has the code in question, but it does memory manipulations properly.--7AR1l9Ydg8ndHIUGPsPulQ9JfDajIegRcghEzsn7acyVl0OB Content-Type: text/plain; name="fix-imlib2-1.4.1.000.diff" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="fix-imlib2-1.4.1.000.diff" diff -urN ./Makefile ../imlib2/Makefile --- ./Makefile 2008-11-20 20:30:31.000000000 +0300 +++ ../imlib2/Makefile 2008-11-21 08:28:40.000000000 +0300 @@ -7,7 +7,7 @@ PORTNAME= imlib2 PORTVERSION= 1.4.1.000 -PORTREVISION= 0 +PORTREVISION= 1 PORTEPOCH= 2 CATEGORIES= graphics MASTER_SITES= ftp://ftp.springdaemons.com/pub/snapshots/e17/ \ diff -urN ./files/patch-CVE-2008-5187 ../imlib2/files/patch-CVE-2008-5187 --- ./files/patch-CVE-2008-5187 1970-01-01 03:00:00.000000000 +0300 +++ ../imlib2/files/patch-CVE-2008-5187 2008-11-21 08:24:16.000000000 +0300 @@ -0,0 +1,14 @@ +Obtained from: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505714#15 + +--- src/modules/loaders/loader_xpm.c ++++ src/modules/loaders/loader_xpm.c +@@ -246,8 +246,8 @@ + return 0; + } + ptr = im->data; +- end = ptr + (sizeof(DATA32) * w * h); + pixels = w * h; ++ end = ptr + pixels; + } + else + { How-To-Repeat: http://secunia.com/Advisories/32796 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5187
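Review bot: The PORTREVISION bump in the Makefile hunk is what moves the fixed package out of the VuXML range `<lt>1.4.1.000_1,2</lt>`, so this hunk and the vuln.xml entry need to be committed together. Since the entry also names imlib2-nox11, check that that package picks up the same PORTREVISION and PORTEPOCH, otherwise it will stay flagged as vulnerable after the fix is installed.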
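Review bot: In the loader_xpm.c hunk carried inside files/patch-CVE-2008-5187, `pixels = w * h;` is still an unchecked multiplication and the visible context does not show w and h being bounded before it. If the `return 0;` branch just above does not already reject oversized dimensions, a wrapped product would make `end = ptr + pixels` disagree with the size of the allocation, so confirm that check exists or add one. It would also help to put a line or two in the patch header, next to `Obtained from:`, saying what was wrong: the removed line added a byte count (`sizeof(DATA32) * w * h`) to `ptr` where an element count was needed.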
Responsible Changed From-To: freebsd-ports-bugs->stas Over to maintainer (via the GNATS Auto Assign Tool)
stas 2008-11-24 17:47:53 UTC

FreeBSD ports repository

Modified files:
  security/vuxml vuln.xml
Log:
- Document a buffer overflow vulnerability in imlib2.

PR: ports/129037
Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>

Revision Changes Path
1.1764 +39 -1 ports/security/vuxml/vuln.xml

_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
stas 2008-11-24 17:50:04 UTC

FreeBSD ports repository

Modified files:
  graphics/imlib2 Makefile
Added files:
  graphics/imlib2/files patch-CVE-2008-5187
Log:
- Fix a buffer overflow vulnerability in imlib2.

PR: ports/129037
Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Security: http://www.vuxml.org/freebsd/910486d5-ba4d-11dd-8f23-0019666436c2.html

Revision Changes Path
1.129 +1 -1 ports/graphics/imlib2/Makefile
1.1 +14 -0 ports/graphics/imlib2/files/patch-CVE-2008-5187 (new)
State Changed From-To: open->closed Committed, with minor changes. Thanks!
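The pointer arithmetic error this PR fixes, worked through as an added example (not code from imlib2 or from the submitted patch). It assumes `DATA32` is a 32-bit type and that `ptr` is a `DATA32 *`; `checked_pixels` and `fill_count` are hypothetical helpers, and the dimension check goes beyond what the patch itself changes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint32_t DATA32; /* assumption: 32-bit pixel type */

/* Pre-patch bound as an element offset from ptr: sizeof(DATA32) * w * h is
 * a byte count, and arithmetic on a DATA32 * scales it by sizeof(DATA32)
 * again. Only the number is computed; no out-of-range pointer is formed. */
size_t end_offset_before(size_t w, size_t h) { return sizeof(DATA32) * w * h; }

/* Patched bound: end = ptr + pixels, exactly w * h elements. */
size_t end_offset_after(size_t w, size_t h) { return w * h; }

/* Hypothetical helper: reject zero sizes and any w * h whose byte size
 * would not fit in size_t. Returns 1 and stores the count on success. */
int checked_pixels(size_t w, size_t h, size_t *pixels)
{
    if (w == 0 || h == 0 || w > SIZE_MAX / sizeof(DATA32) / h)
        return 0;
    *pixels = w * h;
    return 1;
}

/* Hypothetical helper: allocate w * h pixels, fill them with a loop bounded
 * by the patched `end`, return how many were written (0 if rejected). */
size_t fill_count(size_t w, size_t h)
{
    size_t pixels, written;
    DATA32 *data, *ptr, *end;

    if (!checked_pixels(w, h, &pixels))
        return 0;
    if ((data = malloc(pixels * sizeof(DATA32))) == NULL)
        return 0;
    ptr = data;
    end = ptr + pixels;              /* element count, not byte count */
    while (ptr < end)
        *ptr++ = 0xff000000u;
    written = (size_t)(ptr - data);
    free(data);
    return written;
}

int main(void)
{
    printf("4x3: old end at +%zu elements, patched end at +%zu\n",
           end_offset_before(4, 3), end_offset_after(4, 3));
    return 0;
}
```

For a 4x3 image the buffer holds 12 elements, while the pre-patch expression places the bound 48 elements past `ptr`, so any loop that stops at `end` is allowed to run past the allocation.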