Advisories

Mandriva Advisories

Package name	libxpm4
Date	September 15th, 2004
Advisory ID	MDKSA-2004:098
Affected versions	9.2, 10.0, CS2.1
Synopsis	Updated libxpm4 packages fix libXpm overflow vulnerabilities

Problem Description

Chris Evans found several stack and integer overflows in the libXpm code
of X.Org/XFree86 (from which the libxpm code is derived):

Stack overflows (CAN-2004-0687):

Careless use of strcat() in both the XPMv1 and XPMv2/3 xpmParseColors code
leads to a stack based overflow (parse.c).

Stack overflow reading pixel values in ParseAndPutPixels (create.c) as
well as ParsePixels (parse.c).

Integer Overflows (CAN-2004-0688):

Integer overflow allocating colorTable in xpmParseColors (parse.c) -
probably a crashable but not exploitable offence.

The updated packages have patches from Chris Evans and Matthieu Herrb
to address these vulnerabilities.

Updated Packages

Mandrakelinux 9.2

 8d9a613ad0d381e0da4ea8b455dc81ef  9.2/RPMS/libxpm4-3.4k-27.1.92mdk.i586.rpm
f279c6c59dec9a85bc6d209931b2d9b1  9.2/RPMS/libxpm4-devel-3.4k-27.1.92mdk.i586.rpm
ae0fa1a38affc7cdbef9505db0bb8e79  9.2/SRPMS/xpm-3.4k-27.1.92mdk.src.rpm

Mandrakelinux 9.2/AMD64

 5f074ee2a98ebefedd94ce12c481469d  amd64/9.2/RPMS/lib64xpm4-3.4k-27.1.92mdk.amd64.rpm
dab19b1fdec00205b18a3d0db64ae7ea  amd64/9.2/RPMS/lib64xpm4-devel-3.4k-27.1.92mdk.amd64.rpm
ae0fa1a38affc7cdbef9505db0bb8e79  amd64/9.2/SRPMS/xpm-3.4k-27.1.92mdk.src.rpm

Mandrakelinux 10.0

 b04f06bcbb1d68a0bb5a27a3409ab695  10.0/RPMS/libxpm4-3.4k-27.1.100mdk.i586.rpm
674d40df87b997be5be5b63088cc25f1  10.0/RPMS/libxpm4-devel-3.4k-27.1.100mdk.i586.rpm
6f384448d85afd56100e68608d307536  10.0/SRPMS/xpm-3.4k-27.1.100mdk.src.rpm

Mandrakelinux 10.0/AMD64

 6f384448d85afd56100e68608d307536  amd64/10.0/SRPMS/xpm-3.4k-27.1.100mdk.src.rpm
6fed4973b8a0f06a78176b35069d39d3  amd64/10.0/RPMS/lib64xpm4-3.4k-27.1.100mdk.amd64.rpm
72b965c6dbf0d3cdc437405c18c8d658  amd64/10.0/RPMS/lib64xpm4-devel-3.4k-27.1.100mdk.amd64.rpm

Corporate Server 2.1

 09d95b236c8bbe18e64a521c91edecea  corporate/2.1/RPMS/libxpm4-3.4k-21.1.C21mdk.i586.rpm
f95679273cc924ceb8343f5abb637bbf  corporate/2.1/RPMS/libxpm4-devel-3.4k-21.1.C21mdk.i586.rpm
93b631321701b3309cf47ca62f92b2b2  corporate/2.1/SRPMS/xpm-3.4k-21.1.C21mdk.src.rpm

Corporate Server 2.1/X86_64

 a98d3ac4aca9d273aec7d0df7affd389  x86_64/corporate/2.1/RPMS/libxpm4-3.4k-21.1.C21mdk.x86_64.rpm
d6aa250f8bb892ccc48e914085e8472f  x86_64/corporate/2.1/RPMS/libxpm4-devel-3.4k-21.1.C21mdk.x86_64.rpm
93b631321701b3309cf47ca62f92b2b2  x86_64/corporate/2.1/SRPMS/xpm-3.4k-21.1.C21mdk.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0687
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0688

Upgrade

To upgrade automatically, use MandrivaUpdate.

Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :

                rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.

URL:

https://mandriva.com/security/advisories

Short link:

https://mandriva.com/content/view/full/1075

Intersites Menu

Mandriva

Tools

Top menu

Advisories

Footer