Home > Security > Advisories


Mandriva Advisories

Package name xloadimage
Date September 12th, 2001
Advisory ID MDKSA-2001:073-1
Affected versions 7.1, 7.2, 8.0, CS1.0
Synopsis Updated xloadimage packages fix boundary check vulnerability

Problem Description

A buffer overflow exists in xli due to missing boundary checks. This
could be triggered by an external attacker to execute commands on the
victim's machine. An exploit is publically available. xli is an image
viewer that is used by Netscape's plugger to display TIFF, PNG, and
Sun-Raster images.


The xloadimage package uses the same code as xli and is likewise
vulnerable. An update is provided for xloadimage which was only
provided with Linux-Mandrake 7.2.

Updated Packages

Mandrakelinux 7.1

 994bc689c7ab60fac976816abfa71a8e  7.1/RPMS/xli-1.16-4.1mdk.i586.rpm
32eebf37c2562a088409a31b363555c4  7.1/SRPMS/xli-1.16-4.1mdk.src.rpm

Mandrakelinux 7.2

 2a4a20ba543f917b41ec8b92bda3107a  7.2/RPMS/xli-1.16-7.1mdk.i586.rpm
2f3464a4fcee7a3215de4a765e5fd328  7.2/RPMS/xloadimage-4.1-6.1mdk.i586.rpm
3cf0768d88055b81011b9d56224f3858  7.2/SRPMS/xli-1.16-7.1mdk.src.rpm
61c138ea07acbe91d5c466d70493bea2  7.2/SRPMS/xloadimage-4.1-6.1mdk.src.rpm

Mandrakelinux 8.0

 f1eff4c239eaebb0ff41f169de8ccd3e  8.0/RPMS/xli-1.17.0-1.1mdk.i586.rpm
b3aa5d5d8598e02c8bff9132dd312e06  8.0/SRPMS/xli-1.17.0-1.1mdk.src.rpm

Mandrakelinux 8.0/PPC

 ae86f1d74de0a0b6fa15b699530a1c6d  ppc/8.0/RPMS/xli-1.17.0-1.1mdk.ppc.rpm
4608ff87dc4de7b0686ceb3a0a67b8dc  ppc/8.0/SRPMS/xli-1.17.0-1.1mdk.src.rpm

Corporate Server 1.0.1

 994bc689c7ab60fac976816abfa71a8e  1.0.1/RPMS/xli-1.16-4.1mdk.i586.rpm
32eebf37c2562a088409a31b363555c4  1.0.1/SRPMS/xli-1.16-4.1mdk.src.rpm


To upgrade automatically, use MandrivaUpdate.


Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :

                rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.