Multiple stack-based buffer overflows in (1) xpmParseColors in parse.c, (2) ParseAndPutPixels in create.c, and (3) ParsePixels in parse.c for libXpm before 6.8.1 allow remote attackers to execute arbitrary code via a malformed XPM image file.

Red Hat Network Satellite Server version 4.2.3 is now available. This update includes fixes for a number of security issues in Red Hat Network Satellite Server components.

This update has been rated as having low security impact by the Red Hat Security Response Team.

This release corrects several security vulnerabilities in various components shipped as part of the Red Hat Network Satellite Server 4.2. In a typical operating environment, these components are not exposed to users of Satellite Server in a vulnerable manner. These security updates will reduce risk in unique Satellite Server environments.

Multiple flaws were fixed in the Apache HTTPD server. These flaws could result in a cross-site scripting, denial-of-service, or information disclosure attacks. (CVE-2004-0885, CVE-2006-5752, CVE-2006-7197, CVE-2007-1860, CVE-2007-3304, CVE-2007-4465, CVE-2007-5000, CVE-2007-6388)

A denial-of-service flaw was fixed in mod_perl. (CVE-2007-1349)

A denial-of-service flaw was fixed in the jabberd server.
(CVE-2006-1329)

Multiple cross-site scripting flaws were fixed in the image map feature in the JFreeChart package. (CVE-2007-6306)

Multiple flaws were fixed in the IBM Java 1.4.2 Runtime.
(CVE-2007-0243, CVE-2007-2435, CVE-2007-2788, CVE-2007-2789)

Multiple flaws were fixed in the OpenMotif package. (CVE-2004-0687, CVE-2004-0688, CVE-2004-0914, CVE-2005-3964, CVE-2005-0605)

A flaw which could result in weak encryption was fixed in the perl-Crypt-CBC package. (CVE-2006-0898)

Multiple flaws were fixed in the Tomcat package. (CVE-2008-0128, CVE-2007-5461, CVE-2007-3385, CVE-2007-3382, CVE-2007-1358, CVE-2007-1355, CVE-2007-2450, CVE-2007-2449, CVE-2007-0450, CVE-2006-7196, CVE-2006-7195, CVE-2006-3835, CVE-2006-0254, CVE-2005-2090, CVE-2005-4838, CVE-2005-3510)

Users of Red Hat Network Satellite Server 4.2 are advised to upgrade to 4.2.3, which resolves these issues.

This update fixes following security problems in OpenMotif :

  - Several stack overflows in the libXPM image handling     library contained within OpenMotif were fixed.
    (CVE-2004-0687)

  - Several integer overflow problems in the libXPM image     handling library contained within OpenMotif were fixed.
    (CVE-2004-0688)

s700_800 11.23 X/Motif Runtime Periodic Patch : 

Potential security vulnerabilities have been identified with Motif applications running on HP-UX. The potential vulnerabilities could be exploited to allow remote execution of arbitrary code or Denial for Service (DoS). References: CERT VU#537878, VU#882750.

s700_800 11.11 X/Motif Runtime Periodic Patch : 

Potential security vulnerabilities have been identified with Motif applications running on HP-UX. The potential vulnerabilities could be exploited to allow remote execution of arbitrary code or Denial for Service (DoS). References: CERT VU#537878, VU#882750.

s700_800 11.00 X/Motif 32bit Runtime Periodic Patch : 

Potential security vulnerabilities have been identified with Motif applications running on HP-UX. The potential vulnerabilities could be exploited to allow remote execution of arbitrary code or Denial for Service (DoS). References: CERT VU#537878, VU#882750.

Chris Evans discovered several stack overflows in the versions of libXpm shipped by X.Org, XFree86, and LessTif. These overflows were fixed in the Warty development tree before its release. Mathieu Herrb of OpenBSD subsequently discovered that the original patch was insufficient to address these overflows, and thus the version of libxpm4 shipped with Warty is still vulnerable to the original overflows.

These overflows do not allow privilege escalation through the X server; the overflows are in a client-side library, allowing arbitrary code execution with the privileges of the user viewing a malicious pixmap.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Chris Evans discovered several vulnerabilities in the libXpm image decoder :

- A stack-based buffer overflow in xpmParseColors

- An integer overflow in xpmParseColors

- A stack-based buffer overflow in ParsePixels and ParseAndPutPixels

The X11R6.8.1 release announcement reads :

This version is purely a security release, addressing multiple integer and stack overflows in libXpm, the X Pixmap library; all known versions of X (both XFree86 and X.Org) are affected, so all users of X are strongly encouraged to upgrade.

Trevor Johnson reported that the Red Hat Linux RPMs used by linux_base contained multiple older vulnerabilities, such as a DNS resolver issue and critical bugs in X font handling and XPM image handling.

The remote host is missing Security Update 2005-005. This security
update contains security fixes for the following application :

- Apache
- AppKit
- AppleScript
- Bluetooth
- Directory Services
- Finder
- Foundation
- HelpViewer
- LDAP
- libXpm
- lukemftpd
- NetInfo
- ServerAdmin
- sudo
- Terminal
- VPN 

The remote host is missing Security Update 2005-005. This security update contains fixes for the following applications :

  - Apache
  - AppKit
  - AppleScript
  - Bluetooth
  - Directory Services
  - Finder
  - Foundation
  - HelpViewer
  - LDAP
  - libXpm
  - lukemftpd
  - NetInfo
  - ServerAdmin
  - sudo
  - Terminal
  - VPN

These programs have multiple vulnerabilities that could allow a remote attacker to execute arbitrary code.

The remote host is affected by the vulnerability described in GLSA-200502-07 (OpenMotif: Multiple vulnerabilities in libXpm)

    Multiple vulnerabilities, such as buffer overflows, out of bounds     memory access or directory traversals, have been discovered in libXpm     that is shipped as a part of the X Window System (see GLSA 200409-34     and 200411-28). OpenMotif, an application that includes this library,     suffers from the same issues.
  Impact :

    A carefully-crafted XPM file could crash applications making use of the     OpenMotif toolkit, potentially allowing the execution of arbitrary code     with the privileges of the user running the application.
  Workaround :

    There is no known workaround at this time.

An updated lesstif package that fixes flaws in the Xpm library is now available for Red Hat Enterprise Linux 2.1.

LessTif provides libraries which implement the Motif industry standard graphical user interface.

During a source code audit, Chris Evans discovered several stack overflow flaws and an integer overflow flaw in the libXpm library used to decode XPM (X PixMap) images. A vulnerable version of this library was found within Lesstif. An attacker could create a carefully crafted XPM file which would cause an application to crash or potentially execute arbitrary code if opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0687,CVE-2004-0688, and CVE-2004-0914 to these issues.

Users of LessTif are advised to upgrade to this erratum package, which contains backported security patches to the embedded libXpm library.

Updated openmotif packages that fix flaws in the Xpm image library are now available.

OpenMotif provides libraries which implement the Motif industry standard graphical user interface.

During a source code audit, Chris Evans and others discovered several stack overflow flaws and an integer overflow flaw in the libXpm library used to decode XPM (X PixMap) images. A vulnerable version of this library was found within OpenMotif. An attacker could create a carefully crafted XPM file which would cause an application to crash or potentially execute arbitrary code if opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0687, CVE-2004-0688, and CVE-2004-0914 to these issues.

Users of OpenMotif are advised to upgrade to these erratum packages, which contain backported security patches to the embedded libXpm library.

Chris Evans discovered several stack and integer overflows in the libXpm library which is provided by X.Org, XFree86 and LessTif.

Chris Evans discovered several stack and integer overflows in the libXpm library which is included in LessTif.

Chris Evans found several stack and integer overflows in the libXpm code of X.Org/XFree86 :

Stack overflows (CVE-2004-0687) :

Careless use of strcat() in both the XPMv1 and XPMv2/3 xpmParseColors code leads to a stack based overflow (parse.c).

Stack overflow reading pixel values in ParseAndPutPixels (create.c) as well as ParsePixels (parse.c).

Integer Overflows (CVE-2004-0688) :

Integer overflow allocating colorTable in xpmParseColors (parse.c) - probably a crashable but not exploitable offence.

Additionally, the xorg-x11 packages have been patched with a backport from cvs to resolve a failure running the lsb-test-vsw4 test suite, which will soon be required for LSB2.0 compliance.

The updated packages have patches from Chris Evans and Matthieu Herrb to address these vulnerabilities.

The remote host is affected by the vulnerability described in GLSA-200410-09 (LessTif: Integer and stack overflows in libXpm)

    Chris Evans has discovered various integer and stack overflows in libXpm,     which is shipped as a part of the X Window System. LessTif, an application     that includes this library, is susceptible to the same issues.
  Impact :

    A carefully-crafted XPM file could crash applications that are linked     against libXpm, such as LessTif, potentially allowing the execution of     arbitrary code with the privileges of the user running the application.
  Workaround :

    There is no known workaround at this time.

Updated XFree86 packages that fix several security issues in libXpm, as well as other bug fixes, are now available for Red Hat Enterprise Linux 2.1.

XFree86 is an open source implementation of the X Window System. It provides the basic low level functionality which full fledged graphical user interfaces (GUIs) such as GNOME and KDE are designed upon.

During a source code audit, Chris Evans discovered several stack overflow flaws and an integer overflow flaw in the X.Org libXpm library used to decode XPM (X PixMap) images. An attacker could create a carefully crafted XPM file which would cause an application to crash or potentially execute arbitrary code if opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0687, CVE-2004-0688, and CVE-2004-0692 to these issues.

These packages also contain a bug fix to lower the RGB output voltage on Dell servers using the ATI Radeon 7000m card.

Users are advised to upgrade to these erratum packages which contain backported patches to correct these issues.

Updated XFree86 packages that fix several security flaws in libXpm, as well as other bugs, are now available for Red Hat Enterprise Linux 3.

XFree86 is an open source implementation of the X Window System. It provides the basic low level functionality which full fledged graphical user interfaces (GUIs) such as GNOME and KDE are designed upon.

During a source code audit, Chris Evans discovered several stack overflow flaws and an integer overflow flaw in the X.Org libXpm library used to decode XPM (X PixMap) images. An attacker could create a carefully crafted XPM file which would cause an application to crash or potentially execute arbitrary code if opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0687, CVE-2004-0688, and CVE-2004-0692 to these issues.

A flaw was found in the X Display Manager (XDM). XDM is shipped with Red Hat Enterprise Linux, but is not used by default. XDM opened a chooserFd TCP socket even if the DisplayManager.requestPort parameter was set to 0. This allowed authorized users to access a machine remotely via X, even if the administrator had configured XDM to refuse such connections. Although XFree86 4.3.0 was not vulnerable to this issue, Red Hat Enterprise Linux 3 contained a backported patch which introduced this flaw. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0419 to this issue.

Users are advised to upgrade to these erratum packages, which contain backported security patches to correct these and a number of other issues.

The remote host is affected by the vulnerability described in GLSA-200409-34 (X.org, XFree86: Integer and stack overflows in libXpm)

    Chris Evans has discovered multiple integer and stack overflow     vulnerabilities in the X Pixmap library, libXpm, which is a part of the     X Window System. These overflows can be exploited by the execution of a     malicious XPM file, which can crash applications that are dependent on     libXpm.
  Impact :

    A carefully-crafted XPM file could crash applications that are linked     against libXpm, potentially allowing the execution of arbitrary code     with the privileges of the user running the application.
  Workaround :

    There is no known workaround at this time.

The remote host is missing the patch for the advisory SUSE-SA:2004:034 (XFree86-libs, xshared).


Chris Evans reported three vulnerabilities in libXpm which can be exploited remotely by providing malformed XPM image files.
The function xpmParseColors() is vulnerable to an integer overflow and a stack-based buffer overflow. The functions ParseAndPutPixels() as well as ParsePixels() is vulnerable to a stack-based buffer overflow too.
Additionally Matthieu Herrb found two one-byte buffer overflows.

Chris Evans found several stack and integer overflows in the libXpm code of X.Org/XFree86 :

Stack overflows (CVE-2004-0687) :

Careless use of strcat() in both the XPMv1 and XPMv2/3 xpmParseColors code leads to a stack based overflow (parse.c).

Stack overflow reading pixel values in ParseAndPutPixels (create.c) as well as ParsePixels (parse.c).

Integer Overflows (CVE-2004-0688) :

Integer overflow allocating colorTable in xpmParseColors (parse.c) - probably a crashable but not exploitable offence.

The updated packages have patches from Chris Evans and Matthieu Herrb to address these vulnerabilities.

Chris Evans found several stack and integer overflows in the libXpm code of X.Org/XFree86 (from which the libxpm code is derived) :

Stack overflows (CVE-2004-0687) :

Careless use of strcat() in both the XPMv1 and XPMv2/3 xpmParseColors code leads to a stack based overflow (parse.c).

Stack overflow reading pixel values in ParseAndPutPixels (create.c) as well as ParsePixels (parse.c).

Integer Overflows (CVE-2004-0688) :

Integer overflow allocating colorTable in xpmParseColors (parse.c) - probably a crashable but not exploitable offence.

The updated packages have patches from Chris Evans and Matthieu Herrb to address these vulnerabilities.

ID	Name	Product	Family	Severity
43837	RHEL 3 / 4 : Satellite Server (RHSA-2008:0524)	Nessus	Red Hat Local Security Checks	critical
41332	SuSE9 Security Update : openmotif (YOU Patch Number 9399)	Nessus	SuSE Local Security Checks	high
21658	HP-UX PHSS_33132 : HP-UX Running Motif Applications Remote Arbitrary Code Execution, Denial of Service (DoS) (HPSBUX02119 SSRT4848 rev.1)	Nessus	HP-UX Local Security Checks	high
21657	HP-UX PHSS_33130 : HP-UX Running Motif Applications Remote Arbitrary Code Execution, Denial of Service (DoS) (HPSBUX02119 SSRT4848 rev.1)	Nessus	HP-UX Local Security Checks	high
21656	HP-UX PHSS_33129 : HP-UX Running Motif Applications Remote Arbitrary Code Execution, Denial of Service (DoS) (HPSBUX02119 SSRT4848 rev.1)	Nessus	HP-UX Local Security Checks	high
20642	Ubuntu 4.10 : libxpm4 vulnerability (USN-27-1)	Nessus	Ubuntu Local Security Checks	high
19161	FreeBSD : xpm -- image decoding vulnerabilities (ef253f8b-0727-11d9-b45d-000c41e2cdad)	Nessus	FreeBSD Local Security Checks	high
19106	FreeBSD : linux_base -- vulnerabilities in Red Hat 7.1 libraries (bf2e7483-d3fa-440d-8c6e-8f1f2f018818)	Nessus	FreeBSD Local Security Checks	critical
2878	Mac OS X Multiple Vulnerabilities (Security Update 2005-005)	Nessus Network Monitor	Web Clients	high
18189	Mac OS X Multiple Vulnerabilities (Security Update 2005-005)	Nessus	MacOS X Local Security Checks	high
16444	GLSA-200502-07 : OpenMotif: Multiple vulnerabilities in libXpm	Nessus	Gentoo Local Security Checks	critical
16144	RHEL 2.1 : lesstif (RHSA-2005:004)	Nessus	Red Hat Local Security Checks	critical
15943	RHEL 2.1 / 3 : openmotif (RHSA-2004:537)	Nessus	Red Hat Local Security Checks	critical
15659	Debian DSA-561-1 : xfree86 - integer and stack overflows	Nessus	Debian Local Security Checks	high
15658	Debian DSA-560-1 : lesstif1-1 - integer and stack overflows	Nessus	Debian Local Security Checks	high
15635	Mandrake Linux Security Advisory : xorg-x11 (MDKSA-2004:124)	Nessus	Mandriva Local Security Checks	high
15447	GLSA-200410-09 : LessTif: Integer and stack overflows in libXpm	Nessus	Gentoo Local Security Checks	high
15440	RHEL 2.1 : XFree86 (RHSA-2004:479)	Nessus	Red Hat Local Security Checks	high
15426	RHEL 3 : XFree86 (RHSA-2004:478)	Nessus	Red Hat Local Security Checks	high
14821	GLSA-200409-34 : X.org, XFree86: Integer and stack overflows in libXpm	Nessus	Gentoo Local Security Checks	high
14775	SUSE-SA:2004:034: XFree86-libs, xshared	Nessus	SuSE Local Security Checks	high
14755	Mandrake Linux Security Advisory : XFree86 (MDKSA-2004:099)	Nessus	Mandriva Local Security Checks	high
14754	Mandrake Linux Security Advisory : libxpm4 (MDKSA-2004:098)	Nessus	Mandriva Local Security Checks	high

Detections

Analytics

CVE-2004-0687

critical

Tenable Plugins

critical

high

high

high

high

high

high

critical

high

high

critical

critical

critical

high

high

high

high

high

high

high

high

high

high