Stack-based buffer overflow in converter/ppm/xpmtoppm.c in netpbm before 10.47.07 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an XPM image file that contains a crafted header field associated with a large color index value.

The remote host is affected by the vulnerability described in GLSA-201311-08 (Netpbm: User-assisted arbitrary code execution)

    A stack-based buffer overflow exists in converter/ppm/xpmtoppm.c in       Netpbm.
  Impact :

    A remote attacker could entice a user to open a specially crafted XMP       file using Netpbm, possibly resulting in  execution of arbitrary code       with the privileges of the process, or a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

From Red Hat Security Advisory 2011:1811 :

Updated netpbm packages that fix three security issues are now available for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The netpbm packages contain a library of functions which support programs for handling various graphics file formats, including .pbm (Portable Bit Map), .pgm (Portable Gray Map), .pnm (Portable Any Map), .ppm (Portable Pixel Map), and others.

Two heap-based buffer overflow flaws were found in the embedded JasPer library, which is used to provide support for Part 1 of the JPEG 2000 image compression standard in the jpeg2ktopam and pamtojpeg2k tools.
An attacker could create a malicious JPEG 2000 compressed image file that could cause jpeg2ktopam to crash or, potentially, execute arbitrary code with the privileges of the user running jpeg2ktopam.
These flaws do not affect pamtojpeg2k. (CVE-2011-4516, CVE-2011-4517)

A stack-based buffer overflow flaw was found in the way the xpmtoppm tool processed X PixMap (XPM) image files. An attacker could create a malicious XPM file that would cause xpmtoppm to crash or, potentially, execute arbitrary code with the privileges of the user running xpmtoppm. (CVE-2009-4274)

Red Hat would like to thank Jonathan Foote of the CERT Coordination Center for reporting the CVE-2011-4516 and CVE-2011-4517 issues.

All users of netpbm are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

The netpbm packages contain a library of functions which support programs for handling various graphics file formats, including .pbm (Portable Bit Map), .pgm (Portable Gray Map), .pnm (Portable Any Map), .ppm (Portable Pixel Map), and others.

Two heap-based buffer overflow flaws were found in the embedded JasPer library, which is used to provide support for Part 1 of the JPEG 2000 image compression standard in the jpeg2ktopam and pamtojpeg2k tools.
An attacker could create a malicious JPEG 2000 compressed image file that could cause jpeg2ktopam to crash or, potentially, execute arbitrary code with the privileges of the user running jpeg2ktopam.
These flaws do not affect pamtojpeg2k. (CVE-2011-4516, CVE-2011-4517)

A stack-based buffer overflow flaw was found in the way the xpmtoppm tool processed X PixMap (XPM) image files. An attacker could create a malicious XPM file that would cause xpmtoppm to crash or, potentially, execute arbitrary code with the privileges of the user running xpmtoppm. (CVE-2009-4274)

All users of netpbm are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

Updated netpbm packages that fix three security issues are now available for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The netpbm packages contain a library of functions which support programs for handling various graphics file formats, including .pbm (Portable Bit Map), .pgm (Portable Gray Map), .pnm (Portable Any Map), .ppm (Portable Pixel Map), and others.

Two heap-based buffer overflow flaws were found in the embedded JasPer library, which is used to provide support for Part 1 of the JPEG 2000 image compression standard in the jpeg2ktopam and pamtojpeg2k tools.
An attacker could create a malicious JPEG 2000 compressed image file that could cause jpeg2ktopam to crash or, potentially, execute arbitrary code with the privileges of the user running jpeg2ktopam.
These flaws do not affect pamtojpeg2k. (CVE-2011-4516, CVE-2011-4517)

A stack-based buffer overflow flaw was found in the way the xpmtoppm tool processed X PixMap (XPM) image files. An attacker could create a malicious XPM file that would cause xpmtoppm to crash or, potentially, execute arbitrary code with the privileges of the user running xpmtoppm. (CVE-2009-4274)

Red Hat would like to thank Jonathan Foote of the CERT Coordination Center for reporting the CVE-2011-4516 and CVE-2011-4517 issues.

All users of netpbm are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

This update of netpbm fxes a stack-based buffer overflow that could be triggered while processing the contents of XPM headers in image files.
(CVE-2009-4274: CVSS v2 Base Score: 5.8 (moderate) (AV:N/AC:M/Au:N/C:N/I:P/A:P): Buffer Errors (CWE-119))

Marc Schoenefeld discovered a buffer overflow in Netpbm when loading certain images. If a user or automated system were tricked into opening a specially crafted XPM image, a remote attacker could crash Netpbm. The default compiler options for affected releases should reduce the vulnerability to a denial of service.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Marc Schoenefeld discovered a stack-based buffer overflow in the XPM reader implementation in netpbm-free, a suite of image manipulation utilities. An attacker could cause a denial of service (application crash) or possibly execute arbitrary code via an XPM image file that contains a crafted header field associated with a large color index value.

A vulnerability have been discovered and corrected in netpbm :

Stack-based buffer overflow in converter/ppm/xpmtoppm.c in netpbm before 10.47.07 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an XPM image file that contains a crafted header field associated with a large color index value (CVE-2009-4274).

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.

The updated packages have been patched to correct this issue.

ID	Name	Product	Family	Severity
70868	GLSA-201311-08 : Netpbm: User-assisted arbitrary code execution	Nessus	Gentoo Local Security Checks	high
68404	Oracle Linux 4 / 5 : netpbm (ELSA-2011-1811)	Nessus	Oracle Linux Local Security Checks	high
61204	Scientific Linux Security Update : netpbm on SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
57140	CentOS 4 / 5 : netpbm (CESA-2011:1811)	Nessus	CentOS Local Security Checks	high
57081	RHEL 4 / 5 : netpbm (RHSA-2011:1811)	Nessus	Red Hat Local Security Checks	high
49880	SuSE 10 Security Update : netpbm (ZYPP Patch Number 6852)	Nessus	SuSE Local Security Checks	high
46192	Ubuntu 8.04 LTS / 9.04 / 9.10 : netpbm-free vulnerability (USN-934-1)	Nessus	Ubuntu Local Security Checks	high
45407	Debian DSA-2026-1 : netpbm-free - stack-based buffer overflow	Nessus	Debian Local Security Checks	high
45003	SuSE 10 Security Update : netpbm (ZYPP Patch Number 6851)	Nessus	SuSE Local Security Checks	high
45002	SuSE 11 Security Update : libnetpbm (SAT Patch Number 1999)	Nessus	SuSE Local Security Checks	high
45001	openSUSE Security Update : libnetpbm-devel (libnetpbm-devel-2011)	Nessus	SuSE Local Security Checks	high
45000	openSUSE Security Update : libnetpbm-devel (libnetpbm-devel-2011)	Nessus	SuSE Local Security Checks	high
44999	openSUSE Security Update : libnetpbm-devel (libnetpbm-devel-2011)	Nessus	SuSE Local Security Checks	high
44998	SuSE9 Security Update : netpbm (YOU Patch Number 12588)	Nessus	SuSE Local Security Checks	high
44650	Mandriva Linux Security Advisory : netpbm (MDVSA-2010:039)	Nessus	Mandriva Local Security Checks	high

Detections

Analytics

CVE-2009-4274

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high