Off-by-one error in the __imlib_MergeUpdate function in lib/updates.c in imlib2 before 1.4.9 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via crafted coordinates.

The remote Ubuntu 14.04 LTS / 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-3075-1 advisory.

    Jakub Wilk discovered an out of bounds read in the GIF loader implementation in Imlib2. An attacker could     use this to cause a denial of service (application crash) or possibly obtain sensitive information.
    (CVE-2016-3994)

    Yuriy M. Kaminskiy discovered an off-by-one error when handling coordinates in Imlib2. An attacker could     use this to cause a denial of service (application crash). (CVE-2016-3993)

    Yuriy M. Kaminskiy discovered that integer overflows existed in Imlib2 when handling images with large     dimensions. An attacker could use this to cause a denial of service (memory exhaustion or application     crash). (CVE-2014-9771, CVE-2016-4024)

    Kevin Ryde discovered that the ellipse drawing code in Imlib2 would attempt to divide by zero when drawing     a 2x1 ellipse. An attacker could use this to cause a denial of service (application crash).
    (CVE-2011-5326)

    It was discovered that Imlib2 did not properly handled GIF images without colormaps. An attacker could use     this to cause a denial of service (application crash). This issue only affected Ubuntu 12.04 LTS and     Ubuntu 14.04 LTS. (CVE-2014-9762)

    It was discovered that Imlib2 did not properly handle some PNM images, leading to a division by zero. An     attacker could use this to cause a denial of service (application crash). This issue only affected Ubuntu     12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-9763)

    It was discovered that Imlib2 did not properly handle error conditions when loading some GIF images. An     attacker could use this to cause a denial of service (application crash). This issue only affected Ubuntu     12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-9764)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

A new upstream update fixing several vulnerabilities. See the bug list for more information.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A new upstream update fixing several vulnerabilities. See the bug list for more information.

----

Rebase to the new upstream bugfix-only version. Add security fixes for the referenced bugs.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This imlib2 update to version 1.4.9 fixes the following issues :

Security issues fixed :

  - CVE-2011-5326: divide by 0 when drawing an ellipse of     height 1 (boo#974202)

  - CVE-2014-9762: segmentation fault on images without     colormap (boo#963796)

  - CVE-2014-9764: segmentation fault when opening     specifically crafted input (boo#963797)

  - CVE-2014-9763: division-by-zero crashes when opening     images (boo#963800)

  - CVE-2014-9771: exploitable integer overflow in
    _imlib_SaveImage (boo#974854)

  - CVE-2016-3994: imlib2/evas Potential DOS in giflib     loader (boo#973759)

  - CVE-2016-3993: off by 1 Potential DOS (boo#973761)

  - CVE-2016-4024: integer overflow resulting in     insufficient heap allocation (boo#975703)

Several vulnerabilities were discovered in imlib2, an image manipulation library.

  - CVE-2011-5326     Kevin Ryde discovered that attempting to draw a 2x1 radi     ellipse results in a floating point exception.

  - CVE-2014-9771     It was discovered that an integer overflow could lead to     invalid memory reads and unreasonably large memory     allocations.

  - CVE-2016-3993     Yuriy M. Kaminskiy discovered that drawing using     coordinates from an untrusted source could lead to an     out-of-bound memory read, which in turn could result in     an application crash.

  - CVE-2016-3994     Jakub Wilk discovered that a malformed image could lead     to an out-of-bound read in the GIF loader, which may     result in an application crash or information leak.

  - CVE-2016-4024     Yuriy M. Kaminskiy discovered an integer overflow that     could lead to an insufficient heap allocation and     out-of-bound memory write.

ID	Name	Product	Family	Severity
93399	Ubuntu 14.04 LTS / 16.04 LTS : Imlib2 vulnerabilities (USN-3075-1)	Nessus	Ubuntu Local Security Checks	critical
92218	Fedora 23 : imlib2 (2016-ff070e8faa)	Nessus	Fedora Local Security Checks	critical
92147	Fedora 22 : imlib2 (2016-b4212484d5)	Nessus	Fedora Local Security Checks	critical
92141	Fedora 24 : imlib2 (2016-ad6005ba92)	Nessus	Fedora Local Security Checks	critical
91270	openSUSE Security Update : imlib2 (openSUSE-2016-600)	Nessus	SuSE Local Security Checks	critical
90687	Debian DSA-3555-1 : imlib2 - security update	Nessus	Debian Local Security Checks	critical

Detections

Analytics

CVE-2016-3993

high

Tenable Plugins

critical

critical

critical

critical

critical

critical