Mandrake Linux Security Advisory : libxpm4 (MDKSA-2004:137-1)

Critical Nessus Plugin ID 15793


The remote Mandrake Linux host is missing one or more security updates.


The XPM library which is part of the XFree86/XOrg project is used by several GUI applications to process XPM image files.

A source code review of the XPM library, done by Thomas Biege of the SuSE Security-Team revealed several different kinds of bugs. These bugs include integer overflows, out-of-bounds memory access, shell command execution, path traversal, and endless loops.

These bugs can be exploited by remote and/or local attackers to gain access to the system or to escalate their local privileges, by using a specially crafted xpm image.

Update :

The previous libxpm4 update had a linking error that resulted in a missing s_popen symbol error running applications dependent on the library. In addition, the file path checking in the security updates prevented some applications, like gimp-2.0 from being able to save xpm format images.

Updated packages are patched to correct all these issues.


Update the affected packages.

Plugin Details

Severity: Critical

ID: 15793

File Name: mandrake_MDKSA-2004-137.nasl

Version: $Revision: 1.16 $

Type: local

Published: 2004/11/23

Modified: 2014/06/27

Dependencies: 12634

Risk Information

Risk Factor: Critical


Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:lib64xpm4, p-cpe:/a:mandriva:linux:lib64xpm4-devel, p-cpe:/a:mandriva:linux:libxpm4, p-cpe:/a:mandriva:linux:libxpm4-devel, cpe:/o:mandrakesoft:mandrake_linux:10.0, cpe:/o:mandrakesoft:mandrake_linux:10.1, cpe:/o:mandrakesoft:mandrake_linux:9.2

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Patch Publication Date: 2004/11/29

Reference Information

CVE: CVE-2004-0914

MDKSA: 2004:137-1