Explore top 10 tips to secure your open-source projects now. Read More
×
Arch Linux Security Advisory ASA-201605-1 ======================================== Severity: High Date : 2016-05-01 CVE-ID : CVE-2011-5326 CVE-2016-3993 CVE-2016-3994 CVE-2016-4024 Package : imlib2 Type : multiple issues Remote : Yes Link : https://wiki.archlinux.org/title/CVE Summary ====== The package imlib2 before version 1.4.9-1 is vulnerable to multiple issues that can lead to information leakage, application crash or arbitrary code execution. Resolution ========= Upgrade to 1.4.9-1. # pacman -Syu "imlib2>=1.4.9-1" The problems have been fixed upstream in version 1.4.9. Workaround ========= None. Description ========== - CVE-2011-5326 (denial of service) Kevin Ryde discovered that attempting to draw a 2x1 radi ellipse results in a floating point exception. - CVE-2016-3993 (information leakage) Yuriy M. Kaminskiy discovered that drawing using coordinates from an untrusted source could lead to an out-of-bound memory read, which in turn could result in an application crash. - CVE-2016-3994 (information Leakage) Jakub Wilk discovered that a malformed image could lead to an out-of-bound read in the GIF loader, which may result in an application crash or information leak. - CVE-2016-4024 (arbitrary code execution) Yuriy M. Kaminskiy discovered an integer overflow that could lead to an insufficient heap allocation and out-of-bound memory write. Impact ===== An attacker can leverage vulnerable library calls in imlib2 to crash an application, or read/write to the application's memory. This can lead to potential information leak or modification of the application's flow. References ========= https://www.cve.org/CVERecord?id=CVE-2011-5326 https://www.cve.org/CVERecord?id=CVE-2016-3993 https://www.cve.org/CVERecord?id=CVE-2016-3994 https://www.cve.org/CVERecord?id=CVE-2016-4021