Alerts This Week
Warning Icon 1 525
Alerts This Week
Warning Icon 1 525

Arch Linux: 201605-1 High Severity Advisory For Imlib2 Security Issues

Calendar May 04, 2016 User Avatar LinuxSecurity Advisories
1 - 2 min read
Archlinux Large Esm H500
Topics%20covered

Topics Covered

security advisory high severity information leak application crash imlib2
The package imlib2 before version 1.4.9-1 is vulnerable to multiple issues that can lead to information leakage, application crash or arbitrary code execution. 
Arch Linux Security Advisory ASA-201605-1
========================================
Severity: High
Date    : 2016-05-01
CVE-ID  : CVE-2011-5326 CVE-2016-3993 CVE-2016-3994 CVE-2016-4024
Package : imlib2
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package imlib2 before version 1.4.9-1 is vulnerable to multiple
issues that can lead to information leakage, application crash or
arbitrary code execution.

Resolution
=========
Upgrade to 1.4.9-1.

# pacman -Syu "imlib2>=1.4.9-1"

The problems have been fixed upstream in version 1.4.9.

Workaround
=========
None.

Description
==========
- CVE-2011-5326 (denial of service)

Kevin Ryde discovered that attempting to draw a 2x1 radi ellipse results
in a floating point exception.

- CVE-2016-3993 (information leakage)

Yuriy M. Kaminskiy discovered that drawing using coordinates from an
untrusted source could lead to an out-of-bound memory read, which in
turn could result in an application crash.

- CVE-2016-3994 (information Leakage)

Jakub Wilk discovered that a malformed image could lead to an
out-of-bound read in the GIF loader, which may result in an application
crash or information leak.

- CVE-2016-4024 (arbitrary code execution)

Yuriy M. Kaminskiy discovered an integer overflow that could lead to an
insufficient heap allocation and out-of-bound memory write.

Impact
=====
An attacker can leverage vulnerable library calls in imlib2 to crash an
application, or read/write to the application's memory. This can lead to
potential information leak or modification of the application's flow.

References
=========
https://www.cve.org/CVERecord?id=CVE-2011-5326
https://www.cve.org/CVERecord?id=CVE-2016-3993
https://www.cve.org/CVERecord?id=CVE-2016-3994
https://www.cve.org/CVERecord?id=CVE-2016-4021

Related News

Your message here