Vulnerabilities > CVE-2004-0688 - Remote Buffer Overflow vulnerability in libXpm Image Decoding

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
x-org
xfree86-project
openbsd
suse
nessus
NVD
Published: 2004-10-20
Updated: 2018-10-19

Summary

Multiple integer overflows in (1) the xpmParseColors function in parse.c, (2) XpmCreateImageFromXpmImage, (3) CreateXImage, (4) ParsePixels, and (5) ParseAndPutPixels for libXpm before 6.8.1 may allow remote attackers to execute arbitrary code via a malformed XPM image file.

Vulnerable Configurations

Part Description Count
Application
X.Org
2
Application
Xfree86_Project
12
OS
Openbsd
2
OS
Suse
7

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2004-098.NASL
    descriptionChris Evans found several stack and integer overflows in the libXpm code of X.Org/XFree86 (from which the libxpm code is derived) : Stack overflows (CVE-2004-0687) : Careless use of strcat() in both the XPMv1 and XPMv2/3 xpmParseColors code leads to a stack based overflow (parse.c). Stack overflow reading pixel values in ParseAndPutPixels (create.c) as well as ParsePixels (parse.c). Integer Overflows (CVE-2004-0688) : Integer overflow allocating colorTable in xpmParseColors (parse.c) - probably a crashable but not exploitable offence. The updated packages have patches from Chris Evans and Matthieu Herrb to address these vulnerabilities.
    last seen2020-06-01
    modified2020-06-02
    plugin id14754
    published2004-09-16
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14754
    titleMandrake Linux Security Advisory : libxpm4 (MDKSA-2004:098)
    code
    #%NASL_MIN_LEVEL 80502

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Mandrake Linux Security Advisory MDKSA-2004:098. 
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(14754);
  script_version ("1.20");
  script_cvs_date("Date: 2019/08/02 13:32:47");

  script_cve_id("CVE-2004-0687", "CVE-2004-0688");
  script_xref(name:"MDKSA", value:"2004:098");

  script_name(english:"Mandrake Linux Security Advisory : libxpm4 (MDKSA-2004:098)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Mandrake Linux host is missing one or more security
updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Chris Evans found several stack and integer overflows in the libXpm
code of X.Org/XFree86 (from which the libxpm code is derived) :

Stack overflows (CVE-2004-0687) :

Careless use of strcat() in both the XPMv1 and XPMv2/3 xpmParseColors
code leads to a stack based overflow (parse.c).

Stack overflow reading pixel values in ParseAndPutPixels (create.c) as
well as ParsePixels (parse.c).

Integer Overflows (CVE-2004-0688) :

Integer overflow allocating colorTable in xpmParseColors (parse.c) -
probably a crashable but not exploitable offence.

The updated packages have patches from Chris Evans and Matthieu Herrb
to address these vulnerabilities."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64xpm4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64xpm4-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libxpm4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libxpm4-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.2");

  script_set_attribute(attribute:"patch_publication_date", value:"2004/09/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/16");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);


flag = 0;
if (rpm_check(release:"MDK10.0", cpu:"amd64", reference:"lib64xpm4-3.4k-27.1.100mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.0", cpu:"amd64", reference:"lib64xpm4-devel-3.4k-27.1.100mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"libxpm4-3.4k-27.1.100mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"libxpm4-devel-3.4k-27.1.100mdk", yank:"mdk")) flag++;

if (rpm_check(release:"MDK9.2", cpu:"amd64", reference:"lib64xpm4-3.4k-27.1.92mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.2", cpu:"amd64", reference:"lib64xpm4-devel-3.4k-27.1.92mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.2", cpu:"i386", reference:"libxpm4-3.4k-27.1.92mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.2", cpu:"i386", reference:"libxpm4-devel-3.4k-27.1.92mdk", yank:"mdk")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200502-07.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200502-07 (OpenMotif: Multiple vulnerabilities in libXpm) Multiple vulnerabilities, such as buffer overflows, out of bounds memory access or directory traversals, have been discovered in libXpm that is shipped as a part of the X Window System (see GLSA 200409-34 and 200411-28). OpenMotif, an application that includes this library, suffers from the same issues. Impact : A carefully-crafted XPM file could crash applications making use of the OpenMotif toolkit, potentially allowing the execution of arbitrary code with the privileges of the user running the application. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id16444
    published2005-02-14
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/16444
    titleGLSA-200502-07 : OpenMotif: Multiple vulnerabilities in libXpm
    code
    #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200502-07.
#
# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike 
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(16444);
  script_version("1.20");
  script_cvs_date("Date: 2019/08/02 13:32:42");

  script_cve_id("CVE-2004-0687", "CVE-2004-0688", "CVE-2004-0914");
  script_xref(name:"GLSA", value:"200502-07");

  script_name(english:"GLSA-200502-07 : OpenMotif: Multiple vulnerabilities in libXpm");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The remote host is affected by the vulnerability described in GLSA-200502-07
(OpenMotif: Multiple vulnerabilities in libXpm)

    Multiple vulnerabilities, such as buffer overflows, out of bounds
    memory access or directory traversals, have been discovered in libXpm
    that is shipped as a part of the X Window System (see GLSA 200409-34
    and 200411-28). OpenMotif, an application that includes this library,
    suffers from the same issues.
  
Impact :

    A carefully-crafted XPM file could crash applications making use of the
    OpenMotif toolkit, potentially allowing the execution of arbitrary code
    with the privileges of the user running the application.
  
Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200409-34"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200411-28"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200502-07"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"All OpenMotif users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose x11-libs/openmotif
    Note: You should run 'revdep-rebuild' to ensure that all applications
    linked to OpenMotif are properly rebuilt."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:openmotif");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/02/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/14");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (qpkg_check(package:"x11-libs/openmotif", unaffected:make_list("ge 2.2.3-r1", "rge 2.1.30-r7"), vulnerable:make_list("lt 2.2.3-r1"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "OpenMotif");
}
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-27-1.NASL
    descriptionChris Evans discovered several stack overflows in the versions of libXpm shipped by X.Org, XFree86, and LessTif. These overflows were fixed in the Warty development tree before its release. Mathieu Herrb of OpenBSD subsequently discovered that the original patch was insufficient to address these overflows, and thus the version of libxpm4 shipped with Warty is still vulnerable to the original overflows. These overflows do not allow privilege escalation through the X server; the overflows are in a client-side library, allowing arbitrary code execution with the privileges of the user viewing a malicious pixmap. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id20642
    published2006-01-15
    reporterUbuntu Security Notice (C) 2004-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20642
    titleUbuntu 4.10 : libxpm4 vulnerability (USN-27-1)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2004-099.NASL
    descriptionChris Evans found several stack and integer overflows in the libXpm code of X.Org/XFree86 : Stack overflows (CVE-2004-0687) : Careless use of strcat() in both the XPMv1 and XPMv2/3 xpmParseColors code leads to a stack based overflow (parse.c). Stack overflow reading pixel values in ParseAndPutPixels (create.c) as well as ParsePixels (parse.c). Integer Overflows (CVE-2004-0688) : Integer overflow allocating colorTable in xpmParseColors (parse.c) - probably a crashable but not exploitable offence. The updated packages have patches from Chris Evans and Matthieu Herrb to address these vulnerabilities.
    last seen2020-06-01
    modified2020-06-02
    plugin id14755
    published2004-09-16
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14755
    titleMandrake Linux Security Advisory : XFree86 (MDKSA-2004:099)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-561.NASL
    descriptionChris Evans discovered several stack and integer overflows in the libXpm library which is provided by X.Org, XFree86 and LessTif.
    last seen2020-06-01
    modified2020-06-02
    plugin id15659
    published2004-11-10
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15659
    titleDebian DSA-561-1 : xfree86 - integer and stack overflows
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2005-004.NASL
    descriptionAn updated lesstif package that fixes flaws in the Xpm library is now available for Red Hat Enterprise Linux 2.1. LessTif provides libraries which implement the Motif industry standard graphical user interface. During a source code audit, Chris Evans discovered several stack overflow flaws and an integer overflow flaw in the libXpm library used to decode XPM (X PixMap) images. A vulnerable version of this library was found within Lesstif. An attacker could create a carefully crafted XPM file which would cause an application to crash or potentially execute arbitrary code if opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0687,CVE-2004-0688, and CVE-2004-0914 to these issues. Users of LessTif are advised to upgrade to this erratum package, which contains backported security patches to the embedded libXpm library.
    last seen2020-06-01
    modified2020-06-02
    plugin id16144
    published2005-01-13
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/16144
    titleRHEL 2.1 : lesstif (RHSA-2005:004)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200409-34.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200409-34 (X.org, XFree86: Integer and stack overflows in libXpm) Chris Evans has discovered multiple integer and stack overflow vulnerabilities in the X Pixmap library, libXpm, which is a part of the X Window System. These overflows can be exploited by the execution of a malicious XPM file, which can crash applications that are dependent on libXpm. Impact : A carefully-crafted XPM file could crash applications that are linked against libXpm, potentially allowing the execution of arbitrary code with the privileges of the user running the application. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id14821
    published2004-09-27
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/14821
    titleGLSA-200409-34 : X.org, XFree86: Integer and stack overflows in libXpm
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2004-537.NASL
    descriptionUpdated openmotif packages that fix flaws in the Xpm image library are now available. OpenMotif provides libraries which implement the Motif industry standard graphical user interface. During a source code audit, Chris Evans and others discovered several stack overflow flaws and an integer overflow flaw in the libXpm library used to decode XPM (X PixMap) images. A vulnerable version of this library was found within OpenMotif. An attacker could create a carefully crafted XPM file which would cause an application to crash or potentially execute arbitrary code if opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0687, CVE-2004-0688, and CVE-2004-0914 to these issues. Users of OpenMotif are advised to upgrade to these erratum packages, which contain backported security patches to the embedded libXpm library.
    last seen2020-06-01
    modified2020-06-02
    plugin id15943
    published2004-12-13
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/15943
    titleRHEL 2.1 / 3 : openmotif (RHSA-2004:537)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-560.NASL
    descriptionChris Evans discovered several stack and integer overflows in the libXpm library which is included in LessTif.
    last seen2020-06-01
    modified2020-06-02
    plugin id15658
    published2004-11-10
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15658
    titleDebian DSA-560-1 : lesstif1-1 - integer and stack overflows
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2008-0524.NASL
    descriptionRed Hat Network Satellite Server version 4.2.3 is now available. This update includes fixes for a number of security issues in Red Hat Network Satellite Server components. This update has been rated as having low security impact by the Red Hat Security Response Team. This release corrects several security vulnerabilities in various components shipped as part of the Red Hat Network Satellite Server 4.2. In a typical operating environment, these components are not exposed to users of Satellite Server in a vulnerable manner. These security updates will reduce risk in unique Satellite Server environments. Multiple flaws were fixed in the Apache HTTPD server. These flaws could result in a cross-site scripting, denial-of-service, or information disclosure attacks. (CVE-2004-0885, CVE-2006-5752, CVE-2006-7197, CVE-2007-1860, CVE-2007-3304, CVE-2007-4465, CVE-2007-5000, CVE-2007-6388) A denial-of-service flaw was fixed in mod_perl. (CVE-2007-1349) A denial-of-service flaw was fixed in the jabberd server. (CVE-2006-1329) Multiple cross-site scripting flaws were fixed in the image map feature in the JFreeChart package. (CVE-2007-6306) Multiple flaws were fixed in the IBM Java 1.4.2 Runtime. (CVE-2007-0243, CVE-2007-2435, CVE-2007-2788, CVE-2007-2789) Multiple flaws were fixed in the OpenMotif package. (CVE-2004-0687, CVE-2004-0688, CVE-2004-0914, CVE-2005-3964, CVE-2005-0605) A flaw which could result in weak encryption was fixed in the perl-Crypt-CBC package. (CVE-2006-0898) Multiple flaws were fixed in the Tomcat package. (CVE-2008-0128, CVE-2007-5461, CVE-2007-3385, CVE-2007-3382, CVE-2007-1358, CVE-2007-1355, CVE-2007-2450, CVE-2007-2449, CVE-2007-0450, CVE-2006-7196, CVE-2006-7195, CVE-2006-3835, CVE-2006-0254, CVE-2005-2090, CVE-2005-4838, CVE-2005-3510) Users of Red Hat Network Satellite Server 4.2 are advised to upgrade to 4.2.3, which resolves these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id43837
    published2010-01-10
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/43837
    titleRHEL 3 / 4 : Satellite Server (RHSA-2008:0524)
  • NASL familySuSE Local Security Checks
    NASL idSUSE9_9399.NASL
    descriptionThis update fixes following security problems in OpenMotif : - Several stack overflows in the libXPM image handling library contained within OpenMotif were fixed. (CVE-2004-0687) - Several integer overflow problems in the libXPM image handling library contained within OpenMotif were fixed. (CVE-2004-0688)
    last seen2020-06-01
    modified2020-06-02
    plugin id41332
    published2009-09-24
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/41332
    titleSuSE9 Security Update : openmotif (YOU Patch Number 9399)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_BF2E7483D3FA440D8C6E8F1F2F018818.NASL
    descriptionTrevor Johnson reported that the Red Hat Linux RPMs used by linux_base contained multiple older vulnerabilities, such as a DNS resolver issue and critical bugs in X font handling and XPM image handling.
    last seen2020-06-01
    modified2020-06-02
    plugin id19106
    published2005-07-13
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/19106
    titleFreeBSD : linux_base -- vulnerabilities in Red Hat 7.1 libraries (bf2e7483-d3fa-440d-8c6e-8f1f2f018818)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2005-005.NASL
    descriptionThe remote host is missing Security Update 2005-005. This security update contains fixes for the following applications : - Apache - AppKit - AppleScript - Bluetooth - Directory Services - Finder - Foundation - HelpViewer - LDAP - libXpm - lukemftpd - NetInfo - ServerAdmin - sudo - Terminal - VPN These programs have multiple vulnerabilities that could allow a remote attacker to execute arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id18189
    published2005-05-03
    reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/18189
    titleMac OS X Multiple Vulnerabilities (Security Update 2005-005)
  • NASL familyHP-UX Local Security Checks
    NASL idHPUX_PHSS_33132.NASL
    descriptions700_800 11.23 X/Motif Runtime Periodic Patch : Potential security vulnerabilities have been identified with Motif applications running on HP-UX. The potential vulnerabilities could be exploited to allow remote execution of arbitrary code or Denial for Service (DoS). References: CERT VU#537878, VU#882750.
    last seen2020-06-01
    modified2020-06-02
    plugin id21658
    published2006-06-06
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/21658
    titleHP-UX PHSS_33132 : HP-UX Running Motif Applications Remote Arbitrary Code Execution, Denial of Service (DoS) (HPSBUX02119 SSRT4848 rev.1)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200410-09.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200410-09 (LessTif: Integer and stack overflows in libXpm) Chris Evans has discovered various integer and stack overflows in libXpm, which is shipped as a part of the X Window System. LessTif, an application that includes this library, is susceptible to the same issues. Impact : A carefully-crafted XPM file could crash applications that are linked against libXpm, such as LessTif, potentially allowing the execution of arbitrary code with the privileges of the user running the application. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id15447
    published2004-10-11
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/15447
    titleGLSA-200410-09 : LessTif: Integer and stack overflows in libXpm
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2004-479.NASL
    descriptionUpdated XFree86 packages that fix several security issues in libXpm, as well as other bug fixes, are now available for Red Hat Enterprise Linux 2.1. XFree86 is an open source implementation of the X Window System. It provides the basic low level functionality which full fledged graphical user interfaces (GUIs) such as GNOME and KDE are designed upon. During a source code audit, Chris Evans discovered several stack overflow flaws and an integer overflow flaw in the X.Org libXpm library used to decode XPM (X PixMap) images. An attacker could create a carefully crafted XPM file which would cause an application to crash or potentially execute arbitrary code if opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0687, CVE-2004-0688, and CVE-2004-0692 to these issues. These packages also contain a bug fix to lower the RGB output voltage on Dell servers using the ATI Radeon 7000m card. Users are advised to upgrade to these erratum packages which contain backported patches to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id15440
    published2004-10-08
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/15440
    titleRHEL 2.1 : XFree86 (RHSA-2004:479)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2004-124.NASL
    descriptionChris Evans found several stack and integer overflows in the libXpm code of X.Org/XFree86 : Stack overflows (CVE-2004-0687) : Careless use of strcat() in both the XPMv1 and XPMv2/3 xpmParseColors code leads to a stack based overflow (parse.c). Stack overflow reading pixel values in ParseAndPutPixels (create.c) as well as ParsePixels (parse.c). Integer Overflows (CVE-2004-0688) : Integer overflow allocating colorTable in xpmParseColors (parse.c) - probably a crashable but not exploitable offence. Additionally, the xorg-x11 packages have been patched with a backport from cvs to resolve a failure running the lsb-test-vsw4 test suite, which will soon be required for LSB2.0 compliance. The updated packages have patches from Chris Evans and Matthieu Herrb to address these vulnerabilities.
    last seen2020-06-01
    modified2020-06-02
    plugin id15635
    published2004-11-05
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15635
    titleMandrake Linux Security Advisory : xorg-x11 (MDKSA-2004:124)
  • NASL familyHP-UX Local Security Checks
    NASL idHPUX_PHSS_33130.NASL
    descriptions700_800 11.11 X/Motif Runtime Periodic Patch : Potential security vulnerabilities have been identified with Motif applications running on HP-UX. The potential vulnerabilities could be exploited to allow remote execution of arbitrary code or Denial for Service (DoS). References: CERT VU#537878, VU#882750.
    last seen2020-06-01
    modified2020-06-02
    plugin id21657
    published2006-06-06
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/21657
    titleHP-UX PHSS_33130 : HP-UX Running Motif Applications Remote Arbitrary Code Execution, Denial of Service (DoS) (HPSBUX02119 SSRT4848 rev.1)
  • NASL familyHP-UX Local Security Checks
    NASL idHPUX_PHSS_33129.NASL
    descriptions700_800 11.00 X/Motif 32bit Runtime Periodic Patch : Potential security vulnerabilities have been identified with Motif applications running on HP-UX. The potential vulnerabilities could be exploited to allow remote execution of arbitrary code or Denial for Service (DoS). References: CERT VU#537878, VU#882750.
    last seen2020-06-01
    modified2020-06-02
    plugin id21656
    published2006-06-06
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/21656
    titleHP-UX PHSS_33129 : HP-UX Running Motif Applications Remote Arbitrary Code Execution, Denial of Service (DoS) (HPSBUX02119 SSRT4848 rev.1)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_EF253F8B072711D9B45D000C41E2CDAD.NASL
    descriptionChris Evans discovered several vulnerabilities in the libXpm image decoder : - A stack-based buffer overflow in xpmParseColors - An integer overflow in xpmParseColors - A stack-based buffer overflow in ParsePixels and ParseAndPutPixels The X11R6.8.1 release announcement reads : This version is purely a security release, addressing multiple integer and stack overflows in libXpm, the X Pixmap library; all known versions of X (both XFree86 and X.Org) are affected, so all users of X are strongly encouraged to upgrade.
    last seen2020-06-01
    modified2020-06-02
    plugin id19161
    published2005-07-13
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/19161
    titleFreeBSD : xpm -- image decoding vulnerabilities (ef253f8b-0727-11d9-b45d-000c41e2cdad)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SA_2004_034.NASL
    descriptionThe remote host is missing the patch for the advisory SUSE-SA:2004:034 (XFree86-libs, xshared). Chris Evans reported three vulnerabilities in libXpm which can be exploited remotely by providing malformed XPM image files. The function xpmParseColors() is vulnerable to an integer overflow and a stack-based buffer overflow. The functions ParseAndPutPixels() as well as ParsePixels() is vulnerable to a stack-based buffer overflow too. Additionally Matthieu Herrb found two one-byte buffer overflows.
    last seen2020-06-01
    modified2020-06-02
    plugin id14775
    published2004-09-17
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14775
    titleSUSE-SA:2004:034: XFree86-libs, xshared
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2004-478.NASL
    descriptionUpdated XFree86 packages that fix several security flaws in libXpm, as well as other bugs, are now available for Red Hat Enterprise Linux 3. XFree86 is an open source implementation of the X Window System. It provides the basic low level functionality which full fledged graphical user interfaces (GUIs) such as GNOME and KDE are designed upon. During a source code audit, Chris Evans discovered several stack overflow flaws and an integer overflow flaw in the X.Org libXpm library used to decode XPM (X PixMap) images. An attacker could create a carefully crafted XPM file which would cause an application to crash or potentially execute arbitrary code if opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0687, CVE-2004-0688, and CVE-2004-0692 to these issues. A flaw was found in the X Display Manager (XDM). XDM is shipped with Red Hat Enterprise Linux, but is not used by default. XDM opened a chooserFd TCP socket even if the DisplayManager.requestPort parameter was set to 0. This allowed authorized users to access a machine remotely via X, even if the administrator had configured XDM to refuse such connections. Although XFree86 4.3.0 was not vulnerable to this issue, Red Hat Enterprise Linux 3 contained a backported patch which introduced this flaw. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0419 to this issue. Users are advised to upgrade to these erratum packages, which contain backported security patches to correct these and a number of other issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id15426
    published2004-10-06
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/15426
    titleRHEL 3 : XFree86 (RHSA-2004:478)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2005-815.NASL
    description - Fri May 6 2005 Thomas Woerner <twoerner at redhat.com> 0.93-36-6.FC3.2 - fixed possible libXpm overflows (#151640) - allow to write XPM files with absolute path names again (#140815) - Fri Nov 26 2004 Thomas Woerner <twoerner at redhat.com> 0.93.36-6.FC3.1 - fixed CVE-2004-0687 (integer overflows) and CVE-2004-0688 (stack overflows) in embedded Xpm library (#135080) - latest Xpm patches: CVE-2004-0914 (#135081) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id19721
    published2005-09-17
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/19721
    titleFedora Core 3 : lesstif-0.93.36-6.FC3.2 (2005-815)

Oval

accepted2013-04-29T04:15:47.744-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
    ovaloval:org.mitre.oval:def:11782
  • commentCentOS Linux 3.x
    ovaloval:org.mitre.oval:def:16651
descriptionMultiple integer overflows in (1) the xpmParseColors function in parse.c, (2) XpmCreateImageFromXpmImage, (3) CreateXImage, (4) ParsePixels, and (5) ParseAndPutPixels for libXpm before 6.8.1 may allow remote attackers to execute arbitrary code via a malformed XPM image file.
familyunix
idoval:org.mitre.oval:def:11796
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleMultiple integer overflows in (1) the xpmParseColors function in parse.c, (2) XpmCreateImageFromXpmImage, (3) CreateXImage, (4) ParsePixels, and (5) ParseAndPutPixels for libXpm before 6.8.1 may allow remote attackers to execute arbitrary code via a malformed XPM image file.
version26

Redhat

advisories
  • rhsa
    idRHSA-2004:537
  • rhsa
    idRHSA-2005:004
rpms
  • XFree86-0:4.3.0-69.EL
  • XFree86-100dpi-fonts-0:4.3.0-69.EL
  • XFree86-75dpi-fonts-0:4.3.0-69.EL
  • XFree86-ISO8859-14-100dpi-fonts-0:4.3.0-69.EL
  • XFree86-ISO8859-14-75dpi-fonts-0:4.3.0-69.EL
  • XFree86-ISO8859-15-100dpi-fonts-0:4.3.0-69.EL
  • XFree86-ISO8859-15-75dpi-fonts-0:4.3.0-69.EL
  • XFree86-ISO8859-2-100dpi-fonts-0:4.3.0-69.EL
  • XFree86-ISO8859-2-75dpi-fonts-0:4.3.0-69.EL
  • XFree86-ISO8859-9-100dpi-fonts-0:4.3.0-69.EL
  • XFree86-ISO8859-9-75dpi-fonts-0:4.3.0-69.EL
  • XFree86-Mesa-libGL-0:4.3.0-69.EL
  • XFree86-Mesa-libGLU-0:4.3.0-69.EL
  • XFree86-Xnest-0:4.3.0-69.EL
  • XFree86-Xvfb-0:4.3.0-69.EL
  • XFree86-base-fonts-0:4.3.0-69.EL
  • XFree86-cyrillic-fonts-0:4.3.0-69.EL
  • XFree86-devel-0:4.3.0-69.EL
  • XFree86-doc-0:4.3.0-69.EL
  • XFree86-font-utils-0:4.3.0-69.EL
  • XFree86-libs-0:4.3.0-69.EL
  • XFree86-libs-data-0:4.3.0-69.EL
  • XFree86-sdk-0:4.3.0-69.EL
  • XFree86-syriac-fonts-0:4.3.0-69.EL
  • XFree86-tools-0:4.3.0-69.EL
  • XFree86-truetype-fonts-0:4.3.0-69.EL
  • XFree86-twm-0:4.3.0-69.EL
  • XFree86-xauth-0:4.3.0-69.EL
  • XFree86-xdm-0:4.3.0-69.EL
  • XFree86-xfs-0:4.3.0-69.EL
  • openmotif-0:2.2.3-4.RHEL3.4
  • openmotif-debuginfo-0:2.2.3-4.RHEL3.4
  • openmotif-devel-0:2.2.3-4.RHEL3.4
  • openmotif21-0:2.1.30-9.RHEL3.4
  • openmotif21-debuginfo-0:2.1.30-9.RHEL3.4
  • jabberd-0:2.0s10-3.37.rhn
  • jabberd-0:2.0s10-3.38.rhn
  • java-1.4.2-ibm-0:1.4.2.10-1jpp.2.el3
  • java-1.4.2-ibm-0:1.4.2.10-1jpp.2.el4
  • java-1.4.2-ibm-devel-0:1.4.2.10-1jpp.2.el3
  • java-1.4.2-ibm-devel-0:1.4.2.10-1jpp.2.el4
  • jfreechart-0:0.9.20-3.rhn
  • openmotif21-0:2.1.30-11.RHEL4.6
  • openmotif21-0:2.1.30-9.RHEL3.8
  • openmotif21-debuginfo-0:2.1.30-11.RHEL4.6
  • openmotif21-debuginfo-0:2.1.30-9.RHEL3.8
  • perl-Crypt-CBC-0:2.24-1.el3
  • perl-Crypt-CBC-0:2.24-1.el4
  • rhn-apache-0:1.3.27-36.rhn.rhel3
  • rhn-apache-0:1.3.27-36.rhn.rhel4
  • rhn-modjk-ap13-0:1.2.23-2rhn.rhel3
  • rhn-modjk-ap13-0:1.2.23-2rhn.rhel4
  • rhn-modperl-0:1.29-16.rhel3
  • rhn-modperl-0:1.29-16.rhel4
  • rhn-modssl-0:2.8.12-8.rhn.10.rhel3
  • rhn-modssl-0:2.8.12-8.rhn.10.rhel4
  • tomcat5-0:5.0.30-0jpp_10rh

Statements

contributorMark J Cox
lastmodified2007-03-14
organizationRed Hat
statementRed Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

References