Vulnerabilities > CVE-2005-0638

047910
CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: network, low complexity, xli, altlinux, suse, nessus

Summary

xloadimage before 4.1-r2, and xli before 1.17, allows attackers to execute arbitrary commands via shell metacharacters in filenames for compressed images, which are not properly quoted when calling the gunzip command.
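The Summary describes the pattern behind this CVE: a user-controlled filename is spliced into a command string that is then handed to the shell, so any shell metacharacters in the name become part of the command. The following Python is an added illustration, not code from xloadimage, xli or Tenable. It shows how a POSIX shell would tokenize the unquoted command, the two defensive fixes (quoting the filename as a single word, or bypassing the shell entirely with an argv list), and a metacharacter check that a wrapper such as a mailcap handler could apply before passing a name on. The sample filenames and the `has_shell_meta` helper are constructed for this example.

```python
"""Added example for CVE-2005-0638: unquoted filename in a shell command line.

Illustrative code only; it is not the xloadimage or xli source.
"""
import re
import shlex
import subprocess

# Characters a POSIX shell treats specially.  A filename containing any of
# them must never be concatenated into a command string (constructed list).
SHELL_META = re.compile(r"[;&|`$()<>\s'\"\\*?\[\]{}!#~]")


def vulnerable_command(filename: str) -> str:
    """The flawed pattern: the filename is concatenated into a string that
    is passed to /bin/sh.  Returned rather than executed so the effect can
    be inspected safely."""
    return "gunzip -c " + filename


def quoted_command(filename: str) -> str:
    """Minimal fix if a shell must remain in the loop: shlex.quote turns the
    filename into one shell word, so metacharacters lose their meaning."""
    return "gunzip -c " + shlex.quote(filename)


def safe_argv(filename: str) -> list:
    """Preferred fix: no shell at all.  The filename is a single argv element
    and reaches gunzip byte-for-byte.  '--' (GNU getopt convention) also
    stops a name beginning with '-' from being parsed as an option."""
    return ["gunzip", "-c", "--", filename]


def has_shell_meta(filename: str) -> bool:
    """Defensive check for a wrapper that receives untrusted filenames
    (hypothetical helper, not part of any shipped tool)."""
    return SHELL_META.search(filename) is not None


def shell_words(cmd: str) -> list:
    """Tokenize cmd the way a POSIX shell would, splitting on the shell's
    punctuation so that ';', '|' and '&' show up as separate tokens."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def decompress(filename: str) -> bytes:
    """Run gunzip without a shell and return the decompressed bytes.
    Raises CalledProcessError if gunzip fails."""
    return subprocess.run(safe_argv(filename), check=True,
                          capture_output=True).stdout


if __name__ == "__main__":
    # Constructed filename: a second command hidden after a separator.
    crafted = "pic.gz;true"
    print("vulnerable :", shell_words(vulnerable_command(crafted)))
    print("quoted     :", shell_words(quoted_command(crafted)))
    print("argv       :", safe_argv(crafted))
    print("flagged    :", has_shell_meta(crafted), has_shell_meta("pic.gz"))
```

In the unquoted form the shell sees five words and `true` becomes a separate command; in the quoted form and the argv form the whole name stays one word. The argv form is what a decompression helper should use regardless of how the name was obtained, since it removes the shell from the path entirely.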

Nessus

  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-694.NASL
    description: Several vulnerabilities have been discovered in xloadimage, an image viewer for X11. The Common Vulnerabilities and Exposures project identifies the following problems : - CAN-2005-0638 Tavis Ormandy of the Gentoo Linux Security Audit Team has reported a flaw in the handling of compressed images, where shell meta-characters are not adequately escaped. - CAN-2005-0639 Insufficient validation of image properties have been discovered which could potentially result in buffer management errors.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 17577
    published: 2005-03-21
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/17577
    title: Debian DSA-694-1 : xloadimage - missing input sanitising, integer overflow
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-694. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(17577);
      script_version("1.19");
      script_cvs_date("Date: 2019/08/02 13:32:18");
    
      script_cve_id("CVE-2005-0638", "CVE-2005-0639");
      script_xref(name:"DSA", value:"694");
    
      script_name(english:"Debian DSA-694-1 : xloadimage - missing input sanitising, integer overflow");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in xloadimage, an image
    viewer for X11. The Common Vulnerabilities and Exposures project
    identifies the following problems :
    
      - CAN-2005-0638
        Tavis Ormandy of the Gentoo Linux Security Audit Team
        has reported a flaw in the handling of compressed
        images, where shell meta-characters are not adequately
        escaped.
    
      - CAN-2005-0639
    
        Insufficient validation of image properties have been
        discovered which could potentially result in buffer
        management errors."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=298926"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2005/dsa-694"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the xloadimage package.
    
    For the stable distribution (woody) these problems have been fixed in
    version 4.1-10woody1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xloadimage");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/03/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/03/21");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/03/02");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.0", prefix:"xloadimage", reference:"4.1-10woody1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200503-05.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200503-05 (xli, xloadimage: Multiple vulnerabilities) Tavis Ormandy of the Gentoo Linux Security Audit Team has reported that xli and xloadimage contain a flaw in the handling of compressed images, where shell meta-characters are not adequately escaped. Rob Holland of the Gentoo Linux Security Audit Team has reported that an xloadimage vulnerability in the handling of Faces Project images discovered by zen-parse in 2001 remained unpatched in xli. Additionally, it has been reported that insufficient validation of image properties in xli could potentially result in buffer management errors. Impact : Successful exploitation would permit a remote attacker to execute arbitrary shell commands, or arbitrary code with the privileges of the xloadimage or xli user. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 17261
    published: 2005-03-04
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/17261
    title: GLSA-200503-05 : xli, xloadimage: Multiple vulnerabilities
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-695.NASL
    description: Several vulnerabilities have been discovered in xli, an image viewer for X11. The Common Vulnerabilities and Exposures project identifies the following problems : - CAN-2001-0775 A buffer overflow in the decoder for FACES format images could be exploited by an attacker to execute arbitrary code. This problem has already been fixed in xloadimage in DSA 069. - CAN-2005-0638 Tavis Ormandy of the Gentoo Linux Security Audit Team has reported a flaw in the handling of compressed images, where shell meta-characters are not adequately escaped. - CAN-2005-0639 Insufficient validation of image properties have been discovered which could potentially result in buffer management errors.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 17578
    published: 2005-03-21
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/17578
    title: Debian DSA-695-1 : xli - buffer overflow, input sanitising, integer overflow
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2005-076.NASL
    description: A number of vulnerabilities have been found in the xli image viewer. Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a flaw in the handling of compressed images where shell meta-characters are not properly escaped (CVE-2005-0638). It was also found that insufficient validation of image properties could potentially result in buffer management errors (CVE-2005-0639). The updated packages have been patched to correct these problems.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18106
    published: 2005-04-21
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/18106
    title: Mandrake Linux Security Advisory : xli (MDKSA-2005:076)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2005-236.NASL
    description: This update fixes CVE-2005-0638, a problem in the parsing of shell metacharacters in filenames. It also fixes bugs in handling of malformed TIFF and PBM/PNM/PPM issues. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18317
    published: 2005-05-19
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/18317
    title: Fedora Core 2 : xloadimage-4.1-34.FC2 (2005-236)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2005-332-01.NASL
    description: A new xloadimage package that fixes bugs in handling malformed tiff and pbm/pnm/ppm images, and in handling metacharacters in filenames is now available. This update has been rated as having low security impact by the Red Hat Security Response Team. The xloadimage utility displays images in an X Window System window, loads images into the root window, or writes images into a file. Xloadimage supports many image types (including GIF, TIFF, JPEG, XPM, and XBM). A flaw was discovered in xloadimage where filenames were not properly quoted when calling the gunzip command. An attacker could create a file with a carefully crafted filename so that it would execute arbitrary commands if opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0638 to this issue. Another bug in xloadimage would cause it to crash if called with certain invalid TIFF, PNM, PBM, or PPM file names. All users of xloadimage should upgrade to this erratum package which contains backported patches to correct these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 67025
    published: 2013-06-29
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/67025
    title: CentOS 3 : xloadimage (CESA-2005:332-01)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2005-237.NASL
    description: This update fixes CVE-2005-0638, a problem in the parsing of shell metacharacters in filenames. It also fixes bugs in handling of malformed TIFF and PBM/PNM/PPM issues. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19629
    published: 2005-09-12
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/19629
    title: Fedora Core 3 : xloadimage-4.1-34.FC3 (2005-237)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_310D00870FDE4929A41F96F17C5ADFFE.NASL
    description: Tavis Ormandy discovered that xli and xloadimage attempt to decompress images by piping them through gunzip or similar decompression tools. Unfortunately, the unsanitized file name is included as part of the command. This is dangerous, as in some situations, such as mailcap processing, an attacker may control the input file name. As a result, an attacker may be able to cause arbitrary command execution.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18892
    published: 2005-07-13
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/18892
    title: FreeBSD : xloadimage -- arbitrary command execution when handling compressed files (310d0087-0fde-4929-a41f-96f17c5adffe)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2005-060.NASL
    description: A number of vulnerabilities were discovered by Stefano Di Paola in the MySQL server : If an authenticated user had INSERT privileges on the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 17601
    published: 2005-03-23
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/17601
    title: Mandrake Linux Security Advisory : MySQL (MDKSA-2005:060)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2005-332.NASL
    description: A new xloadimage package that fixes bugs in handling malformed tiff and pbm/pnm/ppm images, and in handling metacharacters in filenames is now available. This update has been rated as having low security impact by the Red Hat Security Response Team. The xloadimage utility displays images in an X Window System window, loads images into the root window, or writes images into a file. Xloadimage supports many image types (including GIF, TIFF, JPEG, XPM, and XBM). A flaw was discovered in xloadimage where filenames were not properly quoted when calling the gunzip command. An attacker could create a file with a carefully crafted filename so that it would execute arbitrary commands if opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0638 to this issue. Another bug in xloadimage would cause it to crash if called with certain invalid TIFF, PNM, PBM, or PPM file names. All users of xloadimage should upgrade to this erratum package which contains backported patches to correct these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18093
    published: 2005-04-19
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/18093
    title: RHEL 2.1 / 3 / 4 : xloadimage (RHSA-2005:332)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2005-332.NASL
    description: A new xloadimage package that fixes bugs in handling malformed tiff and pbm/pnm/ppm images, and in handling metacharacters in filenames is now available. This update has been rated as having low security impact by the Red Hat Security Response Team. The xloadimage utility displays images in an X Window System window, loads images into the root window, or writes images into a file. Xloadimage supports many image types (including GIF, TIFF, JPEG, XPM, and XBM). A flaw was discovered in xloadimage where filenames were not properly quoted when calling the gunzip command. An attacker could create a file with a carefully crafted filename so that it would execute arbitrary commands if opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0638 to this issue. Another bug in xloadimage would cause it to crash if called with certain invalid TIFF, PNM, PBM, or PPM file names. All users of xloadimage should upgrade to this erratum package which contains backported patches to correct these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21924
    published: 2006-07-05
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21924
    title: CentOS 3 / 4 : xloadimage (CESA-2005:332)

Oval

accepted: 2013-04-29T04:09:49.721-04:00
class: vulnerability
contributors:
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions:
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 3
    oval: oval:org.mitre.oval:def:11782
  • comment: CentOS Linux 3.x
    oval: oval:org.mitre.oval:def:16651
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 4
    oval: oval:org.mitre.oval:def:11831
  • comment: CentOS Linux 4.x
    oval: oval:org.mitre.oval:def:16636
  • comment: Oracle Linux 4.x
    oval: oval:org.mitre.oval:def:15990
description: xloadimage before 4.1-r2, and xli before 1.17, allows attackers to execute arbitrary commands via shell metacharacters in filenames for compressed images, which are not properly quoted when calling the gunzip command.
family: unix
id: oval:org.mitre.oval:def:10898
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: xloadimage before 4.1-r2, and xli before 1.17, allows attackers to execute arbitrary commands via shell metacharacters in filenames for compressed images, which are not properly quoted when calling the gunzip command.
version: 25

Redhat

advisories:
  rhsa:
    id: RHSA-2005:332
    rpms:
      • xloadimage-0:4.1-34.RHEL3
      • xloadimage-0:4.1-34.RHEL4
      • xloadimage-debuginfo-0:4.1-34.RHEL3
      • xloadimage-debuginfo-0:4.1-34.RHEL4