Vulnerabilities > CVE-2006-4806 - Arbitrary Code Execution vulnerability in IMlib2 Library

047910
CVSS 5.1 - MEDIUM
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
high complexity
enlightenment
nessus

Summary

Multiple integer overflows in imlib2 allow user-assisted remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted (1) ARGB (loader_argb.c), (2) PNG (loader_png.c), (3) LBM (loader_lbm.c), (4) JPEG (loader_jpeg.c), or (5) TIFF (loader_tiff.c) images.

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_IMLIB2-LOADERS-2245.NASL
    descriptionVarious security problems have been fixed in the imlib2 image loaders : - A stack-based buffer overflow in loader_pnm.c could be used by attackers to execute code by supplying a handcrafted PNM image. (CVE-2006-4809) - A heap buffer overflow in loader_tga.c could potentially be used by attackers to execute code by supplying a handcrafted TGA image. (CVE-2006-4808) - A out of bounds memory read in loader_tga.c could be used to crash the imlib2 using application with a handcrafted TGA image. (CVE-2006-4807) - Various integer overflows in width*height calculations could lead to heap overflows which could potentially be used to execute code. Affected here are the ARGB, PNG, LBM, JPEG and TIFF loaders. (CVE-2006-4806) Additionally loading of TIFF images on 64bit systems now works.
    last seen2020-06-01
    modified2020-06-02
    plugin id29463
    published2007-12-13
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/29463
    titleSuSE 10 Security Update : imlib2-loaders (ZYPP Patch Number 2245)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(29463);
      script_version ("1.14");
      script_cvs_date("Date: 2019/10/25 13:36:28");
    
      script_cve_id("CVE-2006-4806", "CVE-2006-4807", "CVE-2006-4808", "CVE-2006-4809");
    
      script_name(english:"SuSE 10 Security Update : imlib2-loaders (ZYPP Patch Number 2245)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 10 host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Various security problems have been fixed in the imlib2 image 
    loaders :
    
      - A stack-based buffer overflow in loader_pnm.c could be
        used by attackers to execute code by supplying a
        handcrafted PNM image. (CVE-2006-4809)
    
      - A heap buffer overflow in loader_tga.c could potentially
        be used by attackers to execute code by supplying a
        handcrafted TGA image. (CVE-2006-4808)
    
      - A out of bounds memory read in loader_tga.c could be
        used to crash the imlib2 using application with a
        handcrafted TGA image. (CVE-2006-4807)
    
      - Various integer overflows in width*height calculations
        could lead to heap overflows which could potentially be
        used to execute code. Affected here are the ARGB, PNG,
        LBM, JPEG and TIFF loaders. (CVE-2006-4806)
    
    Additionally loading of TIFF images on 64bit systems now works."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2006-4806.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2006-4807.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2006-4808.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2006-4809.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 2245.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/11/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/12/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
    if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");
    
    
    flag = 0;
    if (rpm_check(release:"SLED10", sp:0, reference:"imlib2-loaders-1.2.1-17.7")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else exit(0, "The host is not affected.");
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2007-156.NASL
    descriptionM Joonas Pihlaja discovered several vulnerabilities in the Imlib2 graphics library. The load() function of several of the Imlib2 image loaders does not check the width and height of an image before allocating memory. As a result, a carefully crafted image file can trigger a segfault when an application using Imlib2 attempts to view the image. (CVE-2006-4806) The tga loader fails to bounds check input data to make sure the input data doesn load outside the memory mapped region. (CVE-2006-4807) The RLE decoding loops of the load() function in the tga loader does not check that the count byte of an RLE packet doesn cause a heap overflow of the pixel buffer. (CVE-2006-4808) The load() function of the pnm loader writes arbitrary length user data into a fixed size stack allocated buffer buf[] without bounds checking. (CVE-2006-4809) Updated packages have been patched to prevent these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id37033
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/37033
    titleMandrake Linux Security Advisory : imlib2 (MDKSA-2007:156)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2007:156. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(37033);
      script_version ("1.12");
      script_cvs_date("Date: 2019/08/02 13:32:49");
    
      script_cve_id("CVE-2006-4806", "CVE-2006-4807", "CVE-2006-4808", "CVE-2006-4809");
      script_bugtraq_id(20903);
      script_xref(name:"MDKSA", value:"2007:156");
    
      script_name(english:"Mandrake Linux Security Advisory : imlib2 (MDKSA-2007:156)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "M Joonas Pihlaja discovered several vulnerabilities in the Imlib2
    graphics library.
    
    The load() function of several of the Imlib2 image loaders does not
    check the width and height of an image before allocating memory. As a
    result, a carefully crafted image file can trigger a segfault when an
    application using Imlib2 attempts to view the image. (CVE-2006-4806)
    
    The tga loader fails to bounds check input data to make sure the input
    data doesn load outside the memory mapped region. (CVE-2006-4807)
    
    The RLE decoding loops of the load() function in the tga loader does
    not check that the count byte of an RLE packet doesn cause a heap
    overflow of the pixel buffer. (CVE-2006-4808)
    
    The load() function of the pnm loader writes arbitrary length user
    data into a fixed size stack allocated buffer buf[] without bounds
    checking. (CVE-2006-4809)
    
    Updated packages have been patched to prevent these issues."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:ND");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:imlib2-data");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64imlib2_1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64imlib2_1-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64imlib2_1-filters");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64imlib2_1-loaders");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libimlib2_1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libimlib2_1-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libimlib2_1-filters");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libimlib2_1-loaders");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/08/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK2007.1", reference:"imlib2-data-1.2.2-3.1mdv2007.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.1", cpu:"x86_64", reference:"lib64imlib2_1-1.2.2-3.1mdv2007.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.1", cpu:"x86_64", reference:"lib64imlib2_1-devel-1.2.2-3.1mdv2007.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.1", cpu:"x86_64", reference:"lib64imlib2_1-filters-1.2.2-3.1mdv2007.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.1", cpu:"x86_64", reference:"lib64imlib2_1-loaders-1.2.2-3.1mdv2007.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.1", cpu:"i386", reference:"libimlib2_1-1.2.2-3.1mdv2007.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.1", cpu:"i386", reference:"libimlib2_1-devel-1.2.2-3.1mdv2007.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.1", cpu:"i386", reference:"libimlib2_1-filters-1.2.2-3.1mdv2007.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.1", cpu:"i386", reference:"libimlib2_1-loaders-1.2.2-3.1mdv2007.1", yank:"mdv")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_92442C4B6F4A11DBBD280012F06707F0.NASL
    descriptionSecunia reports : Some vulnerabilities have been reported in imlib2, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library. The vulnerabilities are caused due to unspecified errors within the processing of JPG, ARGB, PNG, LBM, PNM, TIFF, and TGA images. This may be exploited to execute arbitrary code by e.g. tricking a user into opening a specially crafted image file with an application using imlib2.
    last seen2020-06-01
    modified2020-06-02
    plugin id23665
    published2006-11-20
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/23665
    titleFreeBSD : Imlib2 -- multiple image file processing vulnerabilities (92442c4b-6f4a-11db-bd28-0012f06707f0)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_EXTRAS_2006-004.NASL
    descriptionM. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user were tricked into viewing or processing a specially crafted image with an application that uses imlib2, the flaws could be exploited to execute arbitrary code with the user
    last seen2020-06-01
    modified2020-06-02
    plugin id62278
    published2012-09-24
    reporterThis script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/62278
    titleFedora Extras : imlib2-1.2.1-2 (2006-004)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_IMLIB2-LOADERS-2265.NASL
    descriptionVarious security problems have been fixed in the imlib2 image loaders : CVE-2006-4809: A stack-based buffer overflow in loader_pnm.c could be used by attackers to execute code by supplying a handcrafted PNM image. CVE-2006-4808: A heap buffer overflow in loader_tga.c could potentially be used by attackers to execute code by supplying a handcrafted TGA image. CVE-2006-4807: A out of bounds memory read in loader_tga.c could be used to crash the imlib2 using application with a handcrafted TGA image. CVE-2006-4806: Various integer overflows in width*height calculations could lead to heap overflows which could potentially be used to execute code. Affected here are the ARGB, PNG, LBM, JPEG and TIFF loaders. Additionaly loading of TIFF images on 64bit systems is now possible. This update obsoletes the previous one, which had problems with JPEG loading.
    last seen2020-06-01
    modified2020-06-02
    plugin id27271
    published2007-10-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/27271
    titleopenSUSE 10 Security Update : imlib2-loaders (imlib2-loaders-2265)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-376-1.NASL
    descriptionM. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user were tricked into viewing or processing a specially crafted image with an application that uses imlib2, the flaws could be exploited to execute arbitrary code with the user
    last seen2020-06-01
    modified2020-06-02
    plugin id27957
    published2007-11-10
    reporterUbuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/27957
    titleUbuntu 5.10 / 6.06 LTS / 6.10 : imlib2 vulnerabilities (USN-376-1)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200612-20.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200612-20 (imlib2: Multiple vulnerabilities) M. Joonas Pihlaja discovered several buffer overflows in loader_argb.c, loader_png.c, loader_lbm.c, loader_jpeg.c, loader_tiff.c, loader_tga.c, loader_pnm.c and an out-of-bounds memory read access in loader_tga.c. Impact : An attacker can entice a user to process a specially crafted JPG, ARGB, PNG, LBM, PNM, TIFF, or TGA image with an
    last seen2020-06-01
    modified2020-06-02
    plugin id23957
    published2006-12-30
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/23957
    titleGLSA-200612-20 : imlib2: Multiple vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idSUSE_IMLIB2-LOADERS-2244.NASL
    descriptionVarious security problems have been fixed in the imlib2 image loaders : CVE-2006-4809: A stack-based buffer overflow in loader_pnm.c could be used by attackers to execute code by supplying a handcrafted PNM image. CVE-2006-4808: A heap buffer overflow in loader_tga.c could potentially be used by attackers to execute code by supplying a handcrafted TGA image. CVE-2006-4807: A out of bounds memory read in loader_tga.c could be used to crash the imlib2 using application with a handcrafted TGA image. CVE-2006-4806: Various integer overflows in width*height calculations could lead to heap overflows which could potentially be used to execute code. Affected here are the ARGB, PNG, LBM, JPEG and TIFF loaders. Additionaly loading of TIFF images on 64bit systems is now possible.
    last seen2020-06-01
    modified2020-06-02
    plugin id27270
    published2007-10-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/27270
    titleopenSUSE 10 Security Update : imlib2-loaders (imlib2-loaders-2244)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_IMLIB2-LOADERS-2261.NASL
    descriptionVarious security problems have been fixed in the imlib2 image loaders : - A stack-based buffer overflow in loader_pnm.c could be used by attackers to execute code by supplying a handcrafted PNM image. (CVE-2006-4809) - A heap buffer overflow in loader_tga.c could potentially be used by attackers to execute code by supplying a handcrafted TGA image. (CVE-2006-4808) - A out of bounds memory read in loader_tga.c could be used to crash the imlib2 using application with a handcrafted TGA image. (CVE-2006-4807) - Various integer overflows in width*height calculations could lead to heap overflows which could potentially be used to execute code. Affected here are the ARGB, PNG, LBM, JPEG and TIFF loaders. (CVE-2006-4806) Additionally loading of TIFF images on 64bit systems now works. This obsoletes a previous update, which had broken JPEG loading.
    last seen2020-06-01
    modified2020-06-02
    plugin id29464
    published2007-12-13
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/29464
    titleSuSE 10 Security Update : imlib2-loaders (ZYPP Patch Number 2261)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2006-198.NASL
    descriptionM Joonas Pihlaja discovered several vulnerabilities in the Imlib2 graphics library. The load() function of several of the Imlib2 image loaders does not check the width and height of an image before allocating memory. As a result, a carefully crafted image file can trigger a segfault when an application using Imlib2 attempts to view the image. (CVE-2006-4806) The tga loader fails to bounds check input data to make sure the input data doesn
    last seen2020-06-01
    modified2020-06-02
    plugin id24583
    published2007-02-18
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24583
    titleMandrake Linux Security Advisory : imlib2 (MDKSA-2006:198-1)

Statements

contributorMark J Cox
lastmodified2006-11-22
organizationRed Hat
statementNot vulnerable. Red Hat Enterprise Linux 2.1, 3, and 4 do not include imlib2.