CVE-2006-4809 - Arbitrary Code Execution vulnerability in IMlib2 Library
Attack vector | NETWORK |
Attack complexity | HIGH |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | PARTIAL |
Availability impact | PARTIAL |
Summary
Stack-based buffer overflow in loader_pnm.c in imlib2 before 1.2.1, and possibly other versions, allows user-assisted remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PNM image.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 9 |
Nessus
- NASL family: SuSE Local Security Checks
- NASL id: SUSE_IMLIB2-LOADERS-2245.NASL
- description: Various security problems have been fixed in the imlib2 image loaders:
  - A stack-based buffer overflow in loader_pnm.c could be used by attackers to execute code by supplying a handcrafted PNM image. (CVE-2006-4809)
  - A heap buffer overflow in loader_tga.c could potentially be used by attackers to execute code by supplying a handcrafted TGA image. (CVE-2006-4808)
  - An out of bounds memory read in loader_tga.c could be used to crash the imlib2 using application with a handcrafted TGA image. (CVE-2006-4807)
  - Various integer overflows in width*height calculations could lead to heap overflows which could potentially be used to execute code. Affected here are the ARGB, PNG, LBM, JPEG and TIFF loaders. (CVE-2006-4806)

  Additionally loading of TIFF images on 64bit systems now works.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 29463
- published: 2007-12-13
- reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/29463
- title: SuSE 10 Security Update : imlib2-loaders (ZYPP Patch Number 2245)
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The text description of this plugin is (C) Novell, Inc.
#

include("compat.inc");

# Plugin metadata block
if (description)
{
  script_id(29463);
  script_version ("1.14");
  script_cvs_date("Date: 2019/10/25 13:36:28");

  script_cve_id("CVE-2006-4806", "CVE-2006-4807", "CVE-2006-4808", "CVE-2006-4809");

  script_name(english:"SuSE 10 Security Update : imlib2-loaders (ZYPP Patch Number 2245)");
  script_summary(english:"Checks rpm output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SuSE 10 host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Various security problems have been fixed in the imlib2 image
loaders :

  - A stack-based buffer overflow in loader_pnm.c could be
    used by attackers to execute code by supplying a
    handcrafted PNM image. (CVE-2006-4809)

  - A heap buffer overflow in loader_tga.c could potentially
    be used by attackers to execute code by supplying a
    handcrafted TGA image. (CVE-2006-4808)

  - A out of bounds memory read in loader_tga.c could be
    used to crash the imlib2 using application with a
    handcrafted TGA image. (CVE-2006-4807)

  - Various integer overflows in width*height calculations
    could lead to heap overflows which could potentially be
    used to execute code. Affected here are the ARGB, PNG,
    LBM, JPEG and TIFF loaders. (CVE-2006-4806)

Additionally loading of TIFF images on 64bit systems now works."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2006-4806.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2006-4807.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2006-4808.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2006-4809.html"
  );
  script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 2245.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/11/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/12/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("global_settings.inc");
include("rpm.inc");

# Preconditions: local checks enabled, SuSE host, package list collected
if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");

# Compare the installed imlib2-loaders package against the fixed reference version
flag = 0;
if (rpm_check(release:"SLED10", sp:0, reference:"imlib2-loaders-1.2.1-17.7")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else exit(0, "The host is not affected.");
```

- NASL family: Mandriva Local Security Checks
- NASL id: MANDRAKE_MDKSA-2007-156.NASL
- description: M Joonas Pihlaja discovered several vulnerabilities in the Imlib2 graphics library. The load() function of several of the Imlib2 image loaders does not check the width and height of an image before allocating memory. As a result, a carefully crafted image file can trigger a segfault when an application using Imlib2 attempts to view the image. (CVE-2006-4806) The tga loader fails to bounds check input data to make sure the input data doesn't load outside the memory mapped region. (CVE-2006-4807) The RLE decoding loops of the load() function in the tga loader does not check that the count byte of an RLE packet doesn't cause a heap overflow of the pixel buffer. (CVE-2006-4808) The load() function of the pnm loader writes arbitrary length user data into a fixed size stack allocated buffer buf[] without bounds checking. (CVE-2006-4809) Updated packages have been patched to prevent these issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 37033
- published: 2009-04-23
- reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/37033
- title: Mandrake Linux Security Advisory : imlib2 (MDKSA-2007:156)
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandrake Linux Security Advisory MDKSA-2007:156.
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

# Plugin metadata block
if (description)
{
  script_id(37033);
  script_version ("1.12");
  script_cvs_date("Date: 2019/08/02 13:32:49");

  script_cve_id("CVE-2006-4806", "CVE-2006-4807", "CVE-2006-4808", "CVE-2006-4809");
  script_bugtraq_id(20903);
  script_xref(name:"MDKSA", value:"2007:156");

  script_name(english:"Mandrake Linux Security Advisory : imlib2 (MDKSA-2007:156)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Mandrake Linux host is missing one or more security
updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"M Joonas Pihlaja discovered several vulnerabilities in the Imlib2
graphics library.

The load() function of several of the Imlib2 image loaders does not
check the width and height of an image before allocating memory. As a
result, a carefully crafted image file can trigger a segfault when an
application using Imlib2 attempts to view the image. (CVE-2006-4806)

The tga loader fails to bounds check input data to make sure the input
data doesn't load outside the memory mapped region. (CVE-2006-4807)

The RLE decoding loops of the load() function in the tga loader does
not check that the count byte of an RLE packet doesn't cause a heap
overflow of the pixel buffer. (CVE-2006-4808)

The load() function of the pnm loader writes arbitrary length user
data into a fixed size stack allocated buffer buf[] without bounds
checking. (CVE-2006-4809)

Updated packages have been patched to prevent these issues."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:imlib2-data");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64imlib2_1");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64imlib2_1-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64imlib2_1-filters");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64imlib2_1-loaders");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libimlib2_1");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libimlib2_1-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libimlib2_1-filters");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libimlib2_1-loaders");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2007/08/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Preconditions: local checks enabled, Mandrake host, package list collected
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

# Compare each installed imlib2 package against the fixed reference version
flag = 0;
if (rpm_check(release:"MDK2007.1", reference:"imlib2-data-1.2.2-3.1mdv2007.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.1", cpu:"x86_64", reference:"lib64imlib2_1-1.2.2-3.1mdv2007.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.1", cpu:"x86_64", reference:"lib64imlib2_1-devel-1.2.2-3.1mdv2007.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.1", cpu:"x86_64", reference:"lib64imlib2_1-filters-1.2.2-3.1mdv2007.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.1", cpu:"x86_64", reference:"lib64imlib2_1-loaders-1.2.2-3.1mdv2007.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.1", cpu:"i386", reference:"libimlib2_1-1.2.2-3.1mdv2007.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.1", cpu:"i386", reference:"libimlib2_1-devel-1.2.2-3.1mdv2007.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.1", cpu:"i386", reference:"libimlib2_1-filters-1.2.2-3.1mdv2007.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.1", cpu:"i386", reference:"libimlib2_1-loaders-1.2.2-3.1mdv2007.1", yank:"mdv")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```

- NASL family: FreeBSD Local Security Checks
- NASL id: FREEBSD_PKG_92442C4B6F4A11DBBD280012F06707F0.NASL
- description: Secunia reports: Some vulnerabilities have been reported in imlib2, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library. The vulnerabilities are caused due to unspecified errors within the processing of JPG, ARGB, PNG, LBM, PNM, TIFF, and TGA images. This may be exploited to execute arbitrary code by e.g. tricking a user into opening a specially crafted image file with an application using imlib2.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 23665
- published: 2006-11-20
- reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/23665
- title: FreeBSD : Imlib2 -- multiple image file processing vulnerabilities (92442c4b-6f4a-11db-bd28-0012f06707f0)

- NASL family: Fedora Local Security Checks
- NASL id: FEDORA_EXTRAS_2006-004.NASL
- description: M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user were tricked into viewing or processing a specially crafted image with an application that uses imlib2, the flaws could be exploited to execute arbitrary code with the user
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 62278
- published: 2012-09-24
- reporter: This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/62278
- title: Fedora Extras : imlib2-1.2.1-2 (2006-004)

- NASL family: SuSE Local Security Checks
- NASL id: SUSE_IMLIB2-LOADERS-2265.NASL
- description: Various security problems have been fixed in the imlib2 image loaders:
  - CVE-2006-4809: A stack-based buffer overflow in loader_pnm.c could be used by attackers to execute code by supplying a handcrafted PNM image.
  - CVE-2006-4808: A heap buffer overflow in loader_tga.c could potentially be used by attackers to execute code by supplying a handcrafted TGA image.
  - CVE-2006-4807: An out of bounds memory read in loader_tga.c could be used to crash the imlib2 using application with a handcrafted TGA image.
  - CVE-2006-4806: Various integer overflows in width*height calculations could lead to heap overflows which could potentially be used to execute code. Affected here are the ARGB, PNG, LBM, JPEG and TIFF loaders.

  Additionally loading of TIFF images on 64bit systems is now possible. This update obsoletes the previous one, which had problems with JPEG loading.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 27271
- published: 2007-10-17
- reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/27271
- title: openSUSE 10 Security Update : imlib2-loaders (imlib2-loaders-2265)

- NASL family: Ubuntu Local Security Checks
- NASL id: UBUNTU_USN-376-1.NASL
- description: M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user were tricked into viewing or processing a specially crafted image with an application that uses imlib2, the flaws could be exploited to execute arbitrary code with the user
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 27957
- published: 2007-11-10
- reporter: Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/27957
- title: Ubuntu 5.10 / 6.06 LTS / 6.10 : imlib2 vulnerabilities (USN-376-1)

- NASL family: Gentoo Local Security Checks
- NASL id: GENTOO_GLSA-200612-20.NASL
- description: The remote host is affected by the vulnerability described in GLSA-200612-20 (imlib2: Multiple vulnerabilities) M. Joonas Pihlaja discovered several buffer overflows in loader_argb.c, loader_png.c, loader_lbm.c, loader_jpeg.c, loader_tiff.c, loader_tga.c, loader_pnm.c and an out-of-bounds memory read access in loader_tga.c. Impact: An attacker can entice a user to process a specially crafted JPG, ARGB, PNG, LBM, PNM, TIFF, or TGA image with an
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 23957
- published: 2006-12-30
- reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/23957
- title: GLSA-200612-20 : imlib2: Multiple vulnerabilities

- NASL family: SuSE Local Security Checks
- NASL id: SUSE_IMLIB2-LOADERS-2244.NASL
- description: Various security problems have been fixed in the imlib2 image loaders:
  - CVE-2006-4809: A stack-based buffer overflow in loader_pnm.c could be used by attackers to execute code by supplying a handcrafted PNM image.
  - CVE-2006-4808: A heap buffer overflow in loader_tga.c could potentially be used by attackers to execute code by supplying a handcrafted TGA image.
  - CVE-2006-4807: An out of bounds memory read in loader_tga.c could be used to crash the imlib2 using application with a handcrafted TGA image.
  - CVE-2006-4806: Various integer overflows in width*height calculations could lead to heap overflows which could potentially be used to execute code. Affected here are the ARGB, PNG, LBM, JPEG and TIFF loaders.

  Additionally loading of TIFF images on 64bit systems is now possible.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 27270
- published: 2007-10-17
- reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/27270
- title: openSUSE 10 Security Update : imlib2-loaders (imlib2-loaders-2244)

- NASL family: SuSE Local Security Checks
- NASL id: SUSE_IMLIB2-LOADERS-2261.NASL
- description: Various security problems have been fixed in the imlib2 image loaders:
  - A stack-based buffer overflow in loader_pnm.c could be used by attackers to execute code by supplying a handcrafted PNM image. (CVE-2006-4809)
  - A heap buffer overflow in loader_tga.c could potentially be used by attackers to execute code by supplying a handcrafted TGA image. (CVE-2006-4808)
  - An out of bounds memory read in loader_tga.c could be used to crash the imlib2 using application with a handcrafted TGA image. (CVE-2006-4807)
  - Various integer overflows in width*height calculations could lead to heap overflows which could potentially be used to execute code. Affected here are the ARGB, PNG, LBM, JPEG and TIFF loaders. (CVE-2006-4806)

  Additionally loading of TIFF images on 64bit systems now works. This obsoletes a previous update, which had broken JPEG loading.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 29464
- published: 2007-12-13
- reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/29464
- title: SuSE 10 Security Update : imlib2-loaders (ZYPP Patch Number 2261)

- NASL family: Mandriva Local Security Checks
- NASL id: MANDRAKE_MDKSA-2006-198.NASL
- description: M Joonas Pihlaja discovered several vulnerabilities in the Imlib2 graphics library. The load() function of several of the Imlib2 image loaders does not check the width and height of an image before allocating memory. As a result, a carefully crafted image file can trigger a segfault when an application using Imlib2 attempts to view the image. (CVE-2006-4806) The tga loader fails to bounds check input data to make sure the input data doesn
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 24583
- published: 2007-02-18
- reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/24583
- title: Mandrake Linux Security Advisory : imlib2 (MDKSA-2006:198-1)

Statements
contributor | Mark J Cox |
lastmodified | 2006-11-22 |
organization | Red Hat |
statement | Not vulnerable. Red Hat Enterprise Linux 2.1, 3, and 4 do not include imlib2. |
References
- http://secunia.com/advisories/22732
- http://secunia.com/advisories/22744
- http://secunia.com/advisories/22752
- http://secunia.com/advisories/22932
- http://secunia.com/advisories/23441
- http://security.gentoo.org/glsa/glsa-200612-20.xml
- http://www.discontinuity.info/~rowan/pocs/libimlib2_pocs-1.2.0-2.2.tar.gz
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:198
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:156
- http://www.novell.com/linux/security/advisories/2006_26_sr.html
- http://www.osvdb.org/30104
- http://www.securityfocus.com/bid/20903
- http://www.ubuntu.com/usn/usn-376-1
- http://www.ubuntu.com/usn/usn-376-2
- http://www.vupen.com/english/advisories/2006/4349
- https://exchange.xforce.ibmcloud.com/vulnerabilities/30070