CERTVU:537878libXpm library contains multiple integer overflow vulnerabilities
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.348 Low
EPSS
Percentile
97.1%
Overview
libXpm contains multiple integer overflow vulnerabilities that may allow an attacker to cause a denial-of-service condition or execute arbitrary code.
Description
XPM is a format for encoding and decoding X PixMap images that is used in the X Windows System 11 (X11). libXpm is a library of functions used to manipulate XPM images. Multiple libXpmroutines contain integer overflow vulnerabilities including, but not necessarily limited to, the following functions:
* `xpmParseColors `
* `XpmCreateImageFromXpmImage`
* `CreateXImage`
* `ParsePixels`
* `ParseAndPutPixels`
* `ParsePixels`
These issues are the result of insufficient validation of user-supplied data. Consequently, an attacker may be able to exploit these vulnerabilities by supplying an application using libXpm with a specially crafted XPM image. Applications that receive input from remote sources may be remotely exploitable.
Any program that uses the libXpm library may be affected by this issue. Users are encouraged to contact their vendors to determine if they are vulnerable.
Impact
Specific impacts depend on the application and libXpm routine being attacked. Potential consequences range from abrupt and abnormal program termination to the execution of arbitrary code with the privileges of the compromised program.
Solution
Apply a Patch for X11 Version 6.8.0
The X.org Foundation has released a patch to address this issue in version 6.8.0. In addition, several vendors of relevant or derived implementations have released patches to address this vulnerability; please contact those vendors for further details.
Upgrade X11
This issue has been fixed in X11 version 6.8.1.
Vendor Information
537878
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Debian __ Affected
Notified: September 23, 2004 Updated: October 11, 2004
Status
Affected
Vendor Statement
The Debian operating system is vulnerable to this problem. Fixed packageshave been prepared.
For the stable distribution (woody) this problem has been fixed in version 0.93.18-5 of lesstif1-1.
For the unstable distribution (sid) this problem has been fixed in version 0.93.94-10 of lesstif1-1.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
FreeBSD __ Affected
Notified: September 23, 2004 Updated: October 11, 2004
Status
Affected
Vendor Statement
The XPM vulnerabilities affected some applications in the FreeBSD Ports Collection. Details may be found at
<http://vuxml.freebsd.org/ef253f8b-0727-11d9-b45d-000c41e2cdad.html>.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
Hewlett-Packard Company __ Affected
Notified: September 23, 2004 Updated: October 06, 2005
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Please see:
<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=PSD_HPSBTU01228>
for patch information for Hewlett Packard systems.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
SuSE Inc. __ Affected
Notified: September 23, 2004 Updated: October 11, 2004
Status
Affected
Vendor Statement
Suse has already released our updates for libXpm.
<http://www.suse.de/de/security/2004_34_xfree86_libs_xshared.html>
Customers can update their systems by using theYaST Online Update (YOU) tool or installing the RPM file directly from
<http://www.suse.de/en/private/download/updates/index.html>.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
Apple Computer Inc. Unknown
Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
BSDI Unknown
Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
Connectiva Unknown
Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
Cray Inc. Unknown
Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
EMC Corporation Unknown
Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
Engarde Unknown
Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
F5 Networks Unknown
Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
Fujitsu Unknown
Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
Gentoo Unknown
Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
Hitachi Unknown
Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
IBM Unknown
Notified: September 23, 2004 Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
IBM eServer Unknown
Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
IBM-zSeries Unknown
Notified: September 23, 2004 Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
Immunix Unknown
Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
Ingrian Networks Unknown
Notified: September 23, 2004 Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
Juniper Networks Unknown
Notified: September 23, 2004 Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
MandrakeSoft Unknown
Notified: September 23, 2004 Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
MontaVista Software Unknown
Notified: September 23, 2004 Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
NEC Corporation Unknown
Notified: September 23, 2004 Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
NETBSD Unknown
Notified: September 23, 2004 Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
Nokia Unknown
Notified: September 23, 2004 Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
Novell Unknown
Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
OpenBSD Unknown
Updated: September 27, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
Openwall GNU/*/Linux Unknown
Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
Red Hat Inc. Unknown
Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
SCO Unknown
Notified: September 23, 2004 Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
SGI Unknown
Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
Sequent Unknown
Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
Sony Corporation Unknown
Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
Sun Microsystems Inc. Unknown
Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
TurboLinux Unknown
Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
Unisys Unknown
Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
Wind River Systems Inc. Unknown
Notified: September 23, 2004 Updated: October 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
X Consortium Unknown
Updated: September 20, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
X11 Unknown
Updated: September 30, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23537878 Feedback>).
View all 39 vendors __View less vendors __
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- <http://scary.beasts.org/security/CESA-2004-003.txt>
- <http://secunia.com/advisories/12549/>
- <http://www.securitytracker.com/alerts/2004/Sep/1011324.html>
- <http://www.x.org/pub/X11R6.8.0/patches/README.xorg-CAN-2004-0687-0688.patch>
Acknowledgements
This vulnerability was publicly reported by Chris Evans.
This document was written by Jeffrey Gennari.
Other Information
| CVE IDs: | CVE-2004-0688 |
|---|---|
| Severity Metric: | 2.82 Date Public: |
Related
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.348 Low
EPSS
Percentile
97.1%