J-Security Center

Title: xloadimage Buffer Overflow Vulnerability

Severity: HIGH

Description:

xloadimage is a utility used for displaying images of varying formats on X11 servers.

xloadimage and possibly derivatives such as 'xli' contain a buffer overflow vulnerability in the handling of the 'Faces Project' image type. During processing of the image file, the "Firstname" and "Lastname" fields are copied into local variables. This is done via strcpy(), which performs no bounds checking.

It is possible to create a file according to the 'Faces Project' file format specifications containing 'Firstname' and 'Lastname' fields that are larger than the buffers allocated to store them. When they are copied via strcpy(), the excessive data will overwrite neighboring memory on the stack. The function stack frame in xloadimage is overwritten and can be corrupted so that the function returns to shellcode. xloadimage is not setuid however, so locally this condition is not a vulnerability.

An optional netscape plugin shipped with Red Hat powertools invokes xloadimage to load certain image types. If this plugin is in use, this vulnerability may be remotely exploitable if an attacker places the exploit-file on a webserver.

S.u.S.E. Linux also ships with plugger, which invokes a derivative of xloadimage called 'xli'. 'xli' is also vulnerable.

Affected Products:

  • Debian Linux 3.0.0
  • Debian Linux 3.0.0 alpha
  • Debian Linux 3.0.0 arm
  • Debian Linux 3.0.0 hppa
  • Debian Linux 3.0.0 ia-32
  • Debian Linux 3.0.0 ia-64
  • Debian Linux 3.0.0 m68k
  • Debian Linux 3.0.0 mips
  • Debian Linux 3.0.0 mipsel
  • Debian Linux 3.0.0 ppc
  • Debian Linux 3.0.0 s/390
  • Debian Linux 3.0.0 sparc
  • Debian Linux 3.1.0
  • Debian Linux 3.1.0 alpha
  • Debian Linux 3.1.0 amd64
  • Debian Linux 3.1.0 arm
  • Debian Linux 3.1.0 hppa
  • Debian Linux 3.1.0 ia-32
  • Debian Linux 3.1.0 ia-64
  • Debian Linux 3.1.0 m68k
  • Debian Linux 3.1.0 mips
  • Debian Linux 3.1.0 mipsel
  • Debian Linux 3.1.0 ppc
  • Debian Linux 3.1.0 s/390
  • Debian Linux 3.1.0 sparc
  • Gentoo Linux
  • MandrakeSoft Corporate Server 2.1.0
  • MandrakeSoft Corporate Server 2.1.0 x86_64
  • MandrakeSoft Corporate Server 3.0.0
  • MandrakeSoft Corporate Server 3.0.0 x86_64
  • MandrakeSoft Linux Mandrake 10.0.0
  • MandrakeSoft Linux Mandrake 10.0.0 amd64
  • MandrakeSoft Linux Mandrake 10.1.0
  • MandrakeSoft Linux Mandrake 10.1.0 x86_64
  • MandrakeSoft Linux Mandrake 10.2.0
  • MandrakeSoft Linux Mandrake 10.2.0 x86_64
  • S.u.S.E. Linux 6.3.0
  • S.u.S.E. Linux 6.4.0
  • S.u.S.E. Linux 7.0.0
  • S.u.S.E. Linux 7.1.0
  • S.u.S.E. Linux 7.2.0
  • Turbolinux Home
  • Turbolinux Turbolinux Desktop 10.0.0
  • Turbolinux Turbolinux Server 10.0.0
  • Turbolinux Turbolinux Server 7.0.0
  • Turbolinux Turbolinux Server 8.0.0
  • Turbolinux Turbolinux Workstation 7.0.0
  • Turbolinux Turbolinux Workstation 8.0.0
  • xli xli 1.16.0
  • xli xli 1.17.0
  • xloadimage xloadimage 4.1.0

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.