New Set Of Linux Security Flaws Unveiled

edited December 2004 in Science & Tech
A security researcher has uncovered yet another set of security flaws in an image component, which could put Linux users at risk of system compromise if they view a maliciously crafted image.
The bugs, in the imlib image library found in most Linux systems, haven't been patched by the library's developer, but Linux vendors are currently rushing out patches. So far Gentoo, Suse and others have released fixes.

Researcher Pavel Kankovsky found that several integer overflows in image decoding routines could be exploited to cause buffer overflows and potentially execute malicious code on a user's system, according to advisories from Suse, Gentoo and independent security firm Secunia. The bugs can be exploited by tricking a user into viewing a specially crafted image in one of the many applications linked to imlib.

Imlib is one of the most popular image manipulation and rendering libraries available, according to open source developers, and was the rendering engine for the Gnome user interface until the release of Gnome 2.0.

In September a similar bug affected both imlib 1.x and imlib2 1.x. Other imaging-related components, in Linux, Windows and other platforms, have been hit by bugs this year. One of the most serious was a JPEG-rendering flaw in Windows, which was patched in mid-September. A few days later attackers began exploiting the flaw with pornographic images posted to Usenet news groups.
Source: TechWorld
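
The bug class the article describes, an integer overflow in an image decoder's size calculation that leads to a buffer overflow, shown beside a checked form. This is an added example, not imlib's code and not from the article or the advisories; the function names, the `MAX_DIM` limit and the header values are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_DIM 32767u  /* assumed policy limit on width/height, not from the page */

/* Pattern that wraps: 32-bit product of header fields taken from the file. */
static uint32_t unchecked_size(uint32_t w, uint32_t h, uint32_t bpp)
{
    return w * h * bpp;                 /* computed modulo 2^32 */
}

/* Checked form: 0 on success with *out set, -1 if the header is rejected. */
static int checked_size(uint32_t w, uint32_t h, uint32_t bpp, size_t *out)
{
    if (w == 0 || h == 0 || bpp == 0 || bpp > 4)
        return -1;
    if (w > MAX_DIM || h > MAX_DIM)
        return -1;
    if ((size_t)w > SIZE_MAX / h)       /* w * h would overflow */
        return -1;
    size_t pixels = (size_t)w * h;
    if (pixels > SIZE_MAX / bpp)        /* pixels * bpp would overflow */
        return -1;
    *out = pixels * bpp;
    return 0;
}

/* Allocate a pixel buffer only when the size computation is known good. */
static unsigned char *alloc_pixels(uint32_t w, uint32_t h, uint32_t bpp)
{
    size_t n;
    if (checked_size(w, h, bpp, &n) != 0)
        return NULL;
    return calloc(1, n);
}

int main(void)
{
    /* Constructed header values: 0x40000001 x 1 at 4 bytes per pixel. */
    uint32_t w = 0x40000001u, h = 1, bpp = 4;
    size_t n = 0;
    printf("unchecked size: %u bytes\n", (unsigned)unchecked_size(w, h, bpp));
    printf("checked: %s\n", checked_size(w, h, bpp, &n) == 0 ? "accepted" : "rejected");
    unsigned char *p = alloc_pixels(640, 480, 4);
    printf("640x480x4: %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

With the unchecked form, the wrapped size is far smaller than the pixel data the decoder goes on to write, which is how the integer overflow becomes a buffer overflow.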

Comments

  • Straight_Man
    edited December 2004
    .jpeg, .jpg, .png, and some types of .tif were affected. I think ImgLib also was affected (that is what I have been seeing in security vuln co-ord docs). This is a base graphics parsing problem set shared by most things that use .jpg and some that use .png. This is not a Linux-only flaw set in its entirety, by any means. Just think that needs clarifying. ImLib is indeed the Gnome graphics parser for some versions of Gnome and some Gnome-code-reliant desktops, but not all Linux boxes even use it, or they do not always use it. I run KDE and it uses a different base lib for image manipulation (that is where the im part of imlib's name came from, and imlib is not meaning instant messaging library). That lib was ALSO patched, but before this vuln was.