Package: xli
Version: 1.17.0-16 (not installed)
Severity: grave
Justification: user security hole

[Cc:ing security, as Woody should be affected as well]

Multiple security problems in xli have been found by the Gentoo Security folks:

1. Shell meta characters are inaccurately escaped in compressed images.
2. A buffer overflow in "Faces Project images" parsing allows execution of arbitrary code.
3. Insufficient validation of image properties in xli could potentially result in buffer management errors (no further information given wrt the impact of this vulnerability).

Fixes: All problems have been fixed in the latest xli (which doesn't have overly many differences to the version in sid):

> Sun Feb 27 15:16:08 PST 2005
>
> Fix a security problem in the faces loader, a security problem when
> opening compressed files, and check for integer overflows in image data
> size calculations.

Note: There only seems to be a CAN assignment for the faces overflow (CAN-2001-0775), not for the remaining issues. Could anyone from the security team please request one?

Cheers,
Moritz

--
Moritz Muehlenhoff [EMAIL PROTECTED]        fon: +49 421 22 232- 0
Development Linux for Your Business         fax: +49 421 22 232-99
Univention GmbH http://www.univention.de/   mobil: +49 175 22 999 23

-- System Information:
Debian Release: 3.0
Architecture: i386
Kernel: Linux anton 2.4.29-univention.1 #1 SMP Thu Jan 27 17:08:46 CET 2005 i686
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED]
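The third item and the upstream changelog line about checking "for integer overflows in image data size calculations" describe a classic image-loader defect: header-supplied dimensions are multiplied without a bound check, the product wraps, and a too-small buffer is allocated. The following is an added C example (not xli's code; the function names are hypothetical) showing a naive 32-bit size calculation that wraps, beside a checked version a loader would call before allocating.

```c
#include <stdint.h>
#include <stdlib.h>

/* Naive calculation in 32-bit arithmetic: width * height * bpp wraps
 * silently, so e.g. 65536 x 65536 x 1 yields 0. Shown for contrast. */
uint32_t naive_size_u32(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Checked calculation: returns 1 and stores the byte count in *out only
 * if width * height * bpp fits in size_t; returns 0 otherwise.
 * Hypothetical helper, not taken from xli. */
int image_buffer_size(uint32_t width, uint32_t height, uint32_t bpp,
                      size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0)
        return 0;                          /* degenerate header */
    if ((size_t)width > SIZE_MAX / bpp)    /* row = width * bpp */
        return 0;
    size_t row = (size_t)width * bpp;
    if ((size_t)height > SIZE_MAX / row)   /* total = row * height */
        return 0;
    *out = row * height;
    return 1;
}

/* Allocate the pixel buffer only from a checked size; NULL means the
 * header was rejected or the allocation failed, so the caller must not
 * proceed to copy image data. */
unsigned char *alloc_image(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n;
    if (!image_buffer_size(width, height, bpp, &n))
        return NULL;
    return malloc(n);
}
```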