X.Org Foundation Security Advisory For The X Window System
17 November 2004
- - - - - - - - - - - - - - - - - - - - -

Brookline MA, November 17, 2004 - The X.Org Foundation today announced the release of a patch for the X Window System, which addresses the security vulnerability first announced on September 15, 2004, with the release of source patch CAN-2004-0687-0688.patch.

X.Org was made aware of additional security vulnerabilities in libXpm, the X Pixmap library, which is shipped as part of the X Window System. The affected library is used in many popular applications for image viewing and manipulation. This library was the subject of recent security advisories (CAN-2004-0687 and CAN-2004-0688).

1. Affected versions

All X.Org releases up to and including R6.8.1 are vulnerable. Products such as XFree86, lesstif and OpenMotif, which include libXpm, are likely to be affected.

2. Description

libXpm is a library for manipulating pixmaps used by the X Window System. After the X11R6.8.1 security release, a more extensive security audit was made. Several integer overflows and out-of-bounds memory accesses have been identified and fixed, a path traversal has been fixed, and shell command execution has been made more secure. This new fix also addresses possible endless loops and memory leaks.

These vulnerabilities may allow an application linking against libXpm to crash, to become unusable, or to execute other code as the user running an application linked against libXpm.

3. CVE Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0914 to these issues. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. You may check:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0914

4. Available Patch

A source patch is available for:

X.Org Release 6.8.0 under:
http://www.x.org/pub/X11R6.8.0/patches/xorg-680-CAN-2004-0914.patch

and X.Org Release 6.8.1 under:
http://www.x.org/pub/X11R6.8.1/patches/xorg-681-CAN-2004-0914.patch

and from X.Org mirror sites world-wide.

5. Acknowledgments

The X.Org Foundation would like to thank Petr Mladek for identifying the vulnerabilities and providing a patch, and Thomas Biege for systematically reviewing the libXpm code and fixing additional possible vulnerabilities. The X.Org Foundation would also like to thank Matthieu Herrb and Jacques A. Vidrine for their help in auditing the code, reviewing the patch and suggesting additional fixes.
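The integer overflows named in section 2 are of the kind that occur when dimensions read from an untrusted pixmap header are multiplied to size a buffer. The C below is an added illustration of that pattern and its fix; it is not libXpm's code, and the function names and the width/height/chars-per-pixel parameters are assumptions made for the example. It places the unchecked sizing beside a checked form that refuses to allocate when the product would wrap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Illustrative example (not libXpm's code): an XPM header declares width,
 * height and chars-per-pixel (cpp); the parser then sizes a buffer from
 * them.  Multiplying attacker-controlled dimensions without a check can
 * wrap, producing a buffer far smaller than the data later written into it. */

/* Unchecked 32-bit sizing, the defect pattern: 65536 * 65536 * 1 wraps to 0. */
uint32_t xpm_size_unchecked(unsigned width, unsigned height, unsigned cpp)
{
    return (uint32_t)width * (uint32_t)height * (uint32_t)cpp;
}

/* Checked sizing: returns 1 and stores the byte count on success; returns 0
 * (and stores 0) for a zero dimension or when any product would overflow. */
int xpm_size_checked(unsigned width, unsigned height, unsigned cpp,
                     size_t *out_size)
{
    *out_size = 0;
    if (width == 0 || height == 0 || cpp == 0)
        return 0;
    if ((size_t)width > SIZE_MAX / height)        /* width * height wraps? */
        return 0;
    size_t pixels = (size_t)width * height;
    if (pixels > SIZE_MAX / cpp)                  /* pixels * cpp wraps? */
        return 0;
    *out_size = pixels * cpp;
    return 1;
}

/* Allocate the pixel buffer only when the size computation is sound;
 * NULL means the header was rejected rather than silently under-allocated. */
unsigned char *xpm_alloc_pixels(unsigned width, unsigned height, unsigned cpp,
                                size_t *out_size)
{
    if (!xpm_size_checked(width, height, cpp, out_size))
        return NULL;
    return malloc(*out_size);
}
```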