libxpm: Changes to 'debian-wheezy'
New branch 'debian-wheezy' available with the following commits:
commit b6d4351808219ac8485ed2337ad60ac0a6ef4331
Author: Emilio Pozuelo Monfort <pochu@debian.org>
Date: Wed Jan 25 18:14:47 2017 +0100
Release to wheezy-security
commit be426a11b9a34235ea5d8825a44a22f5fefedf2a
Author: Emilio Pozuelo Monfort <pochu@debian.org>
Date: Wed Jan 25 18:14:27 2017 +0100
Document cherry-pick
commit 71584b5e2c64b481a61fde2035fdf69706db3c94
Author: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Thu Dec 8 17:07:55 2016 +0100
Avoid OOB write when handling malicious XPM files.
libXpm uses unsigned int to store sizes, which fits size_t on 32 bit
systems, but leads to issues on 64 bit systems.
On 64 bit systems, it is possible to overflow 32 bit integers while
parsing XPM extensions in a file.
At first, it looks like a rather unimportant detail, because nobody
will seriously open a 4 GB file. But unfortunately XPM has support for
gzip compression out of the box. An attacker can therefore craft a
compressed file which is merely 4 MB in size, which makes an attack
much for feasable.
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
Reply to: