Buffer overflow in xloadimage 4.1 (aka xli 1.16 and 1.17) in Linux allows remote attackers to execute arbitrary code via a FACES format image containing a long (1) Firstname or (2) Lastname field.

In 2001, zen-parse discovered a buffer overflow in xloadimage's FACES image loader. A maliciously crafted image could cause xloadimage to execute arbitrary code. A published exploit exists for this vulnerability.

In 2005, Rob Holland discovered that the same vulnerability was present in xli.

A number of vulnerabilities were discovered by Stefano Di Paola in the MySQL server :

If an authenticated user had INSERT privileges on the 'mysql' database, the CREATE FUNCTION command allowed that user to use libc functions to execute arbitrary code with the privileges of the user running the database server (mysql) (CVE-2005-0709).

If an authenticated user had INSERT privileges on the 'mysql' database, it was possible to load a library located in an arbitrary directory by using INSERT INTO mysql.func instead of CREATE FUNCTION.
This also would allow the user to execute arbitrary code with the privileges of the user running the database server (CVE-2005-0710).

Finally, temporary files belonging to tables created with CREATE TEMPORARY TABLE were handled in an insecure manner, allowing any local user to overwrite arbitrary files with the privileges of the database server (CVE-2005-0711).

The updated packages have been patched to correct these issues.

Several vulnerabilities have been discovered in xli, an image viewer for X11. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CAN-2001-0775     A buffer overflow in the decoder for FACES format images     could be exploited by an attacker to execute arbitrary     code. This problem has already been fixed in xloadimage     in DSA 069.

  - CAN-2005-0638

    Tavis Ormandy of the Gentoo Linux Security Audit Team     has reported a flaw in the handling of compressed     images, where shell meta-characters are not adequately     escaped.

  - CAN-2005-0639

    Insufficient validation of image properties in have been     discovered which could potentially result in buffer     management errors.

The remote host is affected by the vulnerability described in GLSA-200503-05 (xli, xloadimage: Multiple vulnerabilities)

    Tavis Ormandy of the Gentoo Linux Security Audit Team has reported that     xli and xloadimage contain a flaw in the handling of compressed images,     where shell meta-characters are not adequately escaped. Rob Holland of     the Gentoo Linux Security Audit Team has reported that an xloadimage     vulnerability in the handling of Faces Project images discovered by     zen-parse in 2001 remained unpatched in xli. Additionally, it has been     reported that insufficient validation of image properties in xli could     potentially result in buffer management errors.
  Impact :

    Successful exploitation would permit a remote attacker to execute     arbitrary shell commands, or arbitrary code with the privileges of the     xloadimage or xli user.
  Workaround :

    There is no known workaround at this time.

The version of xloadimage (a graphics files viewer for X) that was  shipped in Debian GNU/Linux 2.2 has a buffer overflow in the code  that handles FACES format images. This could be exploited by an  attacker by tricking someone into viewing a specially crafted image  using xloadimagewhich would allow them to execute arbitrary code.

This problem was fixed in version 4.1-5potato1.

A buffer overflow exists in xli due to missing boundary checks. This could be triggered by an external attacker to execute commands on the victim's machine. An exploit is publically available. xli is an image viewer that is used by Netscape's plugger to display TIFF, PNG, and Sun-Raster images.

Update :

The xloadimage package uses the same code as xli and is likewise vulnerable. An update is provided for xloadimage which was only provided with Linux-Mandrake 7.2.

ID	Name	Product	Family	Severity
19022	FreeBSD : xloadimage -- buffer overflow in FACES image handling (8c1da77d-d3e9-11d9-8ffb-00061bc2ad93)	Nessus	FreeBSD Local Security Checks	high
17601	Mandrake Linux Security Advisory : MySQL (MDKSA-2005:060)	Nessus	Mandriva Local Security Checks	high
17578	Debian DSA-695-1 : xli - buffer overflow, input sanitising, integer overflow	Nessus	Debian Local Security Checks	high
17261	GLSA-200503-05 : xli, xloadimage: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
14906	Debian DSA-069-1 : xloadimage - buffer overflow	Nessus	Debian Local Security Checks	high
13888	Mandrake Linux Security Advisory : xloadimage (MDKSA-2001:073-1)	Nessus	Mandriva Local Security Checks	high

Detections

Analytics

CVE-2001-0775

critical

Tenable Plugins

high

high

high

high

high

high