The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.

Trevor Johnson reported that the Red Hat Linux RPMs used by linux_base contained multiple older vulnerabilities, such as a DNS resolver issue and critical bugs in X font handling and XPM image handling.

New Qt packages are available for Slackware 9.0, 9.1, 10.0, and
-current to fix security issues. Bugs in the routines that handle PNG, BMP, GIF, and JPEG images may allow an attacker to cause unauthorized code to execute when a specially crafted image file is processed.
These flaws may also cause crashes that lead to a denial of service.

The remote host is missing Security Update 2005-005. This security
update contains security fixes for the following application :

- Apache
- AppKit
- AppleScript
- Bluetooth
- Directory Services
- Finder
- Foundation
- HelpViewer
- LDAP
- libXpm
- lukemftpd
- NetInfo
- ServerAdmin
- sudo
- Terminal
- VPN 

Updated XFree86 packages that fix several security issues in libXpm, as well as other bug fixes, are now available for Red Hat Enterprise Linux 2.1.

XFree86 is an open source implementation of the X Window System. It provides the basic low level functionality which full fledged graphical user interfaces (GUIs) such as GNOME and KDE are designed upon.

During a source code audit, Chris Evans discovered several stack overflow flaws and an integer overflow flaw in the X.Org libXpm library used to decode XPM (X PixMap) images. An attacker could create a carefully crafted XPM file which would cause an application to crash or potentially execute arbitrary code if opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0687, CVE-2004-0688, and CVE-2004-0692 to these issues.

These packages also contain a bug fix to lower the RGB output voltage on Dell servers using the ATI Radeon 7000m card.

Users are advised to upgrade to these erratum packages which contain backported patches to correct these issues.

Updated XFree86 packages that fix several security flaws in libXpm, as well as other bugs, are now available for Red Hat Enterprise Linux 3.

XFree86 is an open source implementation of the X Window System. It provides the basic low level functionality which full fledged graphical user interfaces (GUIs) such as GNOME and KDE are designed upon.

During a source code audit, Chris Evans discovered several stack overflow flaws and an integer overflow flaw in the X.Org libXpm library used to decode XPM (X PixMap) images. An attacker could create a carefully crafted XPM file which would cause an application to crash or potentially execute arbitrary code if opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0687, CVE-2004-0688, and CVE-2004-0692 to these issues.

A flaw was found in the X Display Manager (XDM). XDM is shipped with Red Hat Enterprise Linux, but is not used by default. XDM opened a chooserFd TCP socket even if the DisplayManager.requestPort parameter was set to 0. This allowed authorized users to access a machine remotely via X, even if the administrator had configured XDM to refuse such connections. Although XFree86 4.3.0 was not vulnerable to this issue, Red Hat Enterprise Linux 3 contained a backported patch which introduced this flaw. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0419 to this issue.

Users are advised to upgrade to these erratum packages, which contain backported security patches to correct these and a number of other issues.

Several vulnerabilities were discovered in recent versions of Qt, a commonly used graphic widget set, used in KDE for example. The first problem allows an attacker to execute arbitrary code, while the other two only seem to pose a denial of service danger. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities :

  - CAN-2004-0691 :
    Chris Evans has discovered a heap-based overflow when     handling 8-bit RLE encoded BMP files.

  - CAN-2004-0692 :

    Marcus Meissner has discovered a crash condition in the     XPM handling code, which is not yet fixed in Qt 3.3.

  - CAN-2004-0693 :

    Marcus Meissner has discovered a crash condition in the     GIF handling code, which is not yet fixed in Qt 3.3.

The remote host is affected by the vulnerability described in GLSA-200408-20 (Qt: Image loader overflows)

    There are several unspecified bugs in the QImage class which may cause     crashes or allow execution of arbitrary code as the user running the Qt     application. These bugs affect the PNG, XPM, BMP, GIF and JPEG image     types.
  Impact :

    An attacker may exploit these bugs by causing a user to open a     carefully-constructed image file in any one of these formats. This may     be accomplished through e-mail attachments (if the user uses KMail), or     by simply placing a malformed image on a website and then convicing the     user to load the site in a Qt-based browser (such as Konqueror).
  Workaround :

    There is no known workaround at this time. All users are encouraged to     upgrade to the latest available version of Qt.

Qt contains several vulnerabilities related to image loading, including possible crashes when loading corrupt GIF, BMP, or JPEG images. Most seriously, Chris Evans reports that the BMP crash is actually due to a heap buffer overflow. It is believed that an attacker may be able to construct a BMP image that could cause a Qt-using application to execute arbitrary code when it is loaded.

Chris Evans discovered a heap-based overflow in the QT library when handling 8-bit RLE encoded BMP files. This vulnerability could allow for the compromise of the account used to view or browse malicious BMP files. On subsequent investigation, it was also found that the handlers for XPM, GIF, and JPEG image types were also faulty.

These problems affect all applications that use QT to handle image files, such as QT-based image viewers, the Konqueror web browser, and others.

The updated packages have been patched to correct these problems.

Updated qt packages that fix security issues in several of the image decoders are now available.

Qt is a software toolkit that simplifies the task of writing and maintaining GUI (Graphical User Interface) applications for the X Window System.

During a security audit, Chris Evans discovered a heap overflow in the BMP image decoder in Qt versions prior to 3.3.3. An attacker could create a carefully crafted BMP file in such a way that it would cause an application linked with Qt to crash or possibly execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0691 to this issue.

Additionally, various flaws were discovered in the GIF, XPM, and JPEG decoders in Qt versions prior to 3.3.3. An attacker could create carefully crafted image files in such a way that it could cause an application linked against Qt to crash when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0692 and CVE-2004-0693 to these issues.

Users of Qt should update to these updated packages which contain backported patches and are not vulnerable to these issues.

The remote host is missing the patch for the advisory SUSE-SA:2004:027 (qt3/qt3-non-mt/qt3-32bit/qt3-static).


The QT-library is an environment for GUI-programming and is used in various well-known projects, like KDE.

There is a heap overflow in the BMP image format parser.  An attacker, exploiting this flaw, would need to be able to coerce a local user or program to process a specially crafted image file.  Upon successful exploitation, the attacker would be able to execute arbitrary code.

In addition, there are 2 distinct flaws within the XPM parser which, when exploited, lead to a Denial of Service (DoS).

The remote host is missing Security Update 2005-005. This security
update contains security fixes for the following application :

- Apache
- AppKit
- AppleScript
- Bluetooth
- Directory Services
- Finder
- Foundation
- HelpViewer
- LDAP
- libXpm
- lukemftpd
- NetInfo
- ServerAdmin
- sudo
- Terminal
- VPN

ID	Name	Product	Family	Severity
19106	FreeBSD : linux_base -- vulnerabilities in Red Hat 7.1 libraries (bf2e7483-d3fa-440d-8c6e-8f1f2f018818)	Nessus	FreeBSD Local Security Checks	critical
18767	Slackware 10.0 / 9.0 / 9.1 / current : Qt (SSA:2004-236-01)	Nessus	Slackware Local Security Checks	high
2878	Mac OS X Multiple Vulnerabilities (Security Update 2005-005)	Nessus Network Monitor	Web Clients	high
15440	RHEL 2.1 : XFree86 (RHSA-2004:479)	Nessus	Red Hat Local Security Checks	high
15426	RHEL 3 : XFree86 (RHSA-2004:478)	Nessus	Red Hat Local Security Checks	high
15379	Debian DSA-542-1 : qt - unsanitised input	Nessus	Debian Local Security Checks	high
14576	GLSA-200408-20 : Qt: Image loader overflows	Nessus	Gentoo Local Security Checks	high
14340	FreeBSD : qt -- image loader vulnerabilities (ebffe27a-f48c-11d8-9837-000c41e2cdad)	Nessus	FreeBSD Local Security Checks	high
14334	Mandrake Linux Security Advisory : qt3 (MDKSA-2004:085)	Nessus	Mandriva Local Security Checks	high
14326	RHEL 2.1 / 3 : qt (RHSA-2004:414)	Nessus	Red Hat Local Security Checks	high
14322	SUSE-SA:2004:027: qt3/qt3-non-mt/qt3-32bit/qt3-static	Nessus	SuSE Local Security Checks	high
800799	Mac OS X Multiple Vulnerabilities (Security Update 2005-005)	Log Correlation Engine	Operating System Detection	high

Detections

Analytics

CVE-2004-0692

medium

Tenable Plugins

critical

high

high

high

high

high

high

high

high

high

high

high