xloadimage before 4.1-r2, and xli before 1.17, allows attackers to execute arbitrary commands via shell metacharacters in filenames for compressed images, which are not properly quoted when calling the gunzip command.

A new xloadimage package that fixes bugs in handling malformed tiff and pbm/pnm/ppm images, and in handling metacharacters in filenames is now available.

This update has been rated as having low security impact by the Red Hat Security Response Team.

The xloadimage utility displays images in an X Window System window, loads images into the root window, or writes images into a file.
Xloadimage supports many image types (including GIF, TIFF, JPEG, XPM, and XBM).

A flaw was discovered in xloadimage where filenames were not properly quoted when calling the gunzip command. An attacker could create a file with a carefully crafted filename so that it would execute arbitrary commands if opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0638 to this issue.

Another bug in xloadimage would cause it to crash if called with certain invalid TIFF, PNM, PBM, or PPM file names.

All users of xloadimage should upgrade to this erratum package which contains backported patches to correct these issues.

This update fixes CVE-2005-0638, a problem in the parsing of shell metacharacters in filenames. It also fixes bugs in handling of malformed TIFF and PBM/PNM/PPM issues.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Tavis Ormandy discovered that xli and xloadimage attempt to decompress images by piping them through gunzip or similar decompression tools.
Unfortunately, the unsanitized file name is included as part of the command. This is dangerous, as in some situations, such as mailcap processing, an attacker may control the input file name. As a result, an attacker may be able to cause arbitrary command execution.

A number of vulnerabilities have been found in the xli image viewer.
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a flaw in the handling of compressed images where shell meta-characters are not properly escaped (CVE-2005-0638). It was also found that insufficient validation of image properties could potentially result in buffer management errors (CVE-2005-0639).

The updated packages have been patched to correct these problems.

The remote Redhat Enterprise Linux 4 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2005:332 advisory.

    The xloadimage utility displays images in an X Window System window,     loads images into the root window, or writes images into a file.
    Xloadimage supports many image types (including GIF, TIFF, JPEG, XPM,     and XBM).

    A flaw was discovered in xloadimage where filenames were not properly     quoted when calling the gunzip command.  An attacker could create a file     with a carefully crafted filename so that it would execute arbitrary     commands if opened by a victim.  The Common Vulnerabilities and     Exposures project (cve.mitre.org) has assigned the name CAN-2005-0638 to     this issue.

    Another bug in xloadimage would cause it to crash if called with certain     invalid TIFF, PNM, PBM, or PPM file names.

    All users of xloadimage should upgrade to this erratum package which     contains backported patches to correct these issues.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

A number of vulnerabilities were discovered by Stefano Di Paola in the MySQL server :

If an authenticated user had INSERT privileges on the 'mysql' database, the CREATE FUNCTION command allowed that user to use libc functions to execute arbitrary code with the privileges of the user running the database server (mysql) (CVE-2005-0709).

If an authenticated user had INSERT privileges on the 'mysql' database, it was possible to load a library located in an arbitrary directory by using INSERT INTO mysql.func instead of CREATE FUNCTION.
This also would allow the user to execute arbitrary code with the privileges of the user running the database server (CVE-2005-0710).

Finally, temporary files belonging to tables created with CREATE TEMPORARY TABLE were handled in an insecure manner, allowing any local user to overwrite arbitrary files with the privileges of the database server (CVE-2005-0711).

The updated packages have been patched to correct these issues.

Several vulnerabilities have been discovered in xli, an image viewer for X11. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CAN-2001-0775     A buffer overflow in the decoder for FACES format images     could be exploited by an attacker to execute arbitrary     code. This problem has already been fixed in xloadimage     in DSA 069.

  - CAN-2005-0638

    Tavis Ormandy of the Gentoo Linux Security Audit Team     has reported a flaw in the handling of compressed     images, where shell meta-characters are not adequately     escaped.

  - CAN-2005-0639

    Insufficient validation of image properties in have been     discovered which could potentially result in buffer     management errors.

Several vulnerabilities have been discovered in xloadimage, an image viewer for X11. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CAN-2005-0638     Tavis Ormandy of the Gentoo Linux Security Audit Team     has reported a flaw in the handling of compressed     images, where shell meta-characters are not adequately     escaped.

  - CAN-2005-0639

    Insufficient validation of image properties have been     discovered which could potentially result in buffer     management errors.

The remote host is affected by the vulnerability described in GLSA-200503-05 (xli, xloadimage: Multiple vulnerabilities)

    Tavis Ormandy of the Gentoo Linux Security Audit Team has reported that     xli and xloadimage contain a flaw in the handling of compressed images,     where shell meta-characters are not adequately escaped. Rob Holland of     the Gentoo Linux Security Audit Team has reported that an xloadimage     vulnerability in the handling of Faces Project images discovered by     zen-parse in 2001 remained unpatched in xli. Additionally, it has been     reported that insufficient validation of image properties in xli could     potentially result in buffer management errors.
  Impact :

    Successful exploitation would permit a remote attacker to execute     arbitrary shell commands, or arbitrary code with the privileges of the     xloadimage or xli user.
  Workaround :

    There is no known workaround at this time.

ID	Name	Product	Family	Severity
67025	CentOS 3 : xloadimage (CESA-2005:332-01)	Nessus	CentOS Local Security Checks	high
21924	CentOS 3 / 4 : xloadimage (CESA-2005:332)	Nessus	CentOS Local Security Checks	high
19629	Fedora Core 3 : xloadimage-4.1-34.FC3 (2005-237)	Nessus	Fedora Local Security Checks	high
18892	FreeBSD : xloadimage -- arbitrary command execution when handling compressed files (310d0087-0fde-4929-a41f-96f17c5adffe)	Nessus	FreeBSD Local Security Checks	high
18317	Fedora Core 2 : xloadimage-4.1-34.FC2 (2005-236)	Nessus	Fedora Local Security Checks	high
18106	Mandrake Linux Security Advisory : xli (MDKSA-2005:076)	Nessus	Mandriva Local Security Checks	high
18093	RHEL 4 : xloadimage (RHSA-2005:332)	Nessus	Red Hat Local Security Checks	critical
17601	Mandrake Linux Security Advisory : MySQL (MDKSA-2005:060)	Nessus	Mandriva Local Security Checks	high
17578	Debian DSA-695-1 : xli - buffer overflow, input sanitising, integer overflow	Nessus	Debian Local Security Checks	high
17577	Debian DSA-694-1 : xloadimage - missing input sanitising, integer overflow	Nessus	Debian Local Security Checks	high
17261	GLSA-200503-05 : xli, xloadimage: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high

Detections

Analytics

CVE-2005-0638

critical

Tenable Plugins

high

high

high

high

high

high

critical

high

high

high

high