Vulnerability Details: CVE-2008-5187
The load function in the XPM loader for imlib2 1.4.2, and possibly other versions, allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted XPM file that triggers a "pointer arithmetic error" and a heap-based buffer overflow, a different vulnerability than CVE-2008-2426.
Vulnerability category: Overflow, Execute code, Denial of service
Products affected by CVE-2008-5187
- cpe:2.3:a:enlightenment:imlib2:1.4.2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2008-5187
- EPSS score: 1.89% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~87% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2008-5187
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
CWE ids for CVE-2008-5187
- The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. (Assigned by: nvd@nist.gov, Primary)
Vendor statements for CVE-2008-5187
- Red Hat (2008-11-21): Not vulnerable. This issue does not affect the versions of imlib as shipped with Red Hat Enterprise Linux 2.1, 3, or 4.
References for CVE-2008-5187
- http://www.vupen.com/english/advisories/2008/3212
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505714#15 (#505714 - Crash on loading XPM file - Debian Bug report logs)
- https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00856.html ([SECURITY] Fedora 9 Update: imlib2-1.4.2-2.fc9)
- https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00858.html ([SECURITY] Fedora 8 Update: imlib2-1.4.2-2.fc8)
- http://lists.opensuse.org/opensuse-security-announce/2009-01/msg00004.html ([security-announce] SUSE Security Summary Report: SUSE-SR:2009:002)
- http://security.gentoo.org/glsa/glsa-200812-23.xml (Imlib2: User-assisted execution of arbitrary code, GLSA 200812-23)
- http://www.openwall.com/lists/oss-security/2008/11/20/5 (oss-security - CVE Request: imlib2)
- http://www.debian.org/security/2008/dsa-1672 ([SECURITY] [DSA 1672-1] New imlib2 packages fix arbitrary code execution)
- http://www.ubuntu.com/usn/USN-683-1 (USN-683-1: Imlib2 vulnerability, Ubuntu security notices)
- http://www.securityfocus.com/bid/32371
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:019 (Mandriva)