#VU32293 Buffer overflow in imlib2 - CVE-2016-3994

Cybersecurity Help s.r.o.

Published: 2016-05-13 | Updated: 2020-07-28

Vulnerability identifier: #VU32293

Vulnerability risk: High

CVSSv4.0: 6.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2016-3994

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
imlib2
Other software / Other software solutions

Vendor: Jakub Vrána

Description

The vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.

The GIF loader in imlib2 before 1.4.9 allows remote attackers to cause a denial of service (application crash) or obtain sensitive information via a crafted image, which triggers an out-of-bounds read.

Mitigation
Install update from vendor's website.

Vulnerable software versions

imlib2: 1.4.5 - 1.4.8

External links
https://lists.opensuse.org/opensuse-updates/2016-05/msg00076.html
https://www.debian.org/security/2016/dsa-3555
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785369
https://git.enlightenment.org/legacy/imlib2.git/commit/?id=37a96801663b7b4cd3fbe56cc0eb8b6a17e766a8
https://sourceforge.net/p/enlightenment/mailman/message/35055012/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Fedora EPEL 7 update for imlib2

Buffer overflow in imlib2 (Alpine package)

Buffer overflow in imlib2

Fedora 22 update for imlib2

Fedora 24 update for imlib2

Fedora 22 update for imlib2

Fedora 23 update for imlib2