#VU32296 Buffer overflow in imlib2 - CVE-2016-4024

Cybersecurity Help s.r.o.

Published: 2016-05-13 | Updated: 2020-07-28

Vulnerability identifier: #VU32296

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2016-4024

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
imlib2
Other software / Other software solutions

Vendor: Jakub Vrána

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Integer overflow in imlib2 before 1.4.9 on 32-bit platforms allows remote attackers to execute arbitrary code via large dimensions in an image, which triggers an out-of-bounds heap memory write operation.

Mitigation
Install update from vendor's website.

Vulnerable software versions

imlib2: 1.4.5 - 1.4.8

External links
https://lists.opensuse.org/opensuse-updates/2016-05/msg00076.html
https://www.debian.org/security/2016/dsa-3555
https://www.securityfocus.com/bid/86073
https://www.securitytracker.com/id/1035573
https://git.enlightenment.org/legacy/imlib2.git/commit/?id=7eba2e4c8ac0e20838947f10f29d0efe1add8227
https://security.gentoo.org/glsa/201611-12
https://sourceforge.net/p/enlightenment/mailman/message/35055012/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Fedora EPEL 7 update for imlib2

Gentoo update for imlib2

Buffer overflow in imlib2

Buffer overflow in imlib2 (Alpine package)

Fedora 23 update for imlib2

Fedora 22 update for imlib2

Fedora 24 update for imlib2