CVE-2004-0688

NameCVE-2004-0688
DescriptionMultiple integer overflows in (1) the xpmParseColors function in parse.c, (2) XpmCreateImageFromXpmImage, (3) CreateXImage, (4) ParsePixels, and (5) ParseAndPutPixels for libXpm before 6.8.1 may allow remote attackers to execute arbitrary code via a malformed XPM image file.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-560-1, DSA-561-1
NVD severityhigh
Debian Bugs308819

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
lesstif1-1source(unstable)1:0.93.94-10
lesstif1-1sourcewoody0.93.18-5DSA-560-1
openmotifsource(unstable)2.2.3-1.1low308819
xfree86source(unstable)4.3.0.dfsg.1-8
xfree86sourcewoody4.1.0-16woody4DSA-561-1
xorg-x11source(unstable)(not affected)

Notes

Matej Vela has checked that these are backported to lesstif1 as well
[sarge] - openmotif <no-dsa> (Non-free)
- xorg-x11 <not-affected> (Fixed before introduction into archive)
Search for package or bug name: Reporting problems