CVE-2004-0688

NameCVE-2004-0688
DescriptionMultiple integer overflows in (1) the xpmParseColors function in parse.c, (2) XpmCreateImageFromXpmImage, (3) CreateXImage, (4) ParsePixels, and (5) ParseAndPutPixels for libXpm before 6.8.1 may allow remote attackers to execute arbitrary code via a malformed XPM image file.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-560-1, DSA-561-1
NVD severityhigh (attack range: remote)
Debian Bugs308819

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
lesstif1-1source(unstable)1:0.93.94-10high
lesstif1-1sourcewoody0.93.18-5highDSA-560-1
openmotifsource(unstable)2.2.3-1.1low308819
xfree86source(unstable)4.3.0.dfsg.1-8high
xfree86sourcewoody4.1.0-16woody4highDSA-561-1
xorg-x11source(unstable)(not affected)

Notes

Matej Vela has checked that these are backported to lesstif1 as well
[sarge] - openmotif <no-dsa> (Non-free)
- xorg-x11 <not-affected> (Fixed before introduction into archive)
Search for package or bug name: Reporting problems