Name | CVE-2004-0688 |
Description | Multiple integer overflows in (1) the xpmParseColors function in parse.c, (2) XpmCreateImageFromXpmImage, (3) CreateXImage, (4) ParsePixels, and (5) ParseAndPutPixels for libXpm before 6.8.1 may allow remote attackers to execute arbitrary code via a malformed XPM image file. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DSA-560-1, DSA-561-1 |
Debian Bugs | 308819 |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
lesstif1-1 | source | woody | 0.93.18-5 | | DSA-560-1 | |
lesstif1-1 | source | (unstable) | 1:0.93.94-10 | | | |
openmotif | source | (unstable) | 2.2.3-1.1 | low | | 308819 |
xfree86 | source | woody | 4.1.0-16woody4 | | DSA-561-1 | |
xfree86 | source | (unstable) | 4.3.0.dfsg.1-8 | | | |
xorg-x11 | source | (unstable) | (not affected) | | | |
Matej Vela has checked that these are backported to lesstif1 as well
[sarge] - openmotif <no-dsa> (Non-free)
- xorg-x11 <not-affected> (Fixed before introduction into archive)