CVE-2016-4024

Name	CVE-2016-4024
Description	Integer overflow in imlib2 before 1.4.9 on 32-bit platforms allows remote attackers to execute arbitrary code via large dimensions in an image, which triggers an out-of-bounds heap memory write operation.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References	DSA-3555-1
NVD severity	high (attack range: remote)
Debian Bugs	821732

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
imlib2 (PTS)	jessie (security), jessie	1.4.6-2+deb8u2	fixed
	stretch	1.4.8-1	fixed
	buster, sid	1.5.1-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
imlib2	source	(unstable)	1.4.8-1	high		821732
imlib2	source	jessie	1.4.6-2+deb8u2	high	DSA-3555-1
imlib2	source	wheezy	1.4.5-1+deb7u2	high	DSA-3555-1

Notes

Upstream fix: https://git.enlightenment.org/legacy/imlib2.git/commit/?id=7eba2e4c8ac0e20838947f10f29d0efe1add8227
http://www.openwall.com/lists/oss-security/2016/04/14/5