Netpbm: User-assisted arbitrary code execution — GLSA 201311-08

A vulnerability in Netpbm could result in execution of arbitrary code or Denial of Service.

Affected packages

media-libs/netpbm on all architectures
Affected versions < 10.49.00
Unaffected versions >= 10.49.00

Background

Netpbm is a toolkit for manipulation of graphic images, including conversion of images between a variety of different formats.

Description

A stack-based buffer overflow exists in converter/ppm/xpmtoppm.c in Netpbm.

Impact

A remote attacker could entice a user to open a specially crafted XPM file using Netpbm, possibly resulting in execution of arbitrary code with the privileges of the process, or a Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All Netpbm users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-libs/netpbm-10.49.00"

Packages which depend on this library may need to be recompiled. Tools such as revdep-rebuild may assist in identifying some of these packages.
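
To check a host or a collected package inventory against the version range above, the following added example (not part of the original advisory) classifies media-libs/netpbm atoms as affected or unaffected. The function names and the sample atoms are constructed for illustration, and the comparison is a plain integer comparison of dotted components, which is simpler than Portage's full version rules.

```shell
#!/bin/sh
# Added example: classify installed netpbm atoms against GLSA 201311-08.
FIXED="10.49.00"   # from the advisory: < 10.49.00 affected, >= 10.49.00 unaffected

# version_lt A B: succeed when dotted version A sorts before B.
# Assumption: components are compared as plain integers (missing ones count
# as 0); this is simpler than Portage's full version comparison rules.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1   # equal versions are not "less than"
    }'
}

# glsa_status ATOM: print affected / unaffected / skipped for one atom such as
# "media-libs/netpbm-10.47.05-r1" (the form printed by `qlist -Iv`).
glsa_status() {
    case "$1" in
        media-libs/netpbm-[0-9]*) ;;
        *) echo skipped; return 0 ;;
    esac
    ver=${1#media-libs/netpbm-}
    ver=$(printf '%s\n' "$ver" | sed 's/-r[0-9][0-9]*$//')   # drop Gentoo revision
    if version_lt "$ver" "$FIXED"; then echo affected; else echo unaffected; fi
}

# Constructed sample inventory; on a live system the atoms could come from
# `qlist -Iv media-libs/netpbm` (portage-utils).
for atom in media-libs/netpbm-10.47.05-r1 media-libs/netpbm-10.49.00 \
            media-libs/netpbm-10.51.00-r2 media-libs/libpng-1.6.6; do
    printf '%-34s %s\n' "$atom" "$(glsa_status "$atom")"
done
```

Hosts reported as affected need the upgrade shown above, followed by a rebuild of any packages that depend on the library.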

References

Release date
November 13, 2013

Latest revision
November 13, 2013: 1

Severity
normal

Exploitable
remote

Bugzilla entries