CVE-2016-10164 - Multiple integer overflows in libXpm before 3.5.12, when a program requests parsing XPM extensions o

CVE-2016-10164

Summary

Multiple integer overflows in libXpm before 3.5.12, when a program requests parsing XPM extensions on a 64-bit platform, allow remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via (1) the number of extensions or (2) their concatenated length in a crafted XPM file, which triggers a heap-based buffer overflow.

References

Vulnerable Configurations

cpe:2.3:a:x.org:libxpm:-:*:*:*:*:*:*:*
cpe:2.3:a:x.org:libxpm:-:*:*:*:*:*:*:*
cpe:2.3:a:x.org:libxpm:3.5.5:*:*:*:*:*:*:*
cpe:2.3:a:x.org:libxpm:3.5.5:*:*:*:*:*:*:*
cpe:2.3:a:x.org:libxpm:3.5.6:*:*:*:*:*:*:*
cpe:2.3:a:x.org:libxpm:3.5.6:*:*:*:*:*:*:*
cpe:2.3:a:x.org:libxpm:3.5.7:*:*:*:*:*:*:*
cpe:2.3:a:x.org:libxpm:3.5.7:*:*:*:*:*:*:*
cpe:2.3:a:x.org:libxpm:3.5.8:*:*:*:*:*:*:*
cpe:2.3:a:x.org:libxpm:3.5.8:*:*:*:*:*:*:*
cpe:2.3:a:x.org:libxpm:3.5.9:*:*:*:*:*:*:*
cpe:2.3:a:x.org:libxpm:3.5.9:*:*:*:*:*:*:*
cpe:2.3:a:x.org:libxpm:3.5.10:*:*:*:*:*:*:*
cpe:2.3:a:x.org:libxpm:3.5.10:*:*:*:*:*:*:*
cpe:2.3:a:x.org:libxpm:3.5.11:*:*:*:*:*:*:*
cpe:2.3:a:x.org:libxpm:3.5.11:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 17-10-2023 - 15:55)
Impact:
Exploitability:

CWE

CWE-190

CAPEC

Forced Integer Overflow
This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

redhat via4

advisories

rhsa

id	RHSA-2017:1865

rpms

drm-utils-0:2.4.74-1.el7
libICE-0:1.0.9-9.el7
libICE-debuginfo-0:1.0.9-9.el7
libICE-devel-0:1.0.9-9.el7
libX11-0:1.6.5-1.el7
libX11-common-0:1.6.5-1.el7
libX11-debuginfo-0:1.6.5-1.el7
libX11-devel-0:1.6.5-1.el7
libXaw-0:1.0.13-4.el7
libXaw-debuginfo-0:1.0.13-4.el7
libXaw-devel-0:1.0.13-4.el7
libXcursor-0:1.1.14-8.el7
libXcursor-debuginfo-0:1.1.14-8.el7
libXcursor-devel-0:1.1.14-8.el7
libXdmcp-0:1.1.2-6.el7
libXdmcp-debuginfo-0:1.1.2-6.el7
libXdmcp-devel-0:1.1.2-6.el7
libXfixes-0:5.0.3-1.el7
libXfixes-debuginfo-0:5.0.3-1.el7
libXfixes-devel-0:5.0.3-1.el7
libXfont-0:1.5.2-1.el7
libXfont-debuginfo-0:1.5.2-1.el7
libXfont-devel-0:1.5.2-1.el7
libXfont2-0:2.0.1-2.el7
libXfont2-debuginfo-0:2.0.1-2.el7
libXfont2-devel-0:2.0.1-2.el7
libXi-0:1.7.9-1.el7
libXi-debuginfo-0:1.7.9-1.el7
libXi-devel-0:1.7.9-1.el7
libXpm-0:3.5.12-1.el7
libXpm-debuginfo-0:3.5.12-1.el7
libXpm-devel-0:3.5.12-1.el7
libXrandr-0:1.5.1-2.el7
libXrandr-debuginfo-0:1.5.1-2.el7
libXrandr-devel-0:1.5.1-2.el7
libXrender-0:0.9.10-1.el7
libXrender-debuginfo-0:0.9.10-1.el7
libXrender-devel-0:0.9.10-1.el7
libXt-0:1.1.5-3.el7
libXt-debuginfo-0:1.1.5-3.el7
libXt-devel-0:1.1.5-3.el7
libXtst-0:1.2.3-1.el7
libXtst-debuginfo-0:1.2.3-1.el7
libXtst-devel-0:1.2.3-1.el7
libXv-0:1.0.11-1.el7
libXv-debuginfo-0:1.0.11-1.el7
libXv-devel-0:1.0.11-1.el7
libXvMC-0:1.0.10-1.el7
libXvMC-debuginfo-0:1.0.10-1.el7
libXvMC-devel-0:1.0.10-1.el7
libXxf86vm-0:1.1.4-1.el7
libXxf86vm-debuginfo-0:1.1.4-1.el7
libXxf86vm-devel-0:1.1.4-1.el7
libdrm-0:2.4.74-1.el7
libdrm-debuginfo-0:2.4.74-1.el7
libdrm-devel-0:2.4.74-1.el7
libepoxy-0:1.3.1-1.el7
libepoxy-debuginfo-0:1.3.1-1.el7
libepoxy-devel-0:1.3.1-1.el7
libevdev-0:1.5.6-1.el7
libevdev-debuginfo-0:1.5.6-1.el7
libevdev-devel-0:1.5.6-1.el7
libevdev-utils-0:1.5.6-1.el7
libfontenc-0:1.1.3-3.el7
libfontenc-debuginfo-0:1.1.3-3.el7
libfontenc-devel-0:1.1.3-3.el7
libinput-0:1.6.3-2.el7
libinput-debuginfo-0:1.6.3-2.el7
libinput-devel-0:1.6.3-2.el7
libvdpau-0:1.1.1-3.el7
libvdpau-debuginfo-0:1.1.1-3.el7
libvdpau-devel-0:1.1.1-3.el7
libvdpau-docs-0:1.1.1-3.el7
libwacom-0:0.24-1.el7
libwacom-data-0:0.24-1.el7
libwacom-debuginfo-0:0.24-1.el7
libwacom-devel-0:0.24-1.el7
libxcb-0:1.12-1.el7
libxcb-debuginfo-0:1.12-1.el7
libxcb-devel-0:1.12-1.el7
libxcb-doc-0:1.12-1.el7
libxkbcommon-0:0.7.1-1.el7
libxkbcommon-debuginfo-0:0.7.1-1.el7
libxkbcommon-devel-0:0.7.1-1.el7
libxkbcommon-x11-0:0.7.1-1.el7
libxkbcommon-x11-devel-0:0.7.1-1.el7
libxkbfile-0:1.0.9-3.el7
libxkbfile-debuginfo-0:1.0.9-3.el7
libxkbfile-devel-0:1.0.9-3.el7
mesa-debuginfo-0:17.0.1-6.20170307.el7
mesa-dri-drivers-0:17.0.1-6.20170307.el7
mesa-filesystem-0:17.0.1-6.20170307.el7
mesa-libEGL-0:17.0.1-6.20170307.el7
mesa-libEGL-devel-0:17.0.1-6.20170307.el7
mesa-libGL-0:17.0.1-6.20170307.el7
mesa-libGL-devel-0:17.0.1-6.20170307.el7
mesa-libGLES-0:17.0.1-6.20170307.el7
mesa-libGLES-devel-0:17.0.1-6.20170307.el7
mesa-libOSMesa-0:17.0.1-6.20170307.el7
mesa-libOSMesa-devel-0:17.0.1-6.20170307.el7
mesa-libgbm-0:17.0.1-6.20170307.el7
mesa-libgbm-devel-0:17.0.1-6.20170307.el7
mesa-libglapi-0:17.0.1-6.20170307.el7
mesa-libxatracker-0:17.0.1-6.20170307.el7
mesa-libxatracker-devel-0:17.0.1-6.20170307.el7
mesa-private-llvm-0:3.9.1-3.el7
mesa-private-llvm-debuginfo-0:3.9.1-3.el7
mesa-private-llvm-devel-0:3.9.1-3.el7
mesa-vulkan-drivers-0:17.0.1-6.20170307.el7
vulkan-0:1.0.39.1-2.el7
vulkan-debuginfo-0:1.0.39.1-2.el7
vulkan-devel-0:1.0.39.1-2.el7
vulkan-filesystem-0:1.0.39.1-2.el7
xcb-proto-0:1.12-2.el7
xkeyboard-config-0:2.20-1.el7
xkeyboard-config-devel-0:2.20-1.el7
xorg-x11-proto-devel-0:7.7-20.el7

refmap via4

bid	95785
confirm	https://cgit.freedesktop.org/xorg/lib/libXpm/commit/?id=d1167418f0fd02a27f617ec5afd6db053afbe185
debian	DSA-3772
gentoo	GLSA-201701-72
mlist	[oss-security] 20170122 CVE Request: libXpm < 3.5.12 heap overflow [oss-security] 20170125 Re: CVE Request: libXpm < 3.5.12 heap overflow [xorg] 20161215 [ANNOUNCE] libXpm 3.5.12

Last major update

17-10-2023 - 15:55

Published

01-02-2017 - 15:59

Last modified

17-10-2023 - 15:55