National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

CVE-2004-0914 Detail

Current Description

Multiple vulnerabilities in libXpm for 6.8.1 and earlier, as used in XFree86 and other packages, include (1) multiple integer overflows, (2) out-of-bounds memory accesses, (3) directory traversal, (4) shell metacharacter, (5) endless loops, and (6) memory leaks, which could allow remote attackers to obtain sensitive information, cause a denial of service (application crash), or execute arbitrary code via a certain XPM image file. NOTE: it is highly likely that this candidate will be SPLIT into other candidates in the future, per CVE's content decisions.

Source:  MITRE      Last Modified:  01/10/2005      View Analysis Description

Quick Info

CVE Dictionary Entry:
CVE-2004-0914
Original release date:
01/10/2005
Last revised:
10/10/2017
Source:
US-CERT/NIST

Impact

CVSS Severity (version 2.0):
CVSS v2 Base Score:
10.0 HIGH
Vector:
(AV:N/AC:L/Au:N/C:C/I:C/A:C) (legend)
Impact Subscore:
10.0
Exploitability Subscore:
10.0
CVSS Version 2 Metrics:
Access Vector:
Network exploitable
Access Complexity:
Low
Authentication:
Not required to exploit
Impact Type:
Provides administrator access, Allows complete confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service

Vendor Statements (disclaimer)

Official Statement from Red Hat (03/14/2007)

Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink Resource Type Source Name
http://rhn.redhat.com/errata/RHSA-2004-537.html External Source REDHAT RHSA-2004:537
http://www.debian.org/security/2004/dsa-607 Patch; Vendor Advisory External Source DEBIAN DSA-607
http://www.gentoo.org/security/en/glsa/glsa-200411-28.xml Patch; Vendor Advisory External Source GENTOO GLSA-200411-28
http://www.gentoo.org/security/en/glsa/glsa-200502-06.xml External Source GENTOO GLSA-200502-06
http://www.gentoo.org/security/en/glsa/glsa-200502-07.xml External Source GENTOO GLSA-200502-07
http://www.linuxsecurity.com/content/view/106877/102/ External Source FEDORA FEDORA-2004-433
http://www.mandriva.com/security/advisories?name=MDKSA-2004:137 External Source MANDRAKE MDKSA-2004:137
http://www.redhat.com/archives/fedora-legacy-announce/2006-January/msg00001.html External Source FEDORA FLSA-2006:152803
http://www.redhat.com/support/errata/RHSA-2004-610.html External Source REDHAT RHSA-2004:610
http://www.redhat.com/support/errata/RHSA-2005-004.html External Source REDHAT RHSA-2005:004
http://www.securityfocus.com/bid/11694 Patch; Vendor Advisory External Source BID 11694
http://www.ubuntu.com/usn/usn-83-1 External Source UBUNTU USN-83-1
http://www.ubuntu.com/usn/usn-83-2 External Source UBUNTU USN-83-2
http://www.x.org/pub/X11R6.8.1/patches/README.xorg-681-CAN-2004-0914.patch External Source CONFIRM http://www.x.org/pub/X11R6.8.1/patches/README.xorg-681-CAN-2004-0914.patch
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTU01228 External Source HP HPSBTU01228
https://exchange.xforce.ibmcloud.com/vulnerabilities/18142 External Source XF libxpm-image-bo(18142):
https://exchange.xforce.ibmcloud.com/vulnerabilities/18144 External Source XF libxpm-improper-memory-access(18144):
https://exchange.xforce.ibmcloud.com/vulnerabilities/18145 External Source XF libxpm-command-execution(18145):
https://exchange.xforce.ibmcloud.com/vulnerabilities/18146 External Source XF libxpm-directory-traversal(18146):
https://exchange.xforce.ibmcloud.com/vulnerabilities/18147 External Source XF libxpm-dos(18147)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9943 External Source OVAL oval:org.mitre.oval:def:9943

References to Check Content

Identifier:
oval:org.mitre.oval:def:9943
Check System:
http://oval.mitre.org/XMLSchema/oval-definitions-5
Hyperlink:
http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:9943

Technical Details

Vulnerability Type (View All)

Vulnerable software and versions Switch to CPE 2.2

Configuration 1
OR
cpe:2.3:a:lesstif:lesstif:0.93:*:*:*:*:*:*:*
cpe:2.3:a:lesstif:lesstif:0.93.12:*:*:*:*:*:*:*
cpe:2.3:a:lesstif:lesstif:0.93.18:*:*:*:*:*:*:*
cpe:2.3:a:lesstif:lesstif:0.93.34:*:*:*:*:*:*:*
cpe:2.3:a:lesstif:lesstif:0.93.36:*:*:*:*:*:*:*
cpe:2.3:a:lesstif:lesstif:0.93.40:*:*:*:*:*:*:*
cpe:2.3:a:lesstif:lesstif:0.93.91:*:*:*:*:*:*:*
cpe:2.3:a:lesstif:lesstif:0.93.94:*:*:*:*:*:*:*
cpe:2.3:a:lesstif:lesstif:0.93.96:*:*:*:*:*:*:*
cpe:2.3:a:x.org:x11r6:6.7.0:*:*:*:*:*:*:*
cpe:2.3:a:x.org:x11r6:6.8:*:*:*:*:*:*:*
cpe:2.3:a:x.org:x11r6:6.8.1:*:*:*:*:*:*:*
cpe:2.3:a:xfree86_project:x11r6:3.3:*:*:*:*:*:*:*
cpe:2.3:a:xfree86_project:x11r6:3.3.2:*:*:*:*:*:*:*
cpe:2.3:a:xfree86_project:x11r6:3.3.3:*:*:*:*:*:*:*
cpe:2.3:a:xfree86_project:x11r6:3.3.4:*:*:*:*:*:*:*
cpe:2.3:a:xfree86_project:x11r6:3.3.5:*:*:*:*:*:*:*
cpe:2.3:a:xfree86_project:x11r6:3.3.6:*:*:*:*:*:*:*
cpe:2.3:a:xfree86_project:x11r6:4.0:*:*:*:*:*:*:*
cpe:2.3:a:xfree86_project:x11r6:4.0.1:*:*:*:*:*:*:*
cpe:2.3:a:xfree86_project:x11r6:4.0.2.11:*:*:*:*:*:*:*
cpe:2.3:a:xfree86_project:x11r6:4.0.3:*:*:*:*:*:*:*
cpe:2.3:a:xfree86_project:x11r6:4.1.0:*:*:*:*:*:*:*
cpe:2.3:a:xfree86_project:x11r6:4.1.11:*:*:*:*:*:*:*
cpe:2.3:a:xfree86_project:x11r6:4.1.12:*:*:*:*:*:*:*
cpe:2.3:a:xfree86_project:x11r6:4.2.0:*:*:*:*:*:*:*
cpe:2.3:a:xfree86_project:x11r6:4.2.1:*:*:*:*:*:*:*
cpe:2.3:a:xfree86_project:x11r6:4.2.1:*:errata:*:*:*:*:*
cpe:2.3:a:xfree86_project:x11r6:4.3.0:*:*:*:*:*:*:*
Configuration 2
OR
cpe:2.3:o:gentoo:linux:*:*:*:*:*:*:*:*
cpe:2.3:o:redhat:fedora_core:core_2.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:fedora_core:core_3.0:*:*:*:*:*:*:*
cpe:2.3:o:suse:suse_linux:1.0:*:desktop:*:*:*:*:*
cpe:2.3:o:suse:suse_linux:8:*:enterprise_server:*:*:*:*:*
cpe:2.3:o:suse:suse_linux:8.1:*:*:*:*:*:*:*
cpe:2.3:o:suse:suse_linux:8.2:*:*:*:*:*:*:*
cpe:2.3:o:suse:suse_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:suse:suse_linux:9.0:*:enterprise_server:*:*:*:*:*
cpe:2.3:o:suse:suse_linux:9.1:*:*:*:*:*:*:*
cpe:2.3:o:suse:suse_linux:9.2:*:*:*:*:*:*:*

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History 4 change records found - show changes