--get your your Linux knowledge
> Linux Reviews > News and headlines > 2004 News archive > September >

Possibly serious security risk in imlib-library, Linux users are urged to update

Imlib is a image library used to display graphics used by Gnome and many important Linux applications. The library has a bug that allows evil code to be executed on your computer just by opening a carefully crafted image with a program that uses it to display graphics.

Gentoo Linux released a Security Advisory about BMP decoding buffer overflows in ImageMagick, imlib and imlib2.

ImageMagick and imlib checks bounds improperly and are vulnerable to buffer overflow attacks by using carefully crafted BMP images. Potentially, viewing a carefully crafted image using any application that uses imlib to display graphics could cause evil code to be executed on your computer.

Linux users should upgrade the libraries to imagemagick >=, imlib >= 1.9.14 and imlib2 >= 1.1.2.**

More information:

Several buffer overflows are also found in LHa, a a console-based program for handling LHarc archives. This is a very uncommon archiving format and is not, even though the holes themselves may be serious, a big issue. Updates LHarc packages are available for Gentoo, Fedora and most distributions.

More information:

What's the big deal? Headlines like "Pair of Linux Holes Put Users at Risk" (eweek) and other scandal-like stores flourish in the media this week. This story has become "huge".

Here is some information that will help you avoid being stuck with fear if updates packages are not yet available for your distribution:

  • BMP is a very old and useless graphics image format, not used by anyone for anything these days. The chances of stumbling into this file-type is slim. Just ask the sender to convert the file to another format if you ever receive a BMP file, and never open BMP files until you are sure your system is upgraded.
    • Summary: Never open BMP files
  • LHarc is a very old tool, also not used by anyone for anything. And it's not even a standard part of most modern Linux-distributions anymore.
    • Summary: No threat.

News and headlines

Meet new people