X.Org Foundation SECURITY ADVISORY 2004-09-15
==============================================

Brookline MA, September 15, 2004 - X.Org has been made aware of a possible security vulnerability in libXpm, the X Pixmap library, which is shipped as part of the X Window System. The affected library is used in many popular applications for image viewing and manipulation.

Several stack overflows and integer overflows have been identified which may allow malicious XPM files to crash applications linking against libXpm. Furthermore, the overflows may also be exploited to execute code under the account of the user running an application linked against libXpm.

The CVE numbers for these vulnerabilities are CAN-2004-0687 (integer overflows) and CAN-2004-0688 (stack overflows). Please also check:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0687
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0688

This advisory affects all known versions and releases of the X Window System shipping versions of libXpm, whether from X.Org or other vendors. Therefore users are strongly recommended to upgrade. A fix is available under:

http://www.x.org/pub/X11R6.8.0/patches/xorg-CAN-2004-0687-0688.patch

X.Org will provide a security update release for X11 R6.8.0 shortly. Vendors shipping releases of the X Window System have been informed and will provide updates for their software.

The X.Org Foundation would like to thank Chris Evans for identifying the security exploits as well as Matthieu Herrb and Alan Coopersmith for providing a patch.
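The advisory names two bug classes in an image-format parser, integer overflows (CAN-2004-0687) and stack overflows (CAN-2004-0688), without saying where in libXpm they occur. The following C program is an added illustration written for this page of what those classes look like in a header parser and how the hardened form rejects the input; it is not libXpm's code and not the patch linked above. It uses the XPM3 "values" line layout (width, height, number of colours, characters per pixel); the function names, the 256 MiB size cap, the 64-byte token buffer and the sample headers are all constructed assumptions.

```c
/* Added illustration of the two bug classes named in the advisory. This is
 * NOT libXpm's code; names, limits and sample inputs are assumptions. */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PIXEL_BYTES (256u * 1024u * 1024u) /* assumed sanity cap */
#define TOKEN_MAX 64                           /* assumed fixed buffer size */

struct xpm_header { unsigned width, height, ncolors, cpp; };

/* Parse "<width> <height> <ncolors> <cpp>" into h. Returns 0 on success,
 * -1 on a missing, negative, non-numeric or out-of-range field. */
int parse_xpm_values(const char *line, struct xpm_header *h)
{
    unsigned long v[4];
    const char *p = line;
    for (int i = 0; i < 4; i++) {
        char *end;
        while (isspace((unsigned char)*p)) p++;
        if (!isdigit((unsigned char)*p)) return -1; /* rejects "-1", "", junk */
        errno = 0;
        v[i] = strtoul(p, &end, 10);
        if (errno == ERANGE || v[i] > UINT_MAX) return -1;
        p = end;
    }
    h->width = (unsigned)v[0];   h->height = (unsigned)v[1];
    h->ncolors = (unsigned)v[2]; h->cpp = (unsigned)v[3];
    return 0;
}

/* Integer-overflow class: width*height*cpp computed in 32-bit unsigned
 * arithmetic wraps, so an absurd header yields a tiny allocation that later
 * pixel writes overrun. Kept only to contrast with the checked version. */
unsigned naive_pixel_bytes(const struct xpm_header *h)
{
    return h->width * h->height * h->cpp;
}

/* Hardened: each multiplication is checked against SIZE_MAX before it is
 * performed and the result is capped, so no wrapped size reaches malloc. */
int checked_pixel_bytes(const struct xpm_header *h, size_t *out)
{
    size_t n;
    if (h->width == 0 || h->height == 0 || h->cpp == 0) return -1;
    if ((size_t)h->width > SIZE_MAX / h->height) return -1;
    n = (size_t)h->width * h->height;
    if (n > SIZE_MAX / h->cpp) return -1;
    n *= h->cpp;
    if (n > MAX_PIXEL_BYTES) return -1;
    *out = n;
    return 0;
}

/* Stack-overflow class: an unbounded strcpy of a colour token into a fixed
 * stack buffer. The hardened form never reads past dstsz and refuses a token
 * that would not fit (with its NUL) instead of truncating it silently, since
 * a truncated colour key could alias another entry. */
int copy_color_token(const char *src, char *dst, size_t dstsz)
{
    const char *nul = memchr(src, '\0', dstsz); /* scan at most dstsz bytes */
    if (nul == NULL) return -1;                 /* no terminator within bound */
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

int main(void)
{
    struct xpm_header h;
    size_t n;
    char tok[TOKEN_MAX];
    /* Constructed headers: one sane, one crafted to wrap 32-bit arithmetic. */
    const char *sane = "16 16 3 1";
    const char *crafted = "65536 65536 1 1";

    if (parse_xpm_values(sane, &h) == 0 && checked_pixel_bytes(&h, &n) == 0)
        printf("sane header: %zu pixel bytes\n", n);
    if (parse_xpm_values(crafted, &h) == 0)
        printf("crafted header: naive size %u, checked %s\n",
               naive_pixel_bytes(&h),
               checked_pixel_bytes(&h, &n) == 0 ? "accepted" : "rejected");
    printf("over-long token: %s\n",
           copy_color_token("a-colour-name-far-longer-than-the-sixty-four-byte"
                            "-buffer-it-was-meant-to-land-in", tok, sizeof tok)
               == 0 ? "copied" : "rejected");
    return 0;
}
```

The crafted header is accepted by the field parser (each number is a valid 32-bit value) and only the size computation catches it: the naive product wraps to 0, while the checked version refuses it before any allocation. That is the general defensive pattern for any dimension-driven buffer: validate the arithmetic, not just the individual fields.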