CVE-2016-10164

Summary

CVE	CVE-2016-10164
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2017-02-01 15:59:00 UTC
Updated	2023-10-17 15:55:00 UTC
Description	Multiple integer overflows in libXpm before 3.5.12, when a program requests parsing XPM extensions on a 64-bit platform, allow remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via (1) the number of extensions or (2) their concatenated length in a crafted XPM file, which triggers a heap-based buffer overflow.

Risk And Classification

Problem Types: CWE-119 | CWE-787 | CWE-190

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Libxpm Project	Libxpm	All	All	All	All
Application	X.org	Libxpm	All	All	All	All

References

Reference	Source	Link	Tags
Red Hat Customer Portal	REDHAT	access.redhat.com
oss-security - Re: CVE Request: libXpm < 3.5.12 heap overflow	MLIST	www.openwall.com	Mailing List, Patch, Third Party Advisory
oss-security - CVE Request: libXpm < 3.5.12 heap overflow	MLIST	www.openwall.com	Mailing List, Patch, Third Party Advisory
xorg/lib/libXpm - XPM format pixmap library	CONFIRM	cgit.freedesktop.org	Issue Tracking, Patch, Third Party Advisory
[ANNOUNCE] libXpm 3.5.12	MLIST	lists.freedesktop.org	Issue Tracking, Patch, Third Party Advisory
Debian -- Security Information -- DSA-3772-1 libxpm	DEBIAN	www.debian.org
libXpm: Remote execution of arbitrary code (GLSA 201701-72) — Gentoo security	GENTOO	security.gentoo.org
libXpm CVE-2016-10164 Heap Based Buffer Overflow Vulnerability	BID	www.securityfocus.com	Third Party Advisory, VDB Entry
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

673503 EulerOS Security Update for motif (EulerOS-SA-2024-1283)
710454 Gentoo Linux libXpm Remote execution of arbitrary code Vulnerability (GLSA 201701-72)