CVE-2005-0638

Name of the Vulnerable Software and Affected Versions xloadimage versions prior to 4.1-r2 xli versions prior to 1.17

Description The issue allows attackers to execute arbitrary commands via shell metacharacters in filenames for compressed images. This is due to the filenames not being properly quoted when calling the gunzip command. Multiple vulnerabilities in the xli package may lead to a breach of confidentiality, integrity, and availability of protected information, and can be exploited remotely.

Recommendations For xloadimage versions prior to 4.1-r2, update to version 4.1-r2 or later. For xli versions prior to 1.17, update to version 1.17 or later. As a temporary workaround, consider restricting the use of the gunzip command with untrusted input until a patch is available. Avoid using the xloadimage and xli packages with compressed images from untrusted sources until the issue is resolved.