We received the following report via vendor-sec.
The issue is (semi?) public through redhat bugzilla.
Marcus I'll assign to you since you handled the last imlib case as
well.

Date: Tue, 9 Nov 2004 10:41:19 +0100 (MET)
From: Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>
To: vendor-sec@lst.de
Subject: [vendor-sec] CAN-2004-0782-like vulnerability in Imlib 1.9

Imlib's XPM decoder is buggy. The attached XPM file kills it.

I made a jumbo patch for Fedora Legacy 7.3's Imlib 1.3.19 fixing this
and many other bugs (minus bugs already fixed by other patches such as 
patch for CAN-2004-0817) as well as introducing many preventive checks.
See the attached file. But remember, Imlib code is such a piece of
terrible mess (burn in hell, Rasterman!...sorry, I could not help...),
I might have missed something.

See also https://bugzilla.fedora.us/show_bug.cgi?id=2051#c11.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."