---------------------------------------------------------------------
                   Fedora Legacy Update Advisory

Synopsis:          Updated qt packages fix security issues
Advisory ID:       FLSA:152763
Issue date:        2005-05-12
Product:           Red Hat Linux
Keywords:          Bugfix
CVE Names:         CAN-2004-0691 CAN-2004-0692 CAN-2004-0693
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

Updated qt packages that fix security issues in several of the image
decoders are now available.

Qt is a software toolkit that simplifies the task of writing and
maintaining GUI (Graphical User Interface) applications for the X
Window System.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386

3. Problem description:

During a security audit, Chris Evans discovered a heap overflow in the
BMP image decoder in Qt versions prior to 3.3.3. An attacker could
create a carefully crafted BMP file in such a way that it would cause
an application linked with Qt to crash or possibly execute arbitrary
code when the file was opened by a victim. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0691 to this issue.

Additionally, various flaws were discovered in the GIF, XPM, and JPEG
decoders in Qt versions prior to 3.3.3. An attacker could create
carefully crafted image files in such a way that they could cause an
application linked against Qt to crash when the file was opened by a
victim. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the names CAN-2004-0692 and CAN-2004-0693
to these issues.

Users of Qt should update to these updated packages, which contain
backported patches and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory
*only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152763

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/qt2-2.3.1-4.legacy.src.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/qt-3.0.5-7.16.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/qt2-2.3.1-4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/qt2-designer-2.3.1-4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/qt2-devel-2.3.1-4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/qt2-static-2.3.1-4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/qt2-Xt-2.3.1-4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/qt-3.0.5-7.16.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/qt-designer-3.0.5-7.16.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/qt-devel-3.0.5-7.16.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/qt-MySQL-3.0.5-7.16.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/qt-ODBC-3.0.5-7.16.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/qt-PostgreSQL-3.0.5-7.16.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/qt-static-3.0.5-7.16.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/qt-Xt-3.0.5-7.16.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/qt2-2.3.1-14.legacy.src.rpm
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/qt-3.1.1-8.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/qt2-2.3.1-14.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/qt2-designer-2.3.1-14.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/qt2-devel-2.3.1-14.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/qt2-static-2.3.1-14.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/qt2-Xt-2.3.1-14.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/qt-3.1.1-8.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/qt-designer-3.1.1-8.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/qt-devel-3.1.1-8.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/qt-MySQL-3.1.1-8.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/qt-ODBC-3.1.1-8.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/qt-PostgreSQL-3.1.1-8.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/qt-Xt-3.1.1-8.legacy.i386.rpm

7. Verification:

SHA1 sum                                 Package Name
---------------------------------------------------------------------
31dd5bcfd8477e31b15e0cdc52830a23024ada53 redhat/7.3/updates/i386/qt2-2.3.1-4.legacy.i386.rpm
666926b1e02da9edcf44d025fee98326c86cd62d redhat/7.3/updates/i386/qt2-designer-2.3.1-4.legacy.i386.rpm
f8abe3a856df3b6f6328e3a097b47d0e5f2c270e redhat/7.3/updates/i386/qt2-devel-2.3.1-4.legacy.i386.rpm
7916b1d34f01c8f30d0f99485e2a2d3882fa85fd redhat/7.3/updates/i386/qt2-static-2.3.1-4.legacy.i386.rpm
9c9876dc717734169f27e0eaa4daeb2ab70ff61f redhat/7.3/updates/i386/qt2-Xt-2.3.1-4.legacy.i386.rpm
45de88207a2ed8fcc9f6b9e25e38b7ecd2c3c543 redhat/7.3/updates/i386/qt-3.0.5-7.16.legacy.i386.rpm
f93cc80d6ef57b73c6be11cd055e5f7158b102fa redhat/7.3/updates/i386/qt-designer-3.0.5-7.16.legacy.i386.rpm
b8301c059ecb90c497812f082e226cb504505ff2 redhat/7.3/updates/i386/qt-devel-3.0.5-7.16.legacy.i386.rpm
d2168c04a5ad203d85b61217351f702a93b937e2 redhat/7.3/updates/i386/qt-MySQL-3.0.5-7.16.legacy.i386.rpm
0ec08637df7a76b3512ecebc8705776770b797eb redhat/7.3/updates/i386/qt-ODBC-3.0.5-7.16.legacy.i386.rpm
3374709a77752ffb1db8f4f4e82e67af58745007 redhat/7.3/updates/i386/qt-PostgreSQL-3.0.5-7.16.legacy.i386.rpm
f717c6632e65f2f18d99a76d19716e4c1f39445e redhat/7.3/updates/i386/qt-static-3.0.5-7.16.legacy.i386.rpm
a90a2ae47135a28830fb099dd9acdcfd1f83e199 redhat/7.3/updates/i386/qt-Xt-3.0.5-7.16.legacy.i386.rpm
c9c98eff73d7fe6147ffa72baba764cdbfdd0d93 redhat/7.3/updates/SRPMS/qt2-2.3.1-4.legacy.src.rpm
884033926f37ed56e60a750a9ad394436f8b9b4a redhat/7.3/updates/SRPMS/qt-3.0.5-7.16.legacy.src.rpm
db6801606256ca8a27eb53737981194e0a1ea01c redhat/9/updates/i386/qt2-2.3.1-14.legacy.i386.rpm
7f1718735932279b4a8a7ff480cda6186f4e0b52 redhat/9/updates/i386/qt2-designer-2.3.1-14.legacy.i386.rpm
39fec48edde4bec460fba6781c19551a2454d52e redhat/9/updates/i386/qt2-devel-2.3.1-14.legacy.i386.rpm
4aeee3f5f2db49275838920f4980b24f074aa1dc redhat/9/updates/i386/qt2-static-2.3.1-14.legacy.i386.rpm
a8c42841b7d5184f4668890bd04aa68c62fc23cb redhat/9/updates/i386/qt2-Xt-2.3.1-14.legacy.i386.rpm
18f51017809f1a78289b3b1756c6944ef0c1ca71 redhat/9/updates/i386/qt-3.1.1-8.legacy.i386.rpm
c275220a14e1d3f67494eda9674b112dd1925aa7 redhat/9/updates/i386/qt-designer-3.1.1-8.legacy.i386.rpm
4c90b5e9ffdc7c572c0cf4474cda40c46f07c5c0 redhat/9/updates/i386/qt-devel-3.1.1-8.legacy.i386.rpm
bb50a60d29c5b97a5033839f900781c1d7fa6af6 redhat/9/updates/i386/qt-MySQL-3.1.1-8.legacy.i386.rpm
7f79b8bcad7a045614ac3f6cd34af6c2ee365cce redhat/9/updates/i386/qt-ODBC-3.1.1-8.legacy.i386.rpm
2fa4db773641f4f0d67fddd2479a6d992e847825 redhat/9/updates/i386/qt-PostgreSQL-3.1.1-8.legacy.i386.rpm
9537f1669fce9e3a9d9836e892e850315b7ecf39 redhat/9/updates/i386/qt-Xt-3.1.1-8.legacy.i386.rpm
a3ad6d0143139b7fa537cdcf7c121ce120d0bd92 redhat/9/updates/SRPMS/qt2-2.3.1-14.legacy.src.rpm
a5bd53a0a7be64720c4a70510344a5bd5ae5c64b redhat/9/updates/SRPMS/qt-3.1.1-8.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0691
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0692
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0693

9. Contact:

The Fedora Legacy security contact is <secnotice@xxxxxxxxxxxxxxxx>.
More project details at http://www.fedoralegacy.org
---------------------------------------------------------------------
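The following POSIX shell script is an added example, not part of this advisory and not a Fedora Legacy tool. It automates the two checks from sections 4 and 7: it compares every downloaded package against the SHA1 table exactly as the advisory prints it (header and separator lines included), tolerates packages you chose not to download (since rpm -Fvh only freshens packages already installed), and then runs the rpm --checksig step that ties the packages to the Fedora Legacy GPG key. The script name verify_advisory.sh, the list-file format and the base directory layout mirroring the advisory's relative paths are assumptions; the built-in demo uses constructed data (an empty file and its well-known SHA1), not a real package.

```shell
#!/bin/sh
# verify_advisory.sh (hypothetical name): check downloaded packages against the
# SHA1 list in section 7 of the advisory, then run the GPG check it recommends.
# Added example; not a Fedora Legacy script.
#
# Assumptions: the list file holds the advisory's table verbatim, one
# "<sha1> <relative path>" per package, and the packages were saved under a
# base directory that mirrors those relative paths (e.g. $BASE/redhat/9/...).

# SHA1 of one file; uses GNU sha1sum when present, otherwise shasum.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# verify_advisory_sums <listfile> <basedir>
# Prints one status line per entry. Returns 0 only if every package that is
# present matches its published SHA1. Missing files are reported but tolerated:
# rpm -Fvh only freshens packages already installed, so downloading a subset
# of the list is normal.
verify_advisory_sums() {
    list=$1
    base=$2
    bad=0
    while read -r expected path; do
        # Skip blank lines and the table's header/separator lines.
        case "$expected" in
            ''|SHA1|---*) continue ;;
        esac
        file="$base/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
            continue
        fi
        actual=$(sha1_of "$file")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (expected $expected, got $actual)"
            bad=$((bad + 1))
        fi
    done < "$list"
    [ "$bad" -eq 0 ]
}

# check_signatures <basedir> <relative paths...>
# A matching SHA1 only shows the download equals what the advisory text lists;
# the GPG signature ties the package to the Fedora Legacy key (import it from
# the URL in section 7 first). Returns 2 when rpm is not installed.
check_signatures() {
    base=$1
    shift
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found; skipping" >&2; return 2; }
    for p in "$@"; do
        rpm --checksig -v "$base/$p" || return 1
    done
}

# Demo on constructed data: an empty file, whose SHA1 is the well-known
# da39a3ee..., written out in the advisory's table format.
demo_constructed() {
    d=$(mktemp -d)
    mkdir -p "$d/redhat/9/updates/i386"
    : > "$d/redhat/9/updates/i386/constructed-sample.rpm"
    printf '%s\n' \
        'SHA1 sum                                 Package Name' \
        '---------------------------------------------------------------------' \
        'da39a3ee5e6b4b0d3255bfef95601890afd80709 redhat/9/updates/i386/constructed-sample.rpm' \
        > "$d/sums.txt"
    verify_advisory_sums "$d/sums.txt" "$d"
    rc=$?
    rm -rf "$d"
    return $rc
}

# Usage: sh verify_advisory.sh <listfile> <basedir>; with no arguments the
# constructed demo runs instead.
if [ $# -ge 2 ]; then
    verify_advisory_sums "$1" "$2"
else
    demo_constructed
fi
```

Paste section 7's table into the list file as-is; the header and dashed line are skipped automatically. Run check_signatures only after importing the Fedora Legacy key, otherwise rpm reports the signature as unverifiable rather than as valid.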