MDKSA-2005:133 - Updated netpbm packages fix temporary file vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Update Advisory
_______________________________________________________________________
Package name: netpbm
Advisory ID: MDKSA-2005:133
Date: August 9th, 2005
Affected versions: 10.0, 10.1, 10.2, Corporate 3.0,
Corporate Server 2.1
______________________________________________________________________
Problem Description:
Max Vozeler discovered that pstopnm, a part of the netpbm graphics
utility suite, would call the GhostScript interpreter on untrusted
PostScript files without using the -dSAFER option when converting a
PostScript file into a PBM, PGM, or PNM file. This could result in
the execution of arbitrary commands with the privileges of the user
running pstopnm if they could be convinced to try to convert a
malicious PostScript file.
The updated packages have been patched to correct this problem.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2471
http://secunia.com/advisories/16184/
______________________________________________________________________
Updated Packages:
Mandrakelinux 10.0:
7bb710a56342cc78170bb74b37f512b0 10.0/RPMS/libnetpbm9-9.24-8.2.100mdk.i586.rpm
7f820a3e8fcfaa705c0164cfd1b7a5c0
10.0/RPMS/libnetpbm9-devel-9.24-8.2.100mdk.i586.rpm
3de55337645f009ed8e951b3e97b9507
10.0/RPMS/libnetpbm9-static-devel-9.24-8.2.100mdk.i586.rpm
d32febe43b6b19ca7a3189b41de6d53c 10.0/RPMS/netpbm-9.24-8.2.100mdk.i586.rpm
7d2bdf5636955adc39bfe13c4c581858 10.0/SRPMS/netpbm-9.24-8.2.100mdk.src.rpm
Mandrakelinux 10.0/AMD64:
04a7546fef5edfa604cdfd1e3dff1bc2
amd64/10.0/RPMS/lib64netpbm9-9.24-8.2.100mdk.amd64.rpm
f89f7f330ecb8dd8e9a536afdcfb56f0
amd64/10.0/RPMS/lib64netpbm9-devel-9.24-8.2.100mdk.amd64.rpm
0401393af2d5b3a933b487a1e00e3e43
amd64/10.0/RPMS/lib64netpbm9-static-devel-9.24-8.2.100mdk.amd64.rpm
2400c52abc020a3ac9883bc02dc77f36
amd64/10.0/RPMS/netpbm-9.24-8.2.100mdk.amd64.rpm
7d2bdf5636955adc39bfe13c4c581858
amd64/10.0/SRPMS/netpbm-9.24-8.2.100mdk.src.rpm
Mandrakelinux 10.1:
0c7ca6675e4a1502dc450d8b31076753 10.1/RPMS/libnetpbm9-9.24-8.1.101mdk.i586.rpm
ac327d0433d6c672e382a2c1f4dc8667
10.1/RPMS/libnetpbm9-devel-9.24-8.1.101mdk.i586.rpm
dee01cf52709fbbc65f3a0c21d4573d9
10.1/RPMS/libnetpbm9-static-devel-9.24-8.1.101mdk.i586.rpm
6c9bedecf233accd53f123f3c2a26aec 10.1/RPMS/netpbm-9.24-8.1.101mdk.i586.rpm
8722f08f1813fb796d7b5fa8576f6045 10.1/SRPMS/netpbm-9.24-8.1.101mdk.src.rpm
Mandrakelinux 10.1/X86_64:
9b99ec325088181a931983f622c7649f
x86_64/10.1/RPMS/lib64netpbm9-9.24-8.1.101mdk.x86_64.rpm
119d4f558fddb4bafee84dc5da3f0c8a
x86_64/10.1/RPMS/lib64netpbm9-devel-9.24-8.1.101mdk.x86_64.rpm
13e9911031dc3d8b23da2157451f89a8
x86_64/10.1/RPMS/lib64netpbm9-static-devel-9.24-8.1.101mdk.x86_64.rpm
6637e848b29abe54142155f66ac79fb9
x86_64/10.1/RPMS/netpbm-9.24-8.1.101mdk.x86_64.rpm
8722f08f1813fb796d7b5fa8576f6045
x86_64/10.1/SRPMS/netpbm-9.24-8.1.101mdk.src.rpm
Mandrakelinux 10.2:
4db608229fad2d6014ea506ad775e9f8
10.2/RPMS/libnetpbm10-10.26-2.1.102mdk.i586.rpm
4fd7e7857c692209d4c94a8a5ebe84cc
10.2/RPMS/libnetpbm10-devel-10.26-2.1.102mdk.i586.rpm
4521de30a4e9ee995200ae0c1443132b
10.2/RPMS/libnetpbm10-static-devel-10.26-2.1.102mdk.i586.rpm
a3b5efc89e18489ef2cd181b20a1dc1b 10.2/RPMS/netpbm-10.26-2.1.102mdk.i586.rpm
52d2d1a460d07b33fbe7f6204d1cf51f 10.2/SRPMS/netpbm-10.26-2.1.102mdk.src.rpm
Mandrakelinux 10.2/X86_64:
37912f8c31bd31b979bfdb69ad357837
x86_64/10.2/RPMS/lib64netpbm10-10.26-2.1.102mdk.x86_64.rpm
928a397b673e96ed0fecdd62878aef84
x86_64/10.2/RPMS/lib64netpbm10-devel-10.26-2.1.102mdk.x86_64.rpm
b74c96495461b1406af317e91932500e
x86_64/10.2/RPMS/lib64netpbm10-static-devel-10.26-2.1.102mdk.x86_64.rpm
30ae5cd7a9e65594e30cf876f352fda6
x86_64/10.2/RPMS/netpbm-10.26-2.1.102mdk.x86_64.rpm
52d2d1a460d07b33fbe7f6204d1cf51f
x86_64/10.2/SRPMS/netpbm-10.26-2.1.102mdk.src.rpm
Corporate Server 2.1:
f42bccdec9b6f8a432191730b85d186c
corporate/2.1/RPMS/libnetpbm9-9.24-4.4.C21mdk.i586.rpm
3e877555a0533572d788a4d47694bccd
corporate/2.1/RPMS/libnetpbm9-devel-9.24-4.4.C21mdk.i586.rpm
57dcadc0b0d94243894bccdaf17acf8a
corporate/2.1/RPMS/libnetpbm9-static-devel-9.24-4.4.C21mdk.i586.rpm
1fa1e01964db5302ddc773c2be67ca6b
corporate/2.1/RPMS/netpbm-9.24-4.4.C21mdk.i586.rpm
511aeb9ce3bdb6429e8a8ce06b873b6b
corporate/2.1/SRPMS/netpbm-9.24-4.4.C21mdk.src.rpm
Corporate Server 2.1/X86_64:
6dfd39d7a3b0db15b273b2b7b7db01c4
x86_64/corporate/2.1/RPMS/libnetpbm9-9.24-4.4.C21mdk.x86_64.rpm
50c24455f7b43e1f7fe7581a12655c39
x86_64/corporate/2.1/RPMS/libnetpbm9-devel-9.24-4.4.C21mdk.x86_64.rpm
b947dcdb4226298cb90c644cce9dbd4c
x86_64/corporate/2.1/RPMS/libnetpbm9-static-devel-9.24-4.4.C21mdk.x86_64.rpm
e1ace7d529c4adc3cc4e64d116467e0b
x86_64/corporate/2.1/RPMS/netpbm-9.24-4.4.C21mdk.x86_64.rpm
511aeb9ce3bdb6429e8a8ce06b873b6b
x86_64/corporate/2.1/SRPMS/netpbm-9.24-4.4.C21mdk.src.rpm
Corporate 3.0:
b086f97cc2bad2023fd2446135e00def
corporate/3.0/RPMS/libnetpbm9-9.24-8.2.C30mdk.i586.rpm
768f2b273391c3cb4d39790ac91b40c4
corporate/3.0/RPMS/libnetpbm9-devel-9.24-8.2.C30mdk.i586.rpm
7f6eb96aef5065be7370f1954b252dee
corporate/3.0/RPMS/libnetpbm9-static-devel-9.24-8.2.C30mdk.i586.rpm
1b2c5cb64efceac8a39d1d84aa362f2d
corporate/3.0/RPMS/netpbm-9.24-8.2.C30mdk.i586.rpm
435e2548bed0da6bc4519910e3bae83f
corporate/3.0/SRPMS/netpbm-9.24-8.2.C30mdk.src.rpm
Corporate 3.0/X86_64:
c6fcd7a90094eeae7e67ee56d71d3e22
x86_64/corporate/3.0/RPMS/lib64netpbm9-9.24-8.2.C30mdk.x86_64.rpm
a8d06987e1aacb0c9ab174082bc024a0
x86_64/corporate/3.0/RPMS/lib64netpbm9-devel-9.24-8.2.C30mdk.x86_64.rpm
2653e371af14609096eb2ed9ef7e5963
x86_64/corporate/3.0/RPMS/lib64netpbm9-static-devel-9.24-8.2.C30mdk.x86_64.rpm
7b93e604b00f197a77e49fe94a3cd612
x86_64/corporate/3.0/RPMS/netpbm-9.24-8.2.C30mdk.x86_64.rpm
435e2548bed0da6bc4519910e3bae83f
x86_64/corporate/3.0/SRPMS/netpbm-9.24-8.2.C30mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFC+lMPmqjQ0CJFipgRAkreAJ4kAZA+Mh+k65v3cr5ZUpDVun4QYwCdF6NJ
ooCqglOMXw6xMoN8W8h8m9g=
=tJMw
-----END PGP SIGNATURE-----