---------------------------------------------------------------------
                   Fedora Legacy Update Advisory

Synopsis:          Updated gtk2 packages fix security issues
Advisory ID:       FLSA:155510
Issue date:        2005-12-17
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CVE-2004-0753 CVE-2004-0782 CVE-2004-0783
                   CVE-2004-0788 CVE-2005-0891
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

Updated gtk2 packages that fix several security flaws are now
available.

The gtk2 package contains the GIMP ToolKit (GTK+), a library for
creating graphical user interfaces for the X Window System.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386

3. Problem description:

During testing of a previously fixed flaw in Qt (CVE-2004-0691), a
flaw was discovered in the BMP image processor of gtk2. An attacker
could create a carefully crafted BMP file which would cause an
application to enter an infinite loop and not respond to user input
when the file was opened by a victim. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CVE-2004-0753
to this issue.

During a security audit Chris Evans discovered a stack and a heap
overflow in the XPM image decoder. An attacker could create a
carefully crafted XPM file which could cause an application linked
with gtk2 to crash or possibly execute arbitrary code when the file
was opened by a victim. (CVE-2004-0782, CVE-2004-0783)

Chris Evans also discovered an integer overflow in the ICO image
decoder. An attacker could create a carefully crafted ICO file which
could cause an application linked with gtk2 to crash when the file
was opened by a victim. (CVE-2004-0788)

A bug was found in the way gtk2 processes BMP images. It is possible
that a specially crafted BMP image could cause a denial of service
against applications linked against gtk2. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name
CVE-2005-0891 to this issue.

Users of gtk2 are advised to upgrade to these packages, which contain
backported patches and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only
those RPMs which are currently installed will be updated. Those RPMs
which are not installed but included in the list will not be updated.
Note that you can also use wildcards (*.rpm) if your current directory
*only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how
to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=155510

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/gtk2-2.0.2-4.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/gtk2-2.0.2-4.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/gtk2-devel-2.0.2-4.2.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/gtk2-2.2.1-4.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/gtk2-2.2.1-4.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/gtk2-devel-2.2.1-4.2.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/gtk2-2.2.4-10.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/gtk2-2.2.4-10.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/gtk2-devel-2.2.4-10.3.legacy.i386.rpm

7. Verification:

SHA1 sum                                  Package Name
---------------------------------------------------------------------
f923e47859f2b8e973a19978baa299a9eb9510b9  redhat/7.3/updates/i386/gtk2-2.0.2-4.2.legacy.i386.rpm
0b42963350b57d6c8f4d77fc9e611d6e976d80b1  redhat/7.3/updates/i386/gtk2-devel-2.0.2-4.2.legacy.i386.rpm
e975fad01109fe3e9efb1b1ab2d47db32b0b83ee  redhat/7.3/updates/SRPMS/gtk2-2.0.2-4.2.legacy.src.rpm

5d06ac2e6c81087e13c175b457116c0fd6950057  redhat/9/updates/i386/gtk2-2.2.1-4.2.legacy.i386.rpm
99ef7dc3fdd67673358acc791ef306b914653271  redhat/9/updates/i386/gtk2-devel-2.2.1-4.2.legacy.i386.rpm
8ada7b7f6ee51a281d6e0079aba0f2c150fdbf06  redhat/9/updates/SRPMS/gtk2-2.2.1-4.2.legacy.src.rpm

be0ba4a1776f9849cd5734ccb655b9dabb97011b  fedora/1/updates/i386/gtk2-2.2.4-10.3.legacy.i386.rpm
501aa3181b863c6904004ec8ef5c9e38cef77652  fedora/1/updates/i386/gtk2-devel-2.2.4-10.3.legacy.i386.rpm
76c60fd3ca93a1291f6bb60403b3c080323fa855  fedora/1/updates/SRPMS/gtk2-2.2.4-10.3.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key
is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted
or tampered with, examine only the sha1sum with the following
command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0782
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0783
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0788
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0891

9. Contact:

The Fedora Legacy security contact is <secnotice@xxxxxxxxxxxxxxxx>.
More project details at http://www.fedoralegacy.org
---------------------------------------------------------------------
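The verification step in section 7 and the rpm -Fvh step in section 4 are easy to do in the wrong order by hand. The script below, an added example and not a Fedora Legacy tool, checks every downloaded RPM against the advisory's "SHA1 sum / Package Name" table first and only then freshens the installed packages; it assumes the table has been saved to a manifest file, one "<sha1> <path>" line per package, and that the files sit under a local mirror directory.

```shell
#!/bin/sh
# Added example (not from Fedora Legacy): verify RPMs against the advisory's
# SHA1 table, then apply them with rpm -Fvh exactly as section 4 describes.
# Assumes MANIFEST holds "<sha1> <relative path>" lines (the table as published,
# header and dashed rule included) and DIR mirrors the download tree.

# verify_sha1_manifest MANIFEST DIR -> 0 only if every listed file is present
# and its sha1sum matches; each problem is reported on stderr.
verify_sha1_manifest() {
    manifest=$1; dir=$2; failures=0
    while read -r expected path; do
        # skip blank lines, the "SHA1 sum" header and the dashed rule
        case $expected in ''|SHA1|---*) continue ;; esac
        file="$dir/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path" >&2; failures=$((failures + 1)); continue
        fi
        actual=$(sha1sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (expected $expected, got $actual)" >&2
            failures=$((failures + 1))
        fi
    done < "$manifest"
    [ "$failures" -eq 0 ]
}

# apply_update MANIFEST DIR: refuse to install anything unless all sums match.
# rpm -Fvh only freshens packages already installed, as the advisory notes.
# DRY_RUN=1 prints the rpm command instead of running it; the GPG check
# (rpm --checksig -v) additionally needs the Fedora Legacy key imported.
apply_update() {
    verify_sha1_manifest "$1" "$2" || {
        echo "checksum verification failed; nothing applied" >&2; return 1
    }
    files=$(awk -v d="$2" 'NF == 2 && $1 != "SHA1" && $1 !~ /^-/ { print d "/" $2 }' "$1")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        # shellcheck disable=SC2086
        echo rpm -Fvh $files
    else
        # shellcheck disable=SC2086
        rpm -Fvh $files
    fi
}
```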