--------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated libungif packages fix security issues Advisory ID: FLSA:174479 Issue date: 2006-03-16 Product: Red Hat Linux, Fedora Core Keywords: Bugfix CVE Names: CVE-2005-2974 CVE-2005-3350 --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Topic: Updated libungif packages that fix two security issues are now available. The libungif package contains a shared library of functions for loading and saving GIF format image files. 2. Relevant releases/architectures: Red Hat Linux 7.3 - i386 Red Hat Linux 9 - i386 Fedora Core 1 - i386 Fedora Core 2 - i386 3. Problem description: Several bugs in the way libungif decodes GIF images were discovered. An attacker could create a carefully crafted GIF image file in such a way that it could cause an application linked with libungif to crash or execute arbitrary code when the file is opened by a victim. The Common Vulnerabilities and Exposures project has assigned the names CVE-2005-2974 and CVE-2005-3350 to these issues. All users of libungif are advised to upgrade to these updated packages, which contain backported patches that resolve these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=174479 6. RPMs required: Red Hat Linux 7.3: SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/libungif-4.1.0-10.2.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/libungif-4.1.0-10.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/libungif-devel-4.1.0-10.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/libungif-progs-4.1.0-10.2.legacy.i386.rpm Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/libungif-4.1.0-15.2.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/libungif-4.1.0-15.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/libungif-devel-4.1.0-15.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/libungif-progs-4.1.0-15.2.legacy.i386.rpm Fedora Core 1: SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/libungif-4.1.0-16.2.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/1/updates/i386/libungif-4.1.0-16.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/libungif-devel-4.1.0-16.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/libungif-progs-4.1.0-16.2.legacy.i386.rpm Fedora Core 2: SRPM: http://download.fedoralegacy.org/fedora/2/updates/SRPMS/libungif-4.1.0-17.3.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/2/updates/i386/libungif-4.1.0-17.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/libungif-devel-4.1.0-17.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/libungif-progs-4.1.0-17.3.legacy.i386.rpm 7. Verification: SHA1 sum Package Name --------------------------------------------------------------------- 540bf946dff308b065de73d7ce6ab9eb8d8c504a redhat/7.3/updates/i386/libungif-4.1.0-10.2.legacy.i386.rpm 840791ef661042f779275b7c835760ab521a8d80 redhat/7.3/updates/i386/libungif-devel-4.1.0-10.2.legacy.i386.rpm 81f2ed8f2bae2785ec2820234875b870f583c7ce redhat/7.3/updates/i386/libungif-progs-4.1.0-10.2.legacy.i386.rpm 8e039159be2bf479bf2bdb84ebadc2a364b3bd06 redhat/7.3/updates/SRPMS/libungif-4.1.0-10.2.legacy.src.rpm c78cfe7b9a7e46d45865fcebad0956efb8962970 redhat/9/updates/i386/libungif-4.1.0-15.2.legacy.i386.rpm 1b8a2ff811fca4b56850adfc5fc602bd140876d8 redhat/9/updates/i386/libungif-devel-4.1.0-15.2.legacy.i386.rpm 35f6365684cec0da676b5c5fea9bdf2e9863d1ff redhat/9/updates/i386/libungif-progs-4.1.0-15.2.legacy.i386.rpm cb023ca008db9d81ad6d730cb714cb1f51ea97f3 redhat/9/updates/SRPMS/libungif-4.1.0-15.2.legacy.src.rpm 351c84419dfff38690db6f343fa91a41e6b2af1e fedora/1/updates/i386/libungif-4.1.0-16.2.legacy.i386.rpm 72af8bc46a9deb31ede1fc773866e67f20f0da0b fedora/1/updates/i386/libungif-devel-4.1.0-16.2.legacy.i386.rpm 3d36816c8ec4479647419402be97568fade3088e fedora/1/updates/i386/libungif-progs-4.1.0-16.2.legacy.i386.rpm 92a4859d10e58f5abc85e7e22c89e4cf4911fbf0 fedora/1/updates/SRPMS/libungif-4.1.0-16.2.legacy.src.rpm 3a87b57220b6b788150d240977774dc54f6732fe fedora/2/updates/i386/libungif-4.1.0-17.3.legacy.i386.rpm c2d7e51e31ecb48546712d0c6f9998601af6daec fedora/2/updates/i386/libungif-devel-4.1.0-17.3.legacy.i386.rpm fbde1aceba27f12aacb41c8acbe2cf58a59cc121 fedora/2/updates/i386/libungif-progs-4.1.0-17.3.legacy.i386.rpm 609e3081132c7dca0da32f631e5ec4117df51265 fedora/2/updates/SRPMS/libungif-4.1.0-17.3.legacy.src.rpm These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v <filename> If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum <filename> 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2974 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3350 9. Contact: The Fedora Legacy security contact is <secnotice@xxxxxxxxxxxxxxxx>. More project details at http://www.fedoralegacy.org ---------------------------------------------------------------------
Attachment:
signature.asc
Description: OpenPGP digital signature