[Full-Disclosure] MDKSA-2004:095-1 - Updated gdk-pixbuf and gtk+2 packages fix image loading vulnerabilities

From: Mandrake Linux Security Team (security_at_linux-mandrake.com)
Date: 09/17/04

  • Next message: jklemenc_at_fnal.gov: "[Full-Disclosure] Re: Windows XP JPEG Buffer Overflow"
    To: full-disclosure@lists.netsys.com
    Date: 17 Sep 2004 20:42:19 -0000
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

     _______________________________________________________________________

                     Mandrakelinux Security Update Advisory
     _______________________________________________________________________

     Package name: gdk-pixbuf/gtk+2
     Advisory ID: MDKSA-2004:095-1
     Date: September 17th, 2004
     Original Advisory Date: September 15th, 2004
     Affected versions: 10.0, 9.2
     ______________________________________________________________________

     Problem Description:

     A vulnerability was found in the gdk-pixbug bmp loader where a bad BMP
     image could send the bmp loader into an infinite loop (CAN-2004-0753).
     
     Chris Evans found a heap-based overflow and a stack-based overflow in
     the xpm loader of gdk-pixbuf (CAN-2004-0782 and CAN-2004-0783).
     
     Chris Evans also discovered an integer overflow in the ico loader of
     gdk-pixbuf (CAN-2004-0788).
     
     All four problems have been corrected in these updated packages.
      
    Update:

     The previous package had an incorrect patch applied that would cause
     some problems with other programs. The updated packages have the
     correct patch applied.
     
     As well, patched gtk+2 packages, which also contain gdk-pixbuf, are
     now provided.
     _______________________________________________________________________

     References:

      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0753
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0782
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0783
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0788
     ______________________________________________________________________

     Updated Packages:
      
     Mandrakelinux 10.0:
     8e876939c906d6f9dd26df036c7034c1 10.0/RPMS/gdk-pixbuf-loaders-0.22.0-2.2.100mdk.i586.rpm
     ee4ccc32d2c7d17ad602ba391c1c46ff 10.0/RPMS/libgdk-pixbuf-gnomecanvas1-0.22.0-2.2.100mdk.i586.rpm
     b1e29d741dfd0b4db56085e346663d66 10.0/RPMS/libgdk-pixbuf-xlib2-0.22.0-2.2.100mdk.i586.rpm
     acd358e06b571209fa07ed81d6f08c6f 10.0/RPMS/libgdk-pixbuf2-0.22.0-2.2.100mdk.i586.rpm
     6f866e24c433387958ff737bcdf5e424 10.0/RPMS/libgdk-pixbuf2-devel-0.22.0-2.2.100mdk.i586.rpm
     d8083e6a741ba196202b3beba6ec6533 10.0/SRPMS/gdk-pixbuf-0.22.0-2.2.100mdk.src.rpm
     d49f667b621b191ef971380f46323fb3 10.0/RPMS/gtk+2.0-2.2.4-10.1.100mdk.i586.rpm
     b6582a8ad1236a1d69bdbdbe5188234a 10.0/RPMS/libgdk_pixbuf2.0_0-2.2.4-10.1.100mdk.i586.rpm
     3eca5e1e74c3cda7cd8e5344388c47d2 10.0/RPMS/libgdk_pixbuf2.0_0-devel-2.2.4-10.1.100mdk.i586.rpm
     3803aa8ad8bf2cfa552e8dc3035d529a 10.0/RPMS/libgtk+-linuxfb-2.0_0-2.2.4-10.1.100mdk.i586.rpm
     141d8446994456d82389932eeffe33cf 10.0/RPMS/libgtk+-linuxfb-2.0_0-devel-2.2.4-10.1.100mdk.i586.rpm
     56f8b5bb0aeaaeccd582250868008695 10.0/RPMS/libgtk+-x11-2.0_0-2.2.4-10.1.100mdk.i586.rpm
     a56a6e8aecb12b48b0f9de75d987a035 10.0/RPMS/libgtk+2.0_0-2.2.4-10.1.100mdk.i586.rpm
     690b201975e573c5467a6767fb349beb 10.0/RPMS/libgtk+2.0_0-devel-2.2.4-10.1.100mdk.i586.rpm
     80b1d38274cffc8796e5a3ab205f3e7d 10.0/SRPMS/gtk+2.0-2.2.4-10.1.100mdk.src.rpm

     Mandrakelinux 10.0/AMD64:
     3205a9334ed0de43d3d5c26a2294e800 amd64/10.0/RPMS/gdk-pixbuf-loaders-0.22.0-2.2.100mdk.amd64.rpm
     924018f6f4abe98841068c1708229e09 amd64/10.0/RPMS/lib64gdk-pixbuf-gnomecanvas1-0.22.0-2.2.100mdk.amd64.rpm
     5a14fee773367fc440566e7922a09579 amd64/10.0/RPMS/lib64gdk-pixbuf-xlib2-0.22.0-2.2.100mdk.amd64.rpm
     13b76036783088ade2f56b697cc8c2ac amd64/10.0/RPMS/lib64gdk-pixbuf2-0.22.0-2.2.100mdk.amd64.rpm
     f8375076c5c0de45494b717fc86f7c97 amd64/10.0/RPMS/lib64gdk-pixbuf2-devel-0.22.0-2.2.100mdk.amd64.rpm
     d8083e6a741ba196202b3beba6ec6533 amd64/10.0/SRPMS/gdk-pixbuf-0.22.0-2.2.100mdk.src.rpm
     b5dc1e354716a812c2b1eaffb69029f9 amd64/10.0/RPMS/gtk+2.0-2.2.4-10.1.100mdk.amd64.rpm
     ddcf934113e300381b3f0311cd7df849 amd64/10.0/RPMS/lib64gdk_pixbuf2.0_0-2.2.4-10.1.100mdk.amd64.rpm
     b003aa7e7f825327a6e2b18d0be53fb1 amd64/10.0/RPMS/lib64gdk_pixbuf2.0_0-devel-2.2.4-10.1.100mdk.amd64.rpm
     1f6b5579bf13a04eefa01686feec455f amd64/10.0/RPMS/lib64gtk+-linuxfb-2.0_0-2.2.4-10.1.100mdk.amd64.rpm
     ce660c9b9e0111a0fef8178732d4f614 amd64/10.0/RPMS/lib64gtk+-linuxfb-2.0_0-devel-2.2.4-10.1.100mdk.amd64.rpm
     cb3e62c954221b745bb0dc0288674f3f amd64/10.0/RPMS/lib64gtk+-x11-2.0_0-2.2.4-10.1.100mdk.amd64.rpm
     546d7b306fb21cd6cc15eb9fc383a2d0 amd64/10.0/RPMS/lib64gtk+2.0_0-2.2.4-10.1.100mdk.amd64.rpm
     3c3c00ceb1235d58e6f6b9e6bbe9044a amd64/10.0/RPMS/lib64gtk+2.0_0-devel-2.2.4-10.1.100mdk.amd64.rpm
     80b1d38274cffc8796e5a3ab205f3e7d amd64/10.0/SRPMS/gtk+2.0-2.2.4-10.1.100mdk.src.rpm

     Mandrakelinux 9.2:
     bf8f3710f9792ea4a3129410afbf1cda 9.2/RPMS/gdk-pixbuf-loaders-0.22.0-2.2.92mdk.i586.rpm
     2ab77930f412c6f3a0373134b24b1165 9.2/RPMS/libgdk-pixbuf-gnomecanvas1-0.22.0-2.2.92mdk.i586.rpm
     0a4c0705ff1c118424b1570a9b2acc2f 9.2/RPMS/libgdk-pixbuf-xlib2-0.22.0-2.2.92mdk.i586.rpm
     95d4691c391b146db6ff14619dd53227 9.2/RPMS/libgdk-pixbuf2-0.22.0-2.2.92mdk.i586.rpm
     020d320f39d69ce1e3b340938eac0256 9.2/RPMS/libgdk-pixbuf2-devel-0.22.0-2.2.92mdk.i586.rpm
     a7f6afac10617f2171f8a796987ba0fb 9.2/SRPMS/gdk-pixbuf-0.22.0-2.2.92mdk.src.rpm
     328642197df7603b7ff700d3b5ca12cf 9.2/RPMS/gtk+2.0-2.2.4-2.1.92mdk.i586.rpm
     1650e731804b10685bb1b0ccf101b389 9.2/RPMS/libgdk_pixbuf2.0_0-2.2.4-2.1.92mdk.i586.rpm
     5722237cd995567e4ed3be4139d9d96d 9.2/RPMS/libgdk_pixbuf2.0_0-devel-2.2.4-2.1.92mdk.i586.rpm
     f26d81eed60057e456fffe42a9a01437 9.2/RPMS/libgtk+-linuxfb-2.0_0-2.2.4-2.1.92mdk.i586.rpm
     daa0ca425129e332476c4fc8f9709ff1 9.2/RPMS/libgtk+-linuxfb-2.0_0-devel-2.2.4-2.1.92mdk.i586.rpm
     da70d8bdacb5c1d2e9d301a389ddb82e 9.2/RPMS/libgtk+-x11-2.0_0-2.2.4-2.1.92mdk.i586.rpm
     8a66354ff887f9d280681759734509c0 9.2/RPMS/libgtk+2.0_0-2.2.4-2.1.92mdk.i586.rpm
     d0c7f1573d1e3368814ec9c35ea6dd5a 9.2/RPMS/libgtk+2.0_0-devel-2.2.4-2.1.92mdk.i586.rpm
     5dc4e93ced7632259aaf1278c38dd347 9.2/SRPMS/gtk+2.0-2.2.4-2.1.92mdk.src.rpm

     Mandrakelinux 9.2/AMD64:
     e6fa6dcf9860cbcde2d2dda9414e22a8 amd64/9.2/RPMS/gdk-pixbuf-loaders-0.22.0-2.2.92mdk.amd64.rpm
     182bd59ea26eb0ea4b93bf880bb97be4 amd64/9.2/RPMS/lib64gdk-pixbuf-gnomecanvas1-0.22.0-2.2.92mdk.amd64.rpm
     d10c1f03a8f14a6604ec6d5f2df9d5f1 amd64/9.2/RPMS/lib64gdk-pixbuf-xlib2-0.22.0-2.2.92mdk.amd64.rpm
     b424932876f00a98b9c4b2722b97473e amd64/9.2/RPMS/lib64gdk-pixbuf2-0.22.0-2.2.92mdk.amd64.rpm
     81dfec9c414854253d54bbac2565dfb1 amd64/9.2/RPMS/lib64gdk-pixbuf2-devel-0.22.0-2.2.92mdk.amd64.rpm
     a7f6afac10617f2171f8a796987ba0fb amd64/9.2/SRPMS/gdk-pixbuf-0.22.0-2.2.92mdk.src.rpm
     a090868933ecbda11441f81abea5f39b amd64/9.2/RPMS/gtk+2.0-2.2.4-2.1.92mdk.amd64.rpm
     e0c151dc3a22cb61f39a3686e0389432 amd64/9.2/RPMS/lib64gdk_pixbuf2.0_0-2.2.4-2.1.92mdk.amd64.rpm
     1e427925b97e0200fe0908fee1516ad7 amd64/9.2/RPMS/lib64gdk_pixbuf2.0_0-devel-2.2.4-2.1.92mdk.amd64.rpm
     74574e4676ce7322f1dcca7c602f56e6 amd64/9.2/RPMS/lib64gtk+-linuxfb-2.0_0-2.2.4-2.1.92mdk.amd64.rpm
     59907a6229374428927b54d2fedeb78c amd64/9.2/RPMS/lib64gtk+-linuxfb-2.0_0-devel-2.2.4-2.1.92mdk.amd64.rpm
     d161e7dab4e9dc17ecc4fa6cbdc24ecb amd64/9.2/RPMS/lib64gtk+-x11-2.0_0-2.2.4-2.1.92mdk.amd64.rpm
     03eb76253ed818631a08fd8474c8a351 amd64/9.2/RPMS/lib64gtk+2.0_0-2.2.4-2.1.92mdk.amd64.rpm
     8990247a796b55339d5b1b1237b06c97 amd64/9.2/RPMS/lib64gtk+2.0_0-devel-2.2.4-2.1.92mdk.amd64.rpm
     5dc4e93ced7632259aaf1278c38dd347 amd64/9.2/SRPMS/gtk+2.0-2.2.4-2.1.92mdk.src.rpm
     _______________________________________________________________________

     To upgrade automatically use MandrakeUpdate or urpmi. The verification
     of md5 checksums and GPG signatures is performed automatically for you.

     All packages are signed by Mandrakesoft for security. You can obtain
     the GPG public key of the Mandrakelinux Security Team by executing:

      gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

     You can view other update advisories for Mandrakelinux at:

      http://www.mandrakesoft.com/security/advisories

     If you want to report vulnerabilities, please contact

      security_linux-mandrake.com

     Type Bits/KeyID Date User ID
     pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
      <security linux-mandrake.com>
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)

    iD8DBQFBS0wrmqjQ0CJFipgRAuWYAJ4gJYDFZKu+OqVi2VKMeMRdYHHiWQCgqu42
    IY4viuVUlVroGe8G305OEnc=
    =fwSj
    -----END PGP SIGNATURE-----

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: jklemenc_at_fnal.gov: "[Full-Disclosure] Re: Windows XP JPEG Buffer Overflow"

    Relevant Pages