[Full-Disclosure] MDKSA-2004:137 - Updated libxpm4 packages fix libXpm vulnerabilities

From: Mandrake Linux Security Team (security_at_linux-mandrake.com)
Date: 11/23/04

    To: full-disclosure@lists.netsys.com
    Date: 23 Nov 2004 04:19:11 -0000
    
    


     _______________________________________________________________________

                     Mandrakelinux Security Update Advisory
     _______________________________________________________________________

     Package name: libxpm4
     Advisory ID: MDKSA-2004:137
     Date: November 22nd, 2004

     Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1
     ______________________________________________________________________

     Problem Description:

     The XPM library, which is part of the XFree86/XOrg project, is used
     by several GUI applications to process XPM image files.
     
     A source code review of the XPM library, done by Thomas Biege of the
     SuSE Security Team, revealed several different kinds of bugs:
     integer overflows, out-of-bounds memory access, shell command
     execution, path traversal, and endless loops.
     
     These bugs can be exploited by remote or local attackers, using a
     specially crafted XPM image, to gain access to the system or to
     escalate their local privileges.
     
     Updated packages are patched to correct all these issues.
     _______________________________________________________________________

     References:

      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0914
     ______________________________________________________________________

     Updated Packages:
     _______________________________________________________________________

     To upgrade automatically use MandrakeUpdate or urpmi. The verification
     of md5 checksums and GPG signatures is performed automatically for you.

     All packages are signed by Mandrakesoft for security. You can obtain
     the GPG public key of the Mandrakelinux Security Team by executing:

      gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

     You can view other update advisories for Mandrakelinux at:

      http://www.mandrakesoft.com/security/advisories

     If you want to report vulnerabilities, please contact

      security@linux-mandrake.com

     Type Bits/KeyID Date User ID
     pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
      <security@linux-mandrake.com>

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
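Added illustration, not code from the advisory or from libXpm itself, of the integer-overflow bug class the problem description names: an XPM header's width and height are multiplied to size the pixel buffer, and an unchecked product wraps so that a crafted header yields a buffer far smaller than the pixel data that follows, while the hardened form bounds each field and checks the product. The field bounds and the function names are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse the XPM "<values>" line: "<width> <height> <ncolors> <chars_per_pixel>"
 * (an optional trailing hotspot "x y" is ignored here). */
static int parse_values(const char *line, unsigned long *w, unsigned long *h,
                        unsigned long *nc, unsigned long *cpp) {
    return sscanf(line, "%lu %lu %lu %lu", w, h, nc, cpp) == 4;
}

/* Unchecked computation of the kind behind the "integer overflow" entry in
 * the advisory: the product silently wraps in 32-bit arithmetic, so a
 * crafted header produces a tiny (or zero-byte) allocation that the pixel
 * loop then writes far beyond. Returns the possibly wrapped byte count,
 * 0 on parse failure. */
uint32_t pixel_bytes_unchecked(const char *values) {
    unsigned long w, h, nc, cpp;
    if (!parse_values(values, &w, &h, &nc, &cpp)) return 0;
    uint32_t n = (uint32_t)w * (uint32_t)h;   /* may wrap modulo 2^32 */
    return n * 4u;                            /* 4 bytes per pixel, may wrap */
}

/* Hardened form: bound every header field before multiplying, then do the
 * product in 64 bits and refuse anything that would not fit the 32-bit
 * size used for allocation. Returns the byte count, or 0 for any header
 * that is malformed, degenerate or out of range. The bounds are
 * illustrative choices (assumption), not libXpm's own constants. */
uint32_t pixel_bytes_checked(const char *values) {
    unsigned long w, h, nc, cpp;
    if (!parse_values(values, &w, &h, &nc, &cpp)) return 0;
    if (w == 0 || h == 0 || nc == 0 || cpp == 0 || cpp > 8) return 0;
    if (w > 32767 || h > 32767 || nc > 65536) return 0;
    uint64_t n = (uint64_t)w * (uint64_t)h * 4u;
    if (n > UINT32_MAX) return 0;             /* cannot wrap, but states intent */
    return (uint32_t)n;
}

int main(void) {
    /* Constructed headers: a normal 16x16 icon and two crafted ones. */
    const char *hdrs[] = { "16 16 2 1", "65537 65537 1 1", "1073741824 1 1 1" };
    for (int i = 0; i < 3; i++)
        printf("%-18s unchecked=%10u checked=%u\n", hdrs[i],
               pixel_bytes_unchecked(hdrs[i]), pixel_bytes_checked(hdrs[i]));
    return 0;
}
```

The second header wraps to a 524292-byte buffer for a four-billion-pixel image and the third wraps to a zero-byte allocation; the checked variant rejects both and accepts only the 16x16 header.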