[CLA-2004:866] Conectiva Security Announcement - qt3

From: Conectiva Updates (secure_at_conectiva.com.br)
Date: 09/22/04

Date: Wed, 22 Sep 2004 11:01:41 -0300
To: conectiva-updates@papaleguas.conectiva.com.br, lwn@lwn.net, bugtraq@securityfocus.com, security-alerts@linuxsecurity.com, linsec@lists.seifried.org


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - --------------------------------------------------------------------------
    CONECTIVA LINUX SECURITY ANNOUNCEMENT
    - --------------------------------------------------------------------------

    PACKAGE : qt3
    SUMMARY : Fixes for image loader vulnerabilities
    DATE : 2004-09-22 10:55:00
    ID : CLA-2004:866
    RELEVANT RELEASES : 9, 10

    - -------------------------------------------------------------------------

    DESCRIPTION
     QT[1] is a cross-platform GUI toolkit mostly used by KDE.
     
     Chris Evans found[2] a heap overflow vulnerability[3] in the QT
     library when handling 8-bit RLE encoded BMP files. An attacker could
     use this to compromise the account used to view the specially crafted
     image. Further investigations found similar vulnerabilities in
     XPM[4], GIF[5] and JPEG image handlers.
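The defect class the advisory describes, as an added illustration (this is not the QT code, and the decoder layout, the helper names and the sample streams are constructed for the example): a BMP 8-bit RLE decoder sizes its pixel buffer from the header's width and height, but the run lengths in the data stream drive the writes. The version below guards every pixel store and rejects a stream that would write outside the buffer; remove that guard and a crafted file overruns the heap allocation.

```python
"""Bounds-checked decoder for the 8-bit RLE (BI_RLE8) pixel stream of BMP files.

Added illustration of the defect class named in the advisory: a decoder that
sizes its pixel buffer from the header's width and height but lets the run
lengths in the data stream drive the writes.  This is NOT the QT code; the
decoder layout and the sample streams below are constructed for the example.
"""


class MalformedRLE(ValueError):
    """Raised when the stream would write outside the pixel buffer."""


def decode_rle8(data, width, height):
    """Decode a BI_RLE8 stream into a width*height row-major bytearray.

    Every pixel store goes through put(), which refuses to write outside the
    buffer.  Drop that check and a run longer than the remaining row (or more
    rows than the header promised) writes past the allocation.
    """
    if width <= 0 or height <= 0:
        raise MalformedRLE("non-positive image dimensions")
    pixels = bytearray(width * height)
    x = y = 0   # cursor inside the image
    pos = 0     # cursor inside the RLE stream

    def put(value):
        nonlocal x
        if x >= width or y >= height:
            raise MalformedRLE("run writes outside image at x=%d, y=%d" % (x, y))
        pixels[y * width + x] = value
        x += 1

    while True:
        if pos + 2 > len(data):
            raise MalformedRLE("truncated stream, no end-of-bitmap marker")
        count, value = data[pos], data[pos + 1]
        pos += 2
        if count > 0:                  # encoded mode: 'value' repeated 'count' times
            for _ in range(count):
                put(value)
        elif value == 0:               # escape 0: end of line
            x, y = 0, y + 1
        elif value == 1:               # escape 1: end of bitmap
            return pixels
        elif value == 2:               # escape 2: delta, move cursor by (dx, dy)
            if pos + 2 > len(data):
                raise MalformedRLE("truncated delta")
            x, y = x + data[pos], y + data[pos + 1]
            pos += 2
        else:                          # escape >= 3: 'value' literal pixels follow
            end = pos + value
            if end > len(data):
                raise MalformedRLE("truncated absolute run")
            for literal in data[pos:end]:
                put(literal)
            pos = end + (value & 1)    # literal runs are padded to an even length


def is_well_formed(data, width, height):
    """True if the stream decodes without touching memory outside the buffer."""
    try:
        decode_rle8(data, width, height)
        return True
    except MalformedRLE:
        return False


# Constructed 4x2 sample: row 0 = one encoded pixel + three literals, row 1 = one run.
GOOD_STREAM = bytes([0x01, 0xAA,                          # 1 x 0xAA
                     0x00, 0x03, 0x01, 0x02, 0x03, 0x00,  # 3 literals + pad byte
                     0x00, 0x00,                          # end of line
                     0x04, 0xBB,                          # 4 x 0xBB
                     0x00, 0x01])                         # end of bitmap

# Constructed hostile sample for the same 4x2 header: a 255-pixel run on a 4-pixel row.
OVERLONG_RUN = bytes([0xFF, 0x41, 0x00, 0x01])

# Constructed sample using a delta escape to land on the last pixel of the image.
DELTA_STREAM = bytes([0x00, 0x02, 0x03, 0x01,             # move cursor to (3, 1)
                     0x01, 0xCC,                          # 1 x 0xCC
                     0x00, 0x01])                         # end of bitmap

if __name__ == "__main__":
    print(decode_rle8(GOOD_STREAM, 4, 2).hex())
    print(is_well_formed(OVERLONG_RUN, 4, 2))
```

The same stream is accepted or rejected depending on the header it is paired with (`GOOD_STREAM` fits a 4x2 image and not a 3x2 one), which is the point: the header and the data are two independent, attacker-controlled inputs, and only the writes themselves can be trusted to enforce the buffer size.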

    SOLUTION
     It is recommended that all qt users upgrade their packages.
     
     IMPORTANT: all applications linked against libqt must be restarted
     after the upgrade in order to close the vulnerabilities.
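A check for the restart note above, added here and not part of Conectiva's tooling: replacing the library on disk does not replace the copy already mapped into a running process, so each process keeps the old code until it restarts. The script walks /proc/<pid>/maps for mappings of a libqt; the sample maps excerpt and the library path in it are constructed for the example (the path is an assumption, not a Conectiva file location).

```python
"""Find processes that still have a libqt mapped after the package upgrade.

Added check for the restart note in the advisory: replacing the library on
disk does not replace the copy already mapped into a running process, so
the vulnerable code stays live until that process restarts.  This is not
Conectiva's tooling, and the sample /proc/<pid>/maps text below is
constructed (the library path in it is an assumption, not a Conectiva path).
"""
import os


def mapped_libraries(maps_text, needle="libqt"):
    """Parse /proc/<pid>/maps text; return {path: replaced_on_disk}.

    A mapping whose file was unlinked after the process opened it (what an
    RPM upgrade does to the old .so) is shown by the kernel with a
    " (deleted)" suffix, the surest sign the process still runs old code.
    """
    found = {}
    for line in maps_text.splitlines():
        fields = line.split(None, 5)      # address perms offset dev inode [path]
        if len(fields) < 6:
            continue                      # anonymous mapping, no backing file
        path = fields[5].strip()
        deleted = path.endswith(" (deleted)")
        if deleted:
            path = path[: -len(" (deleted)")]
        if needle in os.path.basename(path):
            found[path] = found.get(path, False) or deleted
    return found


def processes_using(needle="libqt", proc="/proc"):
    """Scan live processes; returns {pid: {path: replaced_on_disk}}."""
    result = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "maps")) as fh:
                libs = mapped_libraries(fh.read(), needle)
        except OSError:                   # process went away, or not ours to read
            continue
        if libs:
            result[int(entry)] = libs
    return result


# Constructed maps excerpt: the old libqt was unlinked by the upgrade, libc was not.
SAMPLE_MAPS = """\
b7c3f000-b7d7a000 r-xp 00000000 03:05 131088     /usr/lib/qt3/lib/libqt-mt.so.3.2.3 (deleted)
b7d7a000-b7d88000 rw-p 0013a000 03:05 131088     /usr/lib/qt3/lib/libqt-mt.so.3.2.3 (deleted)
b7e00000-b7f10000 r-xp 00000000 03:05 12345      /lib/libc-2.3.2.so
b7f10000-b7f14000 rw-p 00000000 00:00 0
bfffe000-c0000000 rw-p 00000000 00:00 0          [stack]
"""

if __name__ == "__main__":
    for pid, libs in sorted(processes_using().items()):
        for path, stale in libs.items():
            note = "  (old copy, restart needed)" if stale else ""
            print("%6d  %s%s" % (pid, path, note))
```

Run it as root after `apt-get upgrade`; a process listed with the "(deleted)" marker is executing the pre-upgrade library regardless of what `rpm -q` reports for the package on disk.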
     
     
     REFERENCES
     1. http://www.qt.org
     2. http://marc.theaimsgroup.com/?l=bugtraq&m=109295309008309&w=2
     3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0691
     4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0692
     5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0693

    UPDATED PACKAGES
    ftp://atualizacoes.conectiva.com.br/10/SRPMS/qt3-3.2.3-55983U10_1cl.src.rpm
    ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-3.2.3-55983U10_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-assistant-lib-3.2.3-55983U10_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-database-plugin-mysql-3.2.3-55983U10_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-database-plugin-odbc-3.2.3-55983U10_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-database-plugin-pgsql-3.2.3-55983U10_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-designer-3.2.3-55983U10_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-designer-lib-3.2.3-55983U10_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-devel-3.2.3-55983U10_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-devel-static-3.2.3-55983U10_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-doc-3.2.3-55983U10_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-examples-3.2.3-55983U10_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-linguist-3.2.3-55983U10_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-tutorial-3.2.3-55983U10_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/9/SRPMS/qt3-3.1.1-27866U90_1cl.src.rpm
    ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-3.1.1-27866U90_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-assistant-lib-3.1.1-27866U90_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-database-plugin-mysql-3.1.1-27866U90_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-database-plugin-odbc-3.1.1-27866U90_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-database-plugin-pgsql-3.1.1-27866U90_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-designer-3.1.1-27866U90_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-designer-lib-3.1.1-27866U90_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-devel-3.1.1-27866U90_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-devel-static-3.1.1-27866U90_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-doc-3.1.1-27866U90_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-examples-3.1.1-27866U90_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-linguist-3.1.1-27866U90_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-tutorial-3.1.1-27866U90_1cl.i386.rpm

    ADDITIONAL INSTRUCTIONS
     The apt tool can be used to perform RPM package upgrades:

     - run: apt-get update
     - after that, execute: apt-get upgrade

     Detailed instructions regarding the use of apt and upgrade examples
     can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

    - -------------------------------------------------------------------------
    All packages are signed with Conectiva's GPG key. The key and instructions
    on how to import it can be found at
    http://distro.conectiva.com.br/seguranca/chave/?idioma=en
    Instructions on how to check the signatures of the RPM packages can be
    found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

    - -------------------------------------------------------------------------
    All our advisories and generic update instructions can be viewed at
    http://distro.conectiva.com.br/atualizacoes/?idioma=en

    - -------------------------------------------------------------------------
    Copyright (c) 2004 Conectiva Inc.
    http://www.conectiva.com

    - -------------------------------------------------------------------------
    subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
    unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQFBUYXE42jd0JmAcZARAtUDAKC9TfO0xsyVxgjIwcuQk0a36iZpDwCfTqKb
    +PK1D3jUXEGD3/BeF9LODks=
    =CjCU
    -----END PGP SIGNATURE-----

