Red Hat Linux Advisory: imlib

12
Red Hat: “Imlib versions prior to 1.9.13 would fall back to loading images via the NetPBM package, which has various problems making it unsuitable for loading untrusted images. Imlib 1.9.13 also fixes various problems in arguments passed to malloc(). These problems may allow attackers to construct images that, when loaded by a viewer using Imlib, could cause crashes or potentially the execution of arbitrary code.


---------------------------------------------------------------------
                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          New imlib packages available
Advisory ID:       RHSA-2002:048-14
Issue date:        2002-03-15
Updated on:        2002-05-16
Product:           Red Hat Linux
Keywords:          imlib netpbm untrusted image
Cross references:  
Obsoletes:         
---------------------------------------------------------------------

1. Topic:

Updated imlib packages are now available for Red Hat Linux 6.2, 7,
7.1 and 7.2 which fix potential problems loading untrusted images.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - alpha, i386, sparc

Red Hat Linux 7.0 - alpha, i386

Red Hat Linux 7.1 - alpha, i386, ia64

Red Hat Linux 7.2 - i386, ia64

3. Problem description:

Imlib versions prior to 1.9.13 would fall back to loading images
via the NetPBM package, which has various problems making it
unsuitable for loading untrusted images. Imlib 1.9.13 also fixes
various problems in arguments passed to malloc().

These problems may allow attackers to construct images that,
when loaded by a viewer using Imlib, could cause crashes 
or potentially the execution of arbitrary code.

Users are advised to upgrade to these errata packages, which
contain Imlib 1.9.13.

The Common Vulnerabilities and Exposures project (cve.mitre.org/) has
assigned the names CAN-2002-0167, CAN-2002-0168 to these issues.

[update May 16 2002]
The previous release of this errata fixed the aforementioned security
problems but had a file descriptor leak and a bug which would cause some
applications (such as the Enlightenment window manager) to hang. These
updated packages fix these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory only contains
the desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):



6. RPMs required:

Red Hat Linux 6.2:

SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/imlib-1.9.13-3.6.x.src.rpm

alpha:
ftp://updates.redhat.com/6.2/en/os/alpha/imlib-1.9.13-3.6.x.alpha.rpmftp://updates.redhat.com/6.2/en/os/alpha/imlib-cfgeditor-1.9.13-3.6.x.alpha.rpmftp://updates.redhat.com/6.2/en/os/alpha/imlib-devel-1.9.13-3.6.x.alpha.rpm

i386:
ftp://updates.redhat.com/6.2/en/os/i386/imlib-1.9.13-3.6.x.i386.rpmftp://updates.redhat.com/6.2/en/os/i386/imlib-cfgeditor-1.9.13-3.6.x.i386.rpmftp://updates.redhat.com/6.2/en/os/i386/imlib-devel-1.9.13-3.6.x.i386.rpm

sparc:
ftp://updates.redhat.com/6.2/en/os/sparc/imlib-1.9.13-3.6.x.sparc.rpmftp://updates.redhat.com/6.2/en/os/sparc/imlib-cfgeditor-1.9.13-3.6.x.sparc.rpmftp://updates.redhat.com/6.2/en/os/sparc/imlib-devel-1.9.13-3.6.x.sparc.rpm

Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/imlib-1.9.13-3.7.x.src.rpm

alpha:
ftp://updates.redhat.com/7.0/en/os/alpha/imlib-1.9.13-3.7.x.alpha.rpmftp://updates.redhat.com/7.0/en/os/alpha/imlib-cfgeditor-1.9.13-3.7.x.alpha.rpmftp://updates.redhat.com/7.0/en/os/alpha/imlib-devel-1.9.13-3.7.x.alpha.rpm

i386:
ftp://updates.redhat.com/7.0/en/os/i386/imlib-1.9.13-3.7.x.i386.rpmftp://updates.redhat.com/7.0/en/os/i386/imlib-cfgeditor-1.9.13-3.7.x.i386.rpmftp://updates.redhat.com/7.0/en/os/i386/imlib-devel-1.9.13-3.7.x.i386.rpm

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/imlib-1.9.13-3.7.x.src.rpm

alpha:
ftp://updates.redhat.com/7.1/en/os/alpha/imlib-1.9.13-3.7.x.alpha.rpmftp://updates.redhat.com/7.1/en/os/alpha/imlib-cfgeditor-1.9.13-3.7.x.alpha.rpmftp://updates.redhat.com/7.1/en/os/alpha/imlib-devel-1.9.13-3.7.x.alpha.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/imlib-1.9.13-3.7.x.i386.rpmftp://updates.redhat.com/7.1/en/os/i386/imlib-cfgeditor-1.9.13-3.7.x.i386.rpmftp://updates.redhat.com/7.1/en/os/i386/imlib-devel-1.9.13-3.7.x.i386.rpm

ia64:
ftp://updates.redhat.com/7.1/en/os/ia64/imlib-1.9.13-3.7.x.ia64.rpmftp://updates.redhat.com/7.1/en/os/ia64/imlib-cfgeditor-1.9.13-3.7.x.ia64.rpmftp://updates.redhat.com/7.1/en/os/ia64/imlib-devel-1.9.13-3.7.x.ia64.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/imlib-1.9.13-3.7.x.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/imlib-1.9.13-3.7.x.i386.rpmftp://updates.redhat.com/7.2/en/os/i386/imlib-cfgeditor-1.9.13-3.7.x.i386.rpmftp://updates.redhat.com/7.2/en/os/i386/imlib-devel-1.9.13-3.7.x.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/imlib-1.9.13-3.7.x.ia64.rpmftp://updates.redhat.com/7.2/en/os/ia64/imlib-cfgeditor-1.9.13-3.7.x.ia64.rpmftp://updates.redhat.com/7.2/en/os/ia64/imlib-devel-1.9.13-3.7.x.ia64.rpm



7. Verification:

MD5 sum                          Package Name
--------------------------------------------------------------------------
cef433f2ca3991ed5d1fcdb438875c87 6.2/en/os/SRPMS/imlib-1.9.13-3.6.x.src.rpm
6c81098c2bd8aecee5925b5c9563059e 6.2/en/os/alpha/imlib-1.9.13-3.6.x.alpha.rpm
ef708eefba53428a89b098918fc1f5c9 6.2/en/os/alpha/imlib-cfgeditor-1.9.13-3.6.x.alpha.rpm
8bd564b9ca3cb563cb91b215d06245e2 6.2/en/os/alpha/imlib-devel-1.9.13-3.6.x.alpha.rpm
00d2f77314756d322c38e41256d8f75a 6.2/en/os/i386/imlib-1.9.13-3.6.x.i386.rpm
56dc49765986868bedb48c63e03115bf 6.2/en/os/i386/imlib-cfgeditor-1.9.13-3.6.x.i386.rpm
502d88a9108b35b7ab5a5192695804cf 6.2/en/os/i386/imlib-devel-1.9.13-3.6.x.i386.rpm
5c0c100d96f3bf90c83e76c21e56578c 6.2/en/os/sparc/imlib-1.9.13-3.6.x.sparc.rpm
3dfe831694c5f86b811215415b4b4323 6.2/en/os/sparc/imlib-cfgeditor-1.9.13-3.6.x.sparc.rpm
6ac62d5fcfe5e0113b91926f6234752f 6.2/en/os/sparc/imlib-devel-1.9.13-3.6.x.sparc.rpm
9a9530aaa5147d4575a9e0dd44e06562 7.0/en/os/SRPMS/imlib-1.9.13-3.7.x.src.rpm
1e998967df3844a776ee3c807d1f1470 7.0/en/os/alpha/imlib-1.9.13-3.7.x.alpha.rpm
1c601a7c31b843a13fc0e62fa5a5b7c7 7.0/en/os/alpha/imlib-cfgeditor-1.9.13-3.7.x.alpha.rpm
ce5c342b5b634ab9396ad4cda5a6cbc5 7.0/en/os/alpha/imlib-devel-1.9.13-3.7.x.alpha.rpm
e9061205148e88c2c538063b2b37ecb5 7.0/en/os/i386/imlib-1.9.13-3.7.x.i386.rpm
0479502bf31bbc04591615665a1f5dc9 7.0/en/os/i386/imlib-cfgeditor-1.9.13-3.7.x.i386.rpm
bf3443746edff3b908233f832484f71d 7.0/en/os/i386/imlib-devel-1.9.13-3.7.x.i386.rpm
9a9530aaa5147d4575a9e0dd44e06562 7.1/en/os/SRPMS/imlib-1.9.13-3.7.x.src.rpm
1e998967df3844a776ee3c807d1f1470 7.1/en/os/alpha/imlib-1.9.13-3.7.x.alpha.rpm
1c601a7c31b843a13fc0e62fa5a5b7c7 7.1/en/os/alpha/imlib-cfgeditor-1.9.13-3.7.x.alpha.rpm
ce5c342b5b634ab9396ad4cda5a6cbc5 7.1/en/os/alpha/imlib-devel-1.9.13-3.7.x.alpha.rpm
e9061205148e88c2c538063b2b37ecb5 7.1/en/os/i386/imlib-1.9.13-3.7.x.i386.rpm
0479502bf31bbc04591615665a1f5dc9 7.1/en/os/i386/imlib-cfgeditor-1.9.13-3.7.x.i386.rpm
bf3443746edff3b908233f832484f71d 7.1/en/os/i386/imlib-devel-1.9.13-3.7.x.i386.rpm
d96b563627807679e21fb1c258d73c49 7.1/en/os/ia64/imlib-1.9.13-3.7.x.ia64.rpm
f3878855b0407210ab275aeda1190b3f 7.1/en/os/ia64/imlib-cfgeditor-1.9.13-3.7.x.ia64.rpm
a2cce110cf38d3385cad931cd727a34e 7.1/en/os/ia64/imlib-devel-1.9.13-3.7.x.ia64.rpm
9a9530aaa5147d4575a9e0dd44e06562 7.2/en/os/SRPMS/imlib-1.9.13-3.7.x.src.rpm
e9061205148e88c2c538063b2b37ecb5 7.2/en/os/i386/imlib-1.9.13-3.7.x.i386.rpm
0479502bf31bbc04591615665a1f5dc9 7.2/en/os/i386/imlib-cfgeditor-1.9.13-3.7.x.i386.rpm
bf3443746edff3b908233f832484f71d 7.2/en/os/i386/imlib-devel-1.9.13-3.7.x.i386.rpm
d96b563627807679e21fb1c258d73c49 7.2/en/os/ia64/imlib-1.9.13-3.7.x.ia64.rpm
f3878855b0407210ab275aeda1190b3f 7.2/en/os/ia64/imlib-cfgeditor-1.9.13-3.7.x.ia64.rpm
a2cce110cf38d3385cad931cd727a34e 7.2/en/os/ia64/imlib-devel-1.9.13-3.7.x.ia64.rpm
 

These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
    http://www.redhat.com/about/contact/pgpkey.html

You can verify each package with the following command:
    rpm --checksig  <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0167http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0168

The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name(s)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0167 CAN-2002-0168



Copyright(c) 2000, 2001, 2002 Red Hat, Inc.

Category:

  • Security