March 2005
Fedora - Four Update Notifications
ID: 00258
Ref: 237/05
Date: 31 March 2005:15:31:51
Version: 1
Title: Fedora - Four Update Notifications
Abstract:
Vendors affected: Fedora
Operating systems affected: Fedora
Applications affected: Fedora
Title
=====
Fedora - Four Update Notifications:
1. Fedora Core 3 Update: ImageMagick-6.2.0.7-2.fc3 [FEDORA-2005-235]
2. Fedora Core 3 Update: gdk-pixbuf-0.22.0-16.fc3 [FEDORA-2005-266]
3. Fedora Core 3 Update: gtk2-2.4.14-3.fc3 [FEDORA-2005-268]
4. Fedora Core 3 Update: telnet-0.17-32.FC3.2 [FEDORA-2005-274]
Detail
======
Update Notification summaries:
1. A format string bug was found in the way ImageMagick handles filenames.
Andrei Nigmatulin discovered a heap based buffer overflow flaw in the
ImageMagick image handler.
2. David Costanzo found a bug in the way gdk-pixbuf processes BMP images.
It is possible that a specially crafted BMP image could cause a denial
of service attack in applications linked against gdk-pixbuf.
3. David Costanzo found a bug in the way GTK+ processes BMP images.
It is possible that a specially crafted BMP image could cause a denial
of service attack in applications linked against GTK+.
4. Two buffer overflow flaws were discovered in the way the telnet client
handles messages from a server.
Update notification content follows:
1.
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-235
2005-03-30
---------------------------------------------------------------------
Product : Fedora Core 3
Name : ImageMagick
Version : 6.2.0.7
Release : 2.fc3
Summary : An X application for displaying and manipulating images.
Description :
ImageMagick(TM) is an image display and manipulation tool for the X
Window System. ImageMagick can read and write JPEG, TIFF, PNM, GIF,
and Photo CD image formats. It can resize, rotate, sharpen, color
reduce, or add special effects to an image, and when finished you can
either save the completed work in the original format or a different
one. ImageMagick also includes command line programs for creating
animated or transparent .gifs, creating composite images, creating
thumbnail images, and more.
ImageMagick is one of your choices if you need a program to manipulate
and display images. If you want to develop your own applications
which use ImageMagick code or APIs, you need to install
ImageMagick-devel as well.
---------------------------------------------------------------------
Update Information:
Andrei Nigmatulin discovered a heap based buffer overflow flaw in the
ImageMagick image handler. An attacker could create a carefully crafted
Photoshop Document (PSD) image in such a way that it would cause
ImageMagick to execute arbitrary code when processing the image. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2005-0005 to this issue.
A format string bug was found in the way ImageMagick handles filenames.
An attacker could execute arbitrary code on a victim's machine if they
are able to trick the victim into opening a file with a specially
crafted name. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-0397 to this issue.
---------------------------------------------------------------------
* Wed Mar 16 2005 - 6.2.0.7-2.fc3
- Update to 6.2.0 to fix a number of security issues:
- Drop a lot of upstreamed patches
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------
--
fedora-announce-list mailing list
fedora-announce-list@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-announce-list
2.
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-266
2005-03-30
---------------------------------------------------------------------
Product : Fedora Core 3
Name : gdk-pixbuf
Version : 0.22.0
Release : 16.fc3
Summary : An image loading library used with GNOME.
Description :
The gdk-pixbuf package contains an image loading library used with the
GNOME GUI desktop environment. The GdkPixBuf library provides image
loading facilities, the rendering of a GdkPixBuf into various formats
(drawables or GdkRGB buffers), and a cache interface.
---------------------------------------------------------------------
Update Information:
David Costanzo found a bug in the way gdk-pixbuf processes BMP images.
It is possible that a specially crafted BMP image could cause a denial
of service attack in applications linked against gdk-pixbuf.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2005-0891 to this issue.
---------------------------------------------------------------------
* Mon Mar 28 2005 Matthias Clasen - 1:0.22.0-16.fc3
- Fix a double free in the bmp loader
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------
3.
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-268
2005-03-30
---------------------------------------------------------------------
Product : Fedora Core 3
Name : gtk2
Version : 2.4.14
Release : 3.fc3
Summary : The GIMP ToolKit (GTK+), a library for creating GUIs for
X.
Description :
GTK+ is a multi-platform toolkit for creating graphical user
interfaces. Offering a complete set of widgets, GTK+ is suitable for
projects ranging from small one-off tools to complete application
suites.
---------------------------------------------------------------------
Update Information:
David Costanzo found a bug in the way GTK+ processes BMP images.
It is possible that a specially crafted BMP image could cause a denial
of service attack in applications linked against GTK+.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2005-0891 to this issue.
---------------------------------------------------------------------
* Mon Mar 28 2005 Matthias Clasen - 2.4.14-3.fc3
- Fix a double free in the bmp loader
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------
4.
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-274
2005-03-30
---------------------------------------------------------------------
Product : Fedora Core 3
Name : telnet
Version : 0.17
Release : 32.FC3.2
Summary : The client program for the telnet remote login protocol.
Description :
Telnet is a popular protocol for logging into remote systems over the
Internet. The telnet package provides a command line telnet client.
---------------------------------------------------------------------
Update Information:
Two buffer overflow flaws were discovered in the way the telnet client
handles messages from a server. An attacker may be able to execute
arbitrary code on a victim's machine if the victim can be tricked into
connecting to a malicious telnet server. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the names CAN-2005-0468
and CAN-2005-0469 to these issues.
Red Hat would like to thank iDEFENSE for their responsible disclosure of
this issue.
---------------------------------------------------------------------
* Thu Mar 17 2005 Harald Hoyer - 1:0.17-32.FC3.2
- fixed CAN-2005-468 and CAN-2005-469
* Thu Jan 13 2005 Jason Vas Dias - 1:0.17-31
- bug 143929 / 145004 : fix race condition in telnetd on wtmp lock
- when cleanup() is entered from main process and in signal
- handler
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------
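A check an administrator could run against this bulletin, added here as an example and not part of the Fedora notifications: it compares an RPM inventory with the four fixed builds named above. The inventory is constructed sample data in the format printed by `rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n'`, and the ordering is a simplified form of RPM's version comparison (no `~` or `^` handling).

```python
import re

# Fixed builds from the notifications above; epoch 1 comes from the changelog lines.
FIXED = {
    "ImageMagick": (0, "6.2.0.7", "2.fc3"),
    "gdk-pixbuf": (1, "0.22.0", "16.fc3"),
    "gtk2": (0, "2.4.14", "3.fc3"),
    "telnet": (1, "0.17", "32.FC3.2"),
}

# Constructed sample inventory (not real host data): NAME EPOCH VERSION RELEASE.
# rpm prints "(none)" when a package has no epoch.
SAMPLE = """\
ImageMagick (none) 6.0.7.1 6
gdk-pixbuf 1 0.22.0 16.fc3
gtk2 (none) 2.4.14 2.fc3
telnet 1 0.17 31
bash (none) 3.0 17
"""

def rpmvercmp(a, b):
    """Simplified RPM ordering of two version strings: -1, 0 or 1."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():  # a numeric segment beats an alphabetic one
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segments mean newer

def evr_cmp(a, b):
    """Compare (epoch, version, release) tuples; the epoch dominates."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])

def audit(inventory):
    """Map each tracked package found in the inventory to its status."""
    status = {}
    for line in inventory.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] not in FIXED:
            continue  # untracked package or malformed line
        name, epoch, version, release = parts
        installed = (0 if epoch == "(none)" else int(epoch), version, release)
        fixed = evr_cmp(installed, FIXED[name]) >= 0
        status[name] = "patched" if fixed else "needs update"
    return status
```

Calling `audit(SAMPLE)` reports gdk-pixbuf as patched and the other three tracked packages as needing the update; bash is ignored because the bulletin does not cover it.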