From security@linux-mandrake.com Thu Apr 25 23:43:36 2002 From: Mandrake Linux Security Team To: bugtraq@securityfocus.com Date: 25 Apr 2002 22:25:17 -0000 Subject: MDKSA-2002:029 - imlib update -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ________________________________________________________________________ Mandrake Linux Security Update Advisory ________________________________________________________________________ Package name: imlib Advisory ID: MDKSA-2002:028 Date: April 25th, 2002 Affected versions: 7.1, 7.2, 8.0, 8.1, 8.2, Corporate Server 1.0.1 ________________________________________________________________________ Problem Description: Previous versions of imlib, prior to 1.9.13, would fall back to the NetPBM library which is not suitable for loading untrusted images due to various problem in it's code. The new imlib also fixes some problems with arguments passed to malloc(). These problems could allow attackers to construct images that could cause crashes or, potentially, the execution of arbitrary code when said images are loaded by a viewer that uses imlib. Thanks to Alan Cox and Al Viro for discovering the problems. ________________________________________________________________________ References: http://online.securityfocus.com/bid/4336 http://online.securityfocus.com/bid/4339 ________________________________________________________________________ Updated Packages: Linux-Mandrake 7.1: fe82fcada2f3d71a562b0551594192ac 7.1/RPMS/imlib-1.9.13-2.5mdk.i586.rpm a4aa27f231f94ea586c71f538af32f04 7.1/RPMS/imlib-cfgeditor-1.9.13-2.5mdk.i586.rpm f195bf7954cd7efe2617fba434a8ed93 7.1/RPMS/imlib-devel-1.9.13-2.5mdk.i586.rpm b052c14ed00cc28096a92f9070d3e096 7.1/SRPMS/imlib-1.9.13-2.5mdk.src.rpm Linux-Mandrake 7.2: 4e7046816f14ea82116bbc1afb9b59e2 7.2/RPMS/imlib-1.9.13-2.4mdk.i586.rpm 376d6333b6ec112499240c8d0f13fb36 7.2/RPMS/imlib-cfgeditor-1.9.13-2.4mdk.i586.rpm 3535da52444176f3cb3f1ef42bce8d72 7.2/RPMS/imlib-devel-1.9.13-2.4mdk.i586.rpm 858f5bd0f2612c370b89aa35b22845f0 7.2/SRPMS/imlib-1.9.13-2.4mdk.src.rpm Mandrake Linux 8.0: 6214439510523b121714230529ddcc99 8.0/RPMS/imlib-1.9.13-2.3mdk.i586.rpm 4435d0efbcf6f7284b865c11c2a085f0 8.0/RPMS/imlib-cfgeditor-1.9.13-2.3mdk.i586.rpm c62d8f27629120f6ee63890fb50382f9 8.0/RPMS/libimlib1-1.9.13-2.3mdk.i586.rpm 1de239cf58fa591b2fbf41464162b911 8.0/RPMS/libimlib1-devel-1.9.13-2.3mdk.i586.rpm f3f793d3bd22fe535ec42bae82d005f3 8.0/SRPMS/imlib-1.9.13-2.3mdk.src.rpm Mandrake Linux 8.0/ppc: bdd699794efd03798ade44013e7dd81a ppc/8.0/RPMS/imlib-1.9.13-2.3mdk.ppc.rpm 4244d7f2f5c5d201a8f2528fad06e19f ppc/8.0/RPMS/imlib-cfgeditor-1.9.13-2.3mdk.ppc.rpm 444762d5d1e1efe4f04d7f3935c3f90f ppc/8.0/RPMS/libimlib1-1.9.13-2.3mdk.ppc.rpm d01d60692e89c6548921e5e45df24b45 ppc/8.0/RPMS/libimlib1-devel-1.9.13-2.3mdk.ppc.rpm f3f793d3bd22fe535ec42bae82d005f3 ppc/8.0/SRPMS/imlib-1.9.13-2.3mdk.src.rpm Mandrake Linux 8.1: d6c94b82b7b1e58cb0563bb660fc1ea2 8.1/RPMS/imlib-1.9.13-2.2mdk.i586.rpm b07e7add5625ab037b6280fe7bbc699f 8.1/RPMS/imlib-cfgeditor-1.9.13-2.2mdk.i586.rpm 14fd63429b7ec31cc5c9b11698999624 8.1/RPMS/libimlib1-1.9.13-2.2mdk.i586.rpm 077f49ab8ba83c7c05211a04426d43b3 8.1/RPMS/libimlib1-devel-1.9.13-2.2mdk.i586.rpm 28d2e4164472fea78ed47ccb9b50f9d2 8.1/SRPMS/imlib-1.9.13-2.2mdk.src.rpm Mandrake Linux 8.1/ia64: 54161570f5b4ee991a31782405f580a1 ia64/8.1/RPMS/imlib-1.9.13-2.2mdk.ia64.rpm bfe7a2b9eb4420f60cd8a8545e3ef34c ia64/8.1/RPMS/imlib-cfgeditor-1.9.13-2.2mdk.ia64.rpm 64d932435e1ac3f53ec8adede7a96824 ia64/8.1/RPMS/libimlib1-1.9.13-2.2mdk.ia64.rpm 163d8b38a5a46094d5c903c5c2cd8590 ia64/8.1/RPMS/libimlib1-devel-1.9.13-2.2mdk.ia64.rpm 28d2e4164472fea78ed47ccb9b50f9d2 ia64/8.1/SRPMS/imlib-1.9.13-2.2mdk.src.rpm Mandrake Linux 8.2: 144d8deeea93b0eb3e4566733093d8e8 8.2/RPMS/imlib-1.9.13-2.1mdk.i586.rpm 6f032201e345f1afadcf0c6485bdaeb9 8.2/RPMS/imlib-cfgeditor-1.9.13-2.1mdk.i586.rpm 49ca7d2fae68f8df49c23df9db50f71c 8.2/RPMS/libimlib1-1.9.13-2.1mdk.i586.rpm 08820637df4ac6747d925a031b82e226 8.2/RPMS/libimlib1-devel-1.9.13-2.1mdk.i586.rpm 74ae164faf005e3f0ee66d9361640b5b 8.2/SRPMS/imlib-1.9.13-2.1mdk.src.rpm Mandrake Linux 8.2/ppc: 3f5b3afe7447721b62cc9672ca4ce7ec ppc/8.2/RPMS/imlib-1.9.13-2.1mdk.ppc.rpm ac29822651c1a9be78456a683b7a6c2d ppc/8.2/RPMS/imlib-cfgeditor-1.9.13-2.1mdk.ppc.rpm b0e6e0e4740e527dba83fe8f455c4f29 ppc/8.2/RPMS/libimlib1-1.9.13-2.1mdk.ppc.rpm ea3af5a8bf76b78be7fd9d54d0c49db7 ppc/8.2/RPMS/libimlib1-devel-1.9.13-2.1mdk.ppc.rpm 74ae164faf005e3f0ee66d9361640b5b ppc/8.2/SRPMS/imlib-1.9.13-2.1mdk.src.rpm Corporate Server 1.0.1: fe82fcada2f3d71a562b0551594192ac 1.0.1/RPMS/imlib-1.9.13-2.5mdk.i586.rpm a4aa27f231f94ea586c71f538af32f04 1.0.1/RPMS/imlib-cfgeditor-1.9.13-2.5mdk.i586.rpm f195bf7954cd7efe2617fba434a8ed93 1.0.1/RPMS/imlib-devel-1.9.13-2.5mdk.i586.rpm b052c14ed00cc28096a92f9070d3e096 1.0.1/SRPMS/imlib-1.9.13-2.5mdk.src.rpm ________________________________________________________________________ Bug IDs fixed (see https://qa.mandrakesoft.com for more information): ________________________________________________________________________ To upgrade automatically, use MandrakeUpdate. The verification of md5 checksums and GPG signatures is performed automatically for you. If you want to upgrade manually, download the updated package from one of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm". A list of FTP mirrors can be obtained from: http://www.mandrakesecure.net/en/ftp.php Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command: rpm --checksig All packages are signed by MandrakeSoft for security. You can obtain the GPG public key of the Mandrake Linux Security Team from: https://www.mandrakesecure.net/RPM-GPG-KEYS Please be aware that sometimes it takes the mirrors a few hours to update. You can view other update advisories for Mandrake Linux at: http://www.mandrakesecure.net/en/advisories/ MandrakeSoft has several security-related mailing list services that anyone can subscribe to. Information on these lists can be obtained by visiting: http://www.mandrakesecure.net/en/mlist.php If you want to report vulnerabilities, please contact security@linux-mandrake.com ________________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.5 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDlp594RBAC2tDozI3ZgQsE7XwxurJCJrX0L5vx7SDByR5GHDdWekGhdiday L4nfUax+SeR9SCoCgTgPW1xB8vtQc8/sinJlMjp9197a2iKM0FOcPlkpa3HcOdt7 WKJqQhlMrHvRcsivzcgqjH44GBBJIT6sygUF8k0lU6YnMHj5MPc/NGWt8wCg9vKo P0l5QVAFSsHtqcU9W8cc7wMEAJzQsAlnvPXDBfBLEH6u7ptWFdp0GvbSuG2wRaPl hynHvRiE01ZvwbJZXsPsKm1z7uVoW+NknKLunWKB5axrNXDHxCYJBzY3jTeFjsqx PFZkIEAQphLTkeXXelAjQ5u9tEshPswEtMvJvUgNiAfbzHfPYmq8D6x5xOw1IySg 2e/LBACxr2UJYCCB2BZ3p508mAB0RpuLGukq+7UWiOizy+kSskIBg2O7sQkVY/Cs iyGEo4XvXqZFMY39RBdfm2GY+WB/5NFiTOYJRKjfprP6K1YbtsmctsX8dG+foKsD LLFs7OuVfaydLQYp1iiN6D+LJDSMPM8/LCWzZsgr9EKJ8NXiyrQ6TGludXggTWFu ZHJha2UgU2VjdXJpdHkgVGVhbSA8c2VjdXJpdHlAbGludXgtbWFuZHJha2UuY29t PohWBBMRAgAWBQI5aefeBAsKBAMDFQMCAxYCAQIXgAAKCRCaqNDQIkWKmK6LAKCy /NInDsaMSI+WHwrquwC5PZrcnQCeI+v3gUDsNfQfiKBvQSANu1hdulqIRgQQEQIA BgUCOtNVGQAKCRBZ5w3um0pAJJWQAKDUoL5He+mKbfrMaTuyU5lmRyJ0fwCgoFAP WdvQlu/kFjphF740XeOwtOqIRgQQEQIABgUCOu8A6QAKCRBynDnb9lq3CnpjAJ4w Pk0SEE9U4r40IxWpwLU+wrWVugCdFfSPllPpZRCiaC7HwbFcfExRmPa5AQ0EOWnn 7xAEAOQlTVY4TiNo5V/iP0J1xnqjqlqZsU7yEBKo/gZz6/+hx75RURe1ebiJ9F77 9FQbpJ9Epz1KLSXvq974rnVb813zuGdmgFyk+ryA/rTR2RQ8h+EoNkwmATzRxBXV Jb57fFQjxOu4eNjZAtfII/YXb0uyXXrdr5dlJ/3eXrcO4p0XAAMFBACCxo6Z269s +A4v8C6Ui12aarOQcCDlV8cVG9LkyatU3FNTlnasqwo6EkaP572448weJWwN6SCX Vl+xOYLiK0hL/6Jb/O9Agw75yUVdk+RMM2I4fNEi+y4hmfMh2siBv8yEkEvZjTcl 3TpkTfzYky85tu433wmKaLFOv0WjBFSikohGBBgRAgAGBQI5aefvAAoJEJqo0NAi RYqYid0AoJgeWzXrEdIClBOSW5Q6FzqJJyaqAKC0Y9YI3UFlE4zSIGjcFlLJEJGX lA== =0ahQ - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8yIJNmqjQ0CJFipgRAgSrAJ47oRGNOYuCLj0ushwJ/ugRfnG6AgCfZaEK tVQVZDfpnRdMD4de9MMxoBE= =CtWm -----END PGP SIGNATURE-----