From marcdeslauriers@videotron.ca Mon Jan 9 20:29:37 2006 From: Marc Deslauriers To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk Date: Mon, 09 Jan 2006 20:31:35 -0500 Subject: [Full-disclosure] [FLSA-2006:152803] Updated lesstif packages fix security issues --------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated lesstif packages fix security issues Advisory ID: FLSA:152803 Issue date: 2006-01-09 Product: Red Hat Linux, Fedora Core Keywords: Bugfix CVE Names: CVE-2004-0687 CVE-2004-0688 CVE-2004-0914 CVE-2005-0605 --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Topic: Updated lesstif packages that fix flaws in the Xpm image library are now available. lesstif is a free replacement for OSF/Motif(R), which provides a full set of widgets for application development. 2. Relevant releases/architectures: Red Hat Linux 7.3 - i386 Red Hat Linux 9 - i386 Fedora Core 1 - i386 Fedora Core 2 - i386 3. Problem description: During a source code audit, Chris Evans and others discovered several stack overflow flaws and an integer overflow flaw in the libXpm library used to decode XPM (X PixMap) images. A vulnerable version of this library was found within LessTif. An attacker could create a carefully crafted XPM file which would cause an application to crash or potentially execute arbitrary code if opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0687, CVE-2004-0688, and CVE-2004-0914 to these issues. An integer overflow flaw was found in libXpm; a vulnerable version of this library is found within LessTif. An attacker could create a malicious XPM file that would execute arbitrary code if opened by a victim using an application linked to LessTif. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0605 to this issue. Users of lesstif are advised to upgrade to these errata packages, which contain backported security patches correcting these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152803 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135081 6. RPMs required: Red Hat Linux 7.3: SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/lesstif-0.93.18-2.3.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/lesstif-0.93.18-2.3.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/lesstif-devel-0.93.18-2.3.legacy.i386.rpm Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/lesstif-0.93.36-3.3.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/lesstif-0.93.36-3.3.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/lesstif-devel-0.93.36-3.3.legacy.i386.rpm Fedora Core 1: SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/lesstif-0.93.36-4.3.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/1/updates/i386/lesstif-0.93.36-4.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/lesstif-devel-0.93.36-4.3.legacy.i386.rpm Fedora Core 2: SRPM: http://download.fedoralegacy.org/fedora/2/updates/SRPMS/lesstif-0.93.36-5.3.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/2/updates/i386/lesstif-0.93.36-5.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/lesstif-devel-0.93.36-5.3.legacy.i386.rpm 7. Verification: SHA1 sum Package Name --------------------------------------------------------------------- 83e9647ade78338b07abdb618f5d88b0ed12b46b redhat/7.3/updates/i386/lesstif-0.93.18-2.3.legacy.i386.rpm c9dcedad7c1576504e12340753b391181d613714 redhat/7.3/updates/i386/lesstif-devel-0.93.18-2.3.legacy.i386.rpm 649a15edc64e3847238eb252be93db1583baa1cc redhat/7.3/updates/SRPMS/lesstif-0.93.18-2.3.legacy.src.rpm a4a8e6e888234cb0751800c181430db4c7b524e6 redhat/9/updates/i386/lesstif-0.93.36-3.3.legacy.i386.rpm 0804ad3304bf12be7f1ab71a463e980f4ea17975 redhat/9/updates/i386/lesstif-devel-0.93.36-3.3.legacy.i386.rpm 51459c1f41f08654e13b4f22bb76082ed04bbbde redhat/9/updates/SRPMS/lesstif-0.93.36-3.3.legacy.src.rpm 9d8c60a5d5fd55081cd0e7f4ac9c349393c851c8 fedora/1/updates/i386/lesstif-0.93.36-4.3.legacy.i386.rpm 7453bc2247080a99da8cb3aba8adb768191fa30f fedora/1/updates/i386/lesstif-devel-0.93.36-4.3.legacy.i386.rpm 0131e9cd6d912798c1ad0b45a0195fc9b3e6cfe3 fedora/1/updates/SRPMS/lesstif-0.93.36-4.3.legacy.src.rpm 00c8b8ed1cc28659d23e3a786ee12b0bfa1eb10d fedora/2/updates/i386/lesstif-0.93.36-5.3.legacy.i386.rpm 051563d1c29930fc45f3184ff9abbcf92daf1b74 fedora/2/updates/i386/lesstif-devel-0.93.36-5.3.legacy.i386.rpm 2bb39e060197d2bed2f9e7448b9a6e68c72555f5 fedora/2/updates/SRPMS/lesstif-0.93.36-5.3.legacy.src.rpm These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0687 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0688 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0914 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0605 9. Contact: The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org --------------------------------------------------------------------- [ Part 1.2, "OpenPGP digital signature" Application/PGP-SIGNATURE ] [ 196bytes. ] [ Unable to print this part. ] [ Part 2: "Attached Text" ] _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/