From security@mandriva.com Wed Aug 10 15:23:07 2005 From: Mandriva Security Team To: full-disclosure@lists.grok.org.uk Date: Wed, 10 Aug 2005 13:18:39 -0600 Subject: [Full-disclosure] MDKSA-2005:133 - Updated netpbm packages fix temporary file vulnerabilities -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Update Advisory _______________________________________________________________________ Package name: netpbm Advisory ID: MDKSA-2005:133 Date: August 9th, 2005 Affected versions: 10.0, 10.1, 10.2, Corporate 3.0, Corporate Server 2.1 ______________________________________________________________________ Problem Description: Max Vozeler discovered that pstopnm, a part of the netpbm graphics utility suite, would call the GhostScript interpreter on untrusted PostScript files without using the -dSAFER option when converting a PostScript file into a PBM, PGM, or PNM file. This could result in the execution of arbitrary commands with the privileges of the user running pstopnm if they could be convinced to try to convert a malicious PostScript file. The updated packages have been patched to correct this problem. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2471 http://secunia.com/advisories/16184/ ______________________________________________________________________ Updated Packages: Mandrakelinux 10.0: 7bb710a56342cc78170bb74b37f512b0 10.0/RPMS/libnetpbm9-9.24-8.2.100mdk.i586.rpm 7f820a3e8fcfaa705c0164cfd1b7a5c0 10.0/RPMS/libnetpbm9-devel-9.24-8.2.100mdk.i586.rpm 3de55337645f009ed8e951b3e97b9507 10.0/RPMS/libnetpbm9-static-devel-9.24-8.2.100mdk.i586.rpm d32febe43b6b19ca7a3189b41de6d53c 10.0/RPMS/netpbm-9.24-8.2.100mdk.i586.rpm 7d2bdf5636955adc39bfe13c4c581858 10.0/SRPMS/netpbm-9.24-8.2.100mdk.src.rpm Mandrakelinux 10.0/AMD64: 04a7546fef5edfa604cdfd1e3dff1bc2 amd64/10.0/RPMS/lib64netpbm9-9.24-8.2.100mdk.amd64.rpm f89f7f330ecb8dd8e9a536afdcfb56f0 amd64/10.0/RPMS/lib64netpbm9-devel-9.24-8.2.100mdk.amd64.rpm 0401393af2d5b3a933b487a1e00e3e43 amd64/10.0/RPMS/lib64netpbm9-static-devel-9.24-8.2.100mdk.amd64.rpm 2400c52abc020a3ac9883bc02dc77f36 amd64/10.0/RPMS/netpbm-9.24-8.2.100mdk.amd64.rpm 7d2bdf5636955adc39bfe13c4c581858 amd64/10.0/SRPMS/netpbm-9.24-8.2.100mdk.src.rpm Mandrakelinux 10.1: 0c7ca6675e4a1502dc450d8b31076753 10.1/RPMS/libnetpbm9-9.24-8.1.101mdk.i586.rpm ac327d0433d6c672e382a2c1f4dc8667 10.1/RPMS/libnetpbm9-devel-9.24-8.1.101mdk.i586.rpm dee01cf52709fbbc65f3a0c21d4573d9 10.1/RPMS/libnetpbm9-static-devel-9.24-8.1.101mdk.i586.rpm 6c9bedecf233accd53f123f3c2a26aec 10.1/RPMS/netpbm-9.24-8.1.101mdk.i586.rpm 8722f08f1813fb796d7b5fa8576f6045 10.1/SRPMS/netpbm-9.24-8.1.101mdk.src.rpm Mandrakelinux 10.1/X86_64: 9b99ec325088181a931983f622c7649f x86_64/10.1/RPMS/lib64netpbm9-9.24-8.1.101mdk.x86_64.rpm 119d4f558fddb4bafee84dc5da3f0c8a x86_64/10.1/RPMS/lib64netpbm9-devel-9.24-8.1.101mdk.x86_64.rpm 13e9911031dc3d8b23da2157451f89a8 x86_64/10.1/RPMS/lib64netpbm9-static-devel-9.24-8.1.101mdk.x86_64.rpm 6637e848b29abe54142155f66ac79fb9 x86_64/10.1/RPMS/netpbm-9.24-8.1.101mdk.x86_64.rpm 8722f08f1813fb796d7b5fa8576f6045 x86_64/10.1/SRPMS/netpbm-9.24-8.1.101mdk.src.rpm Mandrakelinux 10.2: 4db608229fad2d6014ea506ad775e9f8 10.2/RPMS/libnetpbm10-10.26-2.1.102mdk.i586.rpm 4fd7e7857c692209d4c94a8a5ebe84cc 10.2/RPMS/libnetpbm10-devel-10.26-2.1.102mdk.i586.rpm 4521de30a4e9ee995200ae0c1443132b 10.2/RPMS/libnetpbm10-static-devel-10.26-2.1.102mdk.i586.rpm a3b5efc89e18489ef2cd181b20a1dc1b 10.2/RPMS/netpbm-10.26-2.1.102mdk.i586.rpm 52d2d1a460d07b33fbe7f6204d1cf51f 10.2/SRPMS/netpbm-10.26-2.1.102mdk.src.rpm Mandrakelinux 10.2/X86_64: 37912f8c31bd31b979bfdb69ad357837 x86_64/10.2/RPMS/lib64netpbm10-10.26-2.1.102mdk.x86_64.rpm 928a397b673e96ed0fecdd62878aef84 x86_64/10.2/RPMS/lib64netpbm10-devel-10.26-2.1.102mdk.x86_64.rpm b74c96495461b1406af317e91932500e x86_64/10.2/RPMS/lib64netpbm10-static-devel-10.26-2.1.102mdk.x86_64.rpm 30ae5cd7a9e65594e30cf876f352fda6 x86_64/10.2/RPMS/netpbm-10.26-2.1.102mdk.x86_64.rpm 52d2d1a460d07b33fbe7f6204d1cf51f x86_64/10.2/SRPMS/netpbm-10.26-2.1.102mdk.src.rpm Corporate Server 2.1: f42bccdec9b6f8a432191730b85d186c corporate/2.1/RPMS/libnetpbm9-9.24-4.4.C21mdk.i586.rpm 3e877555a0533572d788a4d47694bccd corporate/2.1/RPMS/libnetpbm9-devel-9.24-4.4.C21mdk.i586.rpm 57dcadc0b0d94243894bccdaf17acf8a corporate/2.1/RPMS/libnetpbm9-static-devel-9.24-4.4.C21mdk.i586.rpm 1fa1e01964db5302ddc773c2be67ca6b corporate/2.1/RPMS/netpbm-9.24-4.4.C21mdk.i586.rpm 511aeb9ce3bdb6429e8a8ce06b873b6b corporate/2.1/SRPMS/netpbm-9.24-4.4.C21mdk.src.rpm Corporate Server 2.1/X86_64: 6dfd39d7a3b0db15b273b2b7b7db01c4 x86_64/corporate/2.1/RPMS/libnetpbm9-9.24-4.4.C21mdk.x86_64.rpm 50c24455f7b43e1f7fe7581a12655c39 x86_64/corporate/2.1/RPMS/libnetpbm9-devel-9.24-4.4.C21mdk.x86_64.rpm b947dcdb4226298cb90c644cce9dbd4c x86_64/corporate/2.1/RPMS/libnetpbm9-static-devel-9.24-4.4.C21mdk.x86_64.rpm e1ace7d529c4adc3cc4e64d116467e0b x86_64/corporate/2.1/RPMS/netpbm-9.24-4.4.C21mdk.x86_64.rpm 511aeb9ce3bdb6429e8a8ce06b873b6b x86_64/corporate/2.1/SRPMS/netpbm-9.24-4.4.C21mdk.src.rpm Corporate 3.0: b086f97cc2bad2023fd2446135e00def corporate/3.0/RPMS/libnetpbm9-9.24-8.2.C30mdk.i586.rpm 768f2b273391c3cb4d39790ac91b40c4 corporate/3.0/RPMS/libnetpbm9-devel-9.24-8.2.C30mdk.i586.rpm 7f6eb96aef5065be7370f1954b252dee corporate/3.0/RPMS/libnetpbm9-static-devel-9.24-8.2.C30mdk.i586.rpm 1b2c5cb64efceac8a39d1d84aa362f2d corporate/3.0/RPMS/netpbm-9.24-8.2.C30mdk.i586.rpm 435e2548bed0da6bc4519910e3bae83f corporate/3.0/SRPMS/netpbm-9.24-8.2.C30mdk.src.rpm Corporate 3.0/X86_64: c6fcd7a90094eeae7e67ee56d71d3e22 x86_64/corporate/3.0/RPMS/lib64netpbm9-9.24-8.2.C30mdk.x86_64.rpm a8d06987e1aacb0c9ab174082bc024a0 x86_64/corporate/3.0/RPMS/lib64netpbm9-devel-9.24-8.2.C30mdk.x86_64.rpm 2653e371af14609096eb2ed9ef7e5963 x86_64/corporate/3.0/RPMS/lib64netpbm9-static-devel-9.24-8.2.C30mdk.x86_64.rpm 7b93e604b00f197a77e49fe94a3cd612 x86_64/corporate/3.0/RPMS/netpbm-9.24-8.2.C30mdk.x86_64.rpm 435e2548bed0da6bc4519910e3bae83f x86_64/corporate/3.0/SRPMS/netpbm-9.24-8.2.C30mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFC+lMPmqjQ0CJFipgRAkreAJ4kAZA+Mh+k65v3cr5ZUpDVun4QYwCdF6NJ ooCqglOMXw6xMoN8W8h8m9g= =tJMw -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/