From security@mandriva.com Wed Nov 9 20:03:53 2005
From: Mandriva Security Team
To: full-disclosure@lists.grok.org.uk
Date: Wed, 09 Nov 2005 18:02:00 -0700
Subject: [Full-disclosure] MDKSA-2005:207 - Updated libungif packages fix various vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDKSA-2005:207
http://www.mandriva.com/security/
_______________________________________________________________________

Package : libungif
Date    : November 9, 2005
Affected: 10.1, 10.2, 2006.0, Corporate 2.1, Corporate 3.0
_______________________________________________________________________

Problem Description:

Several bugs have been discovered in the way libungif decodes GIF
images. These allow an attacker to create a carefully crafted GIF
image file in such a way that it could cause applications linked
with libungif to crash or execute arbitrary code when the file is
opened by the user.

The updated packages have been patched to address this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2974
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3350
_______________________________________________________________________

Updated Packages:
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDcnHamqjQ0CJFipgRAjz+AJ0fjnANDCTPTdvfQWok+vQpdTkpcQCeN4fk
nIl7CpNguWyFcs8x8vqGGJA=
=0sZZ
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/