lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-id: <E1IJdGE-0006hr-4g@artemis.annvix.ca>
Date: Fri, 10 Aug 2007 16:47:14 -0600
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDKSA-2007:156 ] - Updated imlib2 packages fix several issues


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2007:156
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : imlib2
 Date    : August 10, 2007
 Affected: 2007.1
 _______________________________________________________________________
 
 Problem Description:
 
 M Joonas Pihlaja discovered several vulnerabilities in the Imlib2
 graphics library.
 
 The load() function of several of the Imlib2 image loaders does not
 check the width and height of an image before allocating memory. As
 a result, a carefully crafted image file can trigger a segfault when
 an application using Imlib2 attempts to view the image. (CVE-2006-4806)
 
 The tga loader fails to bounds check input data to make sure the
 input data doesn load outside the memory mapped region. (CVE-2006-4807)
 
 The RLE decoding loops of the load() function in the tga loader does
 not check that the count byte of an RLE packet doesn cause a heap
 overflow of the pixel buffer. (CVE-2006-4808)
 
 The load() function of the pnm loader writes arbitrary length user
 data into a fixed size stack allocated buffer buf[] without bounds
 checking. (CVE-2006-4809)
 
 Updated packages have been patched to prevent these issues.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4806
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4807
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4808
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4809
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 2007.1:
 93fb0190586a7d3cea1fdebd2f64fd9d  2007.1/i586/imlib2-data-1.2.2-3.1mdv2007.1.i586.rpm
 31eeeba69830afe5c38d8109636d6c69  2007.1/i586/libimlib2_1-1.2.2-3.1mdv2007.1.i586.rpm
 d2d8be16f67dde3b7f504749bf9c890c  2007.1/i586/libimlib2_1-devel-1.2.2-3.1mdv2007.1.i586.rpm
 a3ea749502e4182b4395fc69d8930b62  2007.1/i586/libimlib2_1-filters-1.2.2-3.1mdv2007.1.i586.rpm
 5875424ff95bba848d26994445c26072  2007.1/i586/libimlib2_1-loaders-1.2.2-3.1mdv2007.1.i586.rpm 
 16807bb6a2de35737fc362f88d525fa4  2007.1/SRPMS/imlib2-1.2.2-3.1mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 f5bcf12f3d6f900643bf8e4f73a365bf  2007.1/x86_64/imlib2-data-1.2.2-3.1mdv2007.1.x86_64.rpm
 9ed2f086037513d7da5433e93846df70  2007.1/x86_64/lib64imlib2_1-1.2.2-3.1mdv2007.1.x86_64.rpm
 e178a706ae10d9f5cd3b727cd105eaae  2007.1/x86_64/lib64imlib2_1-devel-1.2.2-3.1mdv2007.1.x86_64.rpm
 7957c0ddb6cd1a3cf5161005ec661236  2007.1/x86_64/lib64imlib2_1-filters-1.2.2-3.1mdv2007.1.x86_64.rpm
 765d9d53ddf0b9ec81f6ec4e3fb12338  2007.1/x86_64/lib64imlib2_1-loaders-1.2.2-3.1mdv2007.1.x86_64.rpm 
 16807bb6a2de35737fc362f88d525fa4  2007.1/SRPMS/imlib2-1.2.2-3.1mdv2007.1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGvMCfmqjQ0CJFipgRAgzxAJ9VXVAjHYkrmN7YWZrAIV2N/btFCACdE3oc
rZAHK7PeIVpM9IRw14YB9TA=
=8DKs
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ