lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4283F6B9.6030905@videotron.ca>
Date: Fri May 13 05:57:10 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Subject: [FLSA-2005:152763] Updated qt packages fixes
	security issues

---------------------------------------------------------------------
               Fedora Legacy Update Advisory

Synopsis:          Updated qt packages fixes security issues
Advisory ID:       FLSA:152763
Issue date:        2005-05-12
Product:           Red Hat Linux
Keywords:          Bugfix
CVE Names:         CAN-2004-0691 CAN-2004-0692 CAN-2004-0693
---------------------------------------------------------------------


---------------------------------------------------------------------
1. Topic:

Updated qt packages that fix security issues in several of the image
decoders are now available.

Qt is a software toolkit that simplifies the task of writing and
maintaining GUI (Graphical User Interface) applications for the X Window
System.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386

3. Problem description:

During a security audit, Chris Evans discovered a heap overflow in the
BMP image decoder in Qt versions prior to 3.3.3. An attacker could
create a carefully crafted BMP file in such a way that it would cause an
application linked with Qt to crash or possibly execute arbitrary code
when the file was opened by a victim. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0691 to
this issue.

Additionally, various flaws were discovered in the GIF, XPM, and JPEG
decoders in Qt versions prior to 3.3.3. An attacker could create
carefully crafted image files in such a way that it could cause an
application linked against Qt to crash when the file was opened by a
victim. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CAN-2004-0692 and CAN-2004-0693 to these issues.

Users of Qt should update to these updated packages which contain
backported patches and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152763

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/qt2-2.3.1-4.legacy.src.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/qt-3.0.5-7.16.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/qt2-2.3.1-4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/qt2-designer-2.3.1-4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/qt2-devel-2.3.1-4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/qt2-static-2.3.1-4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/qt2-Xt-2.3.1-4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/qt-3.0.5-7.16.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/qt-designer-3.0.5-7.16.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/qt-devel-3.0.5-7.16.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/qt-MySQL-3.0.5-7.16.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/qt-ODBC-3.0.5-7.16.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/qt-PostgreSQL-3.0.5-7.16.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/qt-static-3.0.5-7.16.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/qt-Xt-3.0.5-7.16.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/qt2-2.3.1-14.legacy.src.rpm
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/qt-3.1.1-8.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/qt2-2.3.1-14.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/qt2-designer-2.3.1-14.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/qt2-devel-2.3.1-14.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/qt2-static-2.3.1-14.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/qt2-Xt-2.3.1-14.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/qt-3.1.1-8.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/qt-designer-3.1.1-8.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/qt-devel-3.1.1-8.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/qt-MySQL-3.1.1-8.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/qt-ODBC-3.1.1-8.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/qt-PostgreSQL-3.1.1-8.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/qt-Xt-3.1.1-8.legacy.i386.rpm


7. Verification:

SHA1 sum                                 Package Name
---------------------------------------------------------------------

31dd5bcfd8477e31b15e0cdc52830a23024ada53
redhat/7.3/updates/i386/qt2-2.3.1-4.legacy.i386.rpm
666926b1e02da9edcf44d025fee98326c86cd62d
redhat/7.3/updates/i386/qt2-designer-2.3.1-4.legacy.i386.rpm
f8abe3a856df3b6f6328e3a097b47d0e5f2c270e
redhat/7.3/updates/i386/qt2-devel-2.3.1-4.legacy.i386.rpm
7916b1d34f01c8f30d0f99485e2a2d3882fa85fd
redhat/7.3/updates/i386/qt2-static-2.3.1-4.legacy.i386.rpm
9c9876dc717734169f27e0eaa4daeb2ab70ff61f
redhat/7.3/updates/i386/qt2-Xt-2.3.1-4.legacy.i386.rpm
45de88207a2ed8fcc9f6b9e25e38b7ecd2c3c543
redhat/7.3/updates/i386/qt-3.0.5-7.16.legacy.i386.rpm
f93cc80d6ef57b73c6be11cd055e5f7158b102fa
redhat/7.3/updates/i386/qt-designer-3.0.5-7.16.legacy.i386.rpm
b8301c059ecb90c497812f082e226cb504505ff2
redhat/7.3/updates/i386/qt-devel-3.0.5-7.16.legacy.i386.rpm
d2168c04a5ad203d85b61217351f702a93b937e2
redhat/7.3/updates/i386/qt-MySQL-3.0.5-7.16.legacy.i386.rpm
0ec08637df7a76b3512ecebc8705776770b797eb
redhat/7.3/updates/i386/qt-ODBC-3.0.5-7.16.legacy.i386.rpm
3374709a77752ffb1db8f4f4e82e67af58745007
redhat/7.3/updates/i386/qt-PostgreSQL-3.0.5-7.16.legacy.i386.rpm
f717c6632e65f2f18d99a76d19716e4c1f39445e
redhat/7.3/updates/i386/qt-static-3.0.5-7.16.legacy.i386.rpm
a90a2ae47135a28830fb099dd9acdcfd1f83e199
redhat/7.3/updates/i386/qt-Xt-3.0.5-7.16.legacy.i386.rpm
c9c98eff73d7fe6147ffa72baba764cdbfdd0d93
redhat/7.3/updates/SRPMS/qt2-2.3.1-4.legacy.src.rpm
884033926f37ed56e60a750a9ad394436f8b9b4a
redhat/7.3/updates/SRPMS/qt-3.0.5-7.16.legacy.src.rpm
db6801606256ca8a27eb53737981194e0a1ea01c
redhat/9/updates/i386/qt2-2.3.1-14.legacy.i386.rpm
7f1718735932279b4a8a7ff480cda6186f4e0b52
redhat/9/updates/i386/qt2-designer-2.3.1-14.legacy.i386.rpm
39fec48edde4bec460fba6781c19551a2454d52e
redhat/9/updates/i386/qt2-devel-2.3.1-14.legacy.i386.rpm
4aeee3f5f2db49275838920f4980b24f074aa1dc
redhat/9/updates/i386/qt2-static-2.3.1-14.legacy.i386.rpm
a8c42841b7d5184f4668890bd04aa68c62fc23cb
redhat/9/updates/i386/qt2-Xt-2.3.1-14.legacy.i386.rpm
18f51017809f1a78289b3b1756c6944ef0c1ca71
redhat/9/updates/i386/qt-3.1.1-8.legacy.i386.rpm
c275220a14e1d3f67494eda9674b112dd1925aa7
redhat/9/updates/i386/qt-designer-3.1.1-8.legacy.i386.rpm
4c90b5e9ffdc7c572c0cf4474cda40c46f07c5c0
redhat/9/updates/i386/qt-devel-3.1.1-8.legacy.i386.rpm
bb50a60d29c5b97a5033839f900781c1d7fa6af6
redhat/9/updates/i386/qt-MySQL-3.1.1-8.legacy.i386.rpm
7f79b8bcad7a045614ac3f6cd34af6c2ee365cce
redhat/9/updates/i386/qt-ODBC-3.1.1-8.legacy.i386.rpm
2fa4db773641f4f0d67fddd2479a6d992e847825
redhat/9/updates/i386/qt-PostgreSQL-3.1.1-8.legacy.i386.rpm
9537f1669fce9e3a9d9836e892e850315b7ecf39
redhat/9/updates/i386/qt-Xt-3.1.1-8.legacy.i386.rpm
a3ad6d0143139b7fa537cdcf7c121ce120d0bd92
redhat/9/updates/SRPMS/qt2-2.3.1-14.legacy.src.rpm
a5bd53a0a7be64720c4a70510344a5bd5ae5c64b
redhat/9/updates/SRPMS/qt-3.1.1-8.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

    sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0691
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0692
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0693

9. Contact:

The Fedora Legacy security contact is <secnotice@...oralegacy.org>. More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 251 bytes
Desc: OpenPGP digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050512/2ed15048/signature.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ