__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN "gtk2" Package Vulnerability [Red Hat Advisory RHSA-2004:466-12] September 15, 2004 21:00 GMT Number O-216 [REVISED 14 Jul 2005] ______________________________________________________________________________ PROBLEM: A vulnerability exists in the gtk2 package. The gtk2 package contains the GIMP ToolKit (GTK+), a library for creating graphical user interfaces for the X Window System. PLATFORM: Red Hat Desktop (v. 3) Red Hat Enterprise Linux AS (v. 3) Red Hat Enterprise Linux ES (v. 3) Red Hat Enterprise Linux WS (v. 3) SPARC Platform: GNOME 2.0 (for Solaris 8) without patch 114644-03 GNOME 2.0 (for Solaris 9) without patch 114686-03 GNOME 2.0.2 (for Solaris 9) without patch 115738-04 x86 Platform GNOME 2.0 (for Solaris 8) without patch 114645-03 GNOME 2.0 (for Solaris 9) without patch 114687-03 GNOME 2.0.2 (for Solaris 9) without patch 115739-04 Solaris 9 with JDS release 2 installed DAMAGE: An attacker could create a carefully crafted XPM file such that it could cause an application to execute arbitrary code when the file is opened. Further, this vulnerability may allow an attacker to create a carefully crafted BMP or ICO file that could cause an application to crash when opened. SOLUTION: Install the updated packages. ______________________________________________________________________________ VULNERABILITY The risk is HIGH. A remote intruder could get root access if ASSESSMENT: they can convince users to open an XPM file and the user is logged on as root. This is only a problem if you use gtk2 to render images. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/o-216.shtml ORIGINAL BULLETIN: https://rhn.redhat.com/errata/RHSA-2004-466.html ADDITIONAL LINK: Sun Alert ID: 101776 http://sunsolve.sun.com/search/document.do?assetkey= 1-26-101776-1&searchclause=security CVE/CAN: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CAN-2004-0753, CAN-2004-0782, CAN-2004-0783, CAN-2004-0788 ______________________________________________________________________________ REVISION HISTORY: 07/14/2005 - added a link to Sun Security Alert ID: 101776 that provides security updates for this vulnerability. [***** Start Red Hat Advisory RHSA-2004:466-12 *****] Updated gtk2 packages fix security flaws and bugs Advisory: RHSA-2004:466-12 Last updated on: 2004-09-15 Affected Products: Red Hat Desktop (v. 3) Red Hat Enterprise Linux AS (v. 3) Red Hat Enterprise Linux ES (v. 3) Red Hat Enterprise Linux WS (v. 3) CVEs (cve.mitre.org): CAN-2004-0753 CAN-2004-0782 CAN-2004-0783 CAN-2004-0788 Security Advisory Details: Updated gtk2 packages that fix several security flaws and bugs are now available. The gtk2 package contains the GIMP ToolKit (GTK+), a library for creating graphical user interfaces for the X Window System. During testing of a previously fixed flaw in Qt (CAN-2004-0691), a flaw was discovered in the BMP image processor of gtk2. An attacker could create a carefully crafted BMP file which would cause an application to enter an infinite loop and not respond to user input when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0753 to this issue. During a security audit Chris Evans discovered a stack and a heap overflow in the XPM image decoder. An attacker could create a carefully crafted XPM file which could cause an application linked with gtk2 to crash or possibly execute arbitrary code when the file was opened by a victim. (CAN-2004-0782, CAN-2004-0783) Chris Evans also discovered an integer overflow in the ICO image decoder. An attacker could create a carefully crafted ICO file which could cause an application linked with gtk2 to crash when the file was opened by a victim. (CAN-2004-0788) This updated gtk2 package also fixes a few key combination bugs on various X servers, such as Hummingbird, ReflectionX, and X-Win32. If a server was configured to use the Swiss German, Swiss French, or France French keyboard layouts, Mode_Switched characters were unable to be entered within GTK based applications. Users of gtk2 are advised to upgrade to these packages which contain backported patches and are not vulnerable to these issues. Updated packages: Red Hat Desktop (v. 3) -------------------------------------------------------------------------------- AMD64: gtk2-2.2.4-8.1.x86_64.rpm 7c5c8d7447e340310576c2909985268c gtk2-devel-2.2.4-8.1.x86_64.rpm 8ebd7aea9fe419a1e60c1405fae01f5a SRPMS: gtk2-2.2.4-8.1.src.rpm 6ac62a2aeab6c7a99ff4b3a657530f89 i386: gtk2-2.2.4-8.1.i386.rpm 37607c300bef5d9dd9858474031f582c gtk2-devel-2.2.4-8.1.i386.rpm 2d0c1fe11fc0a9a165debb0cbac24b4e gtk2-2.2.4-8.1.i386.rpm 37607c300bef5d9dd9858474031f582c Red Hat Enterprise Linux AS (v. 3) -------------------------------------------------------------------------------- AMD64: gtk2-2.2.4-8.1.x86_64.rpm 7c5c8d7447e340310576c2909985268c gtk2-devel-2.2.4-8.1.x86_64.rpm 8ebd7aea9fe419a1e60c1405fae01f5a SRPMS: gtk2-2.2.4-8.1.src.rpm 6ac62a2aeab6c7a99ff4b3a657530f89 i386: gtk2-2.2.4-8.1.i386.rpm 37607c300bef5d9dd9858474031f582c gtk2-devel-2.2.4-8.1.i386.rpm 2d0c1fe11fc0a9a165debb0cbac24b4e gtk2-2.2.4-8.1.i386.rpm 37607c300bef5d9dd9858474031f582c ia64: gtk2-2.2.4-8.1.ia64.rpm b3b57ef2a9b4c577cad9639fd194db14 gtk2-devel-2.2.4-8.1.ia64.rpm cf89006e9943f4b23aeb7a410c91c542 ppc: gtk2-2.2.4-8.1.ppc.rpm 766df9da1dca48a5f110dc96b9c29015 gtk2-devel-2.2.4-8.1.ppc.rpm eadbbab509000019eae608a8748cfbde s390: gtk2-2.2.4-8.1.s390.rpm a3692edac044b25e4c8c2012437888e7 gtk2-devel-2.2.4-8.1.s390.rpm f1821966b229cd61264b9af61fafdb88 s390x: gtk2-2.2.4-8.1.s390x.rpm e45909f903fc90707ef451051d31853c gtk2-devel-2.2.4-8.1.s390x.rpm 4190a6fdeed17fe104def7551c1ea51e Red Hat Enterprise Linux ES (v. 3) -------------------------------------------------------------------------------- AMD64: gtk2-2.2.4-8.1.x86_64.rpm 7c5c8d7447e340310576c2909985268c gtk2-devel-2.2.4-8.1.x86_64.rpm 8ebd7aea9fe419a1e60c1405fae01f5a SRPMS: gtk2-2.2.4-8.1.src.rpm 6ac62a2aeab6c7a99ff4b3a657530f89 i386: gtk2-2.2.4-8.1.i386.rpm 37607c300bef5d9dd9858474031f582c gtk2-devel-2.2.4-8.1.i386.rpm 2d0c1fe11fc0a9a165debb0cbac24b4e gtk2-2.2.4-8.1.i386.rpm 37607c300bef5d9dd9858474031f582c ia64: gtk2-2.2.4-8.1.ia64.rpm b3b57ef2a9b4c577cad9639fd194db14 gtk2-devel-2.2.4-8.1.ia64.rpm cf89006e9943f4b23aeb7a410c91c542 Red Hat Enterprise Linux WS (v. 3) -------------------------------------------------------------------------------- AMD64: gtk2-2.2.4-8.1.x86_64.rpm 7c5c8d7447e340310576c2909985268c gtk2-devel-2.2.4-8.1.x86_64.rpm 8ebd7aea9fe419a1e60c1405fae01f5a SRPMS: gtk2-2.2.4-8.1.src.rpm 6ac62a2aeab6c7a99ff4b3a657530f89 i386: gtk2-2.2.4-8.1.i386.rpm 37607c300bef5d9dd9858474031f582c gtk2-devel-2.2.4-8.1.i386.rpm 2d0c1fe11fc0a9a165debb0cbac24b4e gtk2-2.2.4-8.1.i386.rpm 37607c300bef5d9dd9858474031f582c ia64: gtk2-2.2.4-8.1.ia64.rpm b3b57ef2a9b4c577cad9639fd194db14 gtk2-devel-2.2.4-8.1.ia64.rpm cf89006e9943f4b23aeb7a410c91c542 (The unlinked packages above are only available from the Red Hat Network) Solution Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command: up2date For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system: http://www.redhat.com/docs/manuals/enterprise/ Bugs fixed: (see bugzilla for more information) 130450 - CAN-2004-0753 bmp image loader DOS References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0753 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0782 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0783 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0788 http://bugzilla.gnome.org/show_bug.cgi?id=150601 http://bugzilla.gnome.org/show_bug.cgi?id=144808 [***** End Red Hat Advisory RHSA-2004:466-12 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Red Hat for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) O-206: Entrust LibKmp Library Vulnerabilities O-207: Cisco IOS Telnet Denial of Service Vulnerability O-208: Kerberos krb5 Vulnerabilities O-209: Oracle Database Server Vulnerabilities O-210: LHA Packages Buffer Overflow Vulnerability O-211: Potential Buffer Overflows in WinZip O-212: Apple Security Update O-213: Windows Buffer Overrun in JPEG Processing Could Allow Code Execution O-214: Windows Vulnerability in WordPerfect Converter Could Allow Code Execution O-215: "imlib" package vulnerability