__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN "gdk-pixbuf" Package Vulnerability [Red Hat Advisory RHSA-2004:447-17] September 15, 2004 21:00 GMT Number O-217 [REVISED 16 Sep 2004] [REVISED 20 Sep 2004] [REVISED 01 Oct 2004] [REVISED 14 Jul 2005] ______________________________________________________________________________ PROBLEM: Several security vulnerabilities were found in the gdk-pixbuf packages. The gdk-pixbuf package contains an image loading library used with the GNOME GUI desktop environment. PLATFORM: Red Hat Desktop (v. 3) Red Hat Enterprise Linux AS (v. 2.1) Red Hat Enterprise Linux AS (v. 3) Red Hat Enterprise Linux ES (v. 2.1) Red Hat Enterprise Linux ES (v. 3) Red Hat Enterprise Linux WS (v. 2.1) Red Hat Enterprise Linux WS (v. 3) Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor Debian GNU/Linux 3.0 (woody) GTK+2 SPARC Platform: GNOME 2.0 (for Solaris 8) without patch 114644-03 GNOME 2.0 (for Solaris 9) without patch 114686-03 GNOME 2.0.2 (for Solaris 9) without patch 115738-04 x86 Platform GNOME 2.0 (for Solaris 8) without patch 114645-03 GNOME 2.0 (for Solaris 9) without patch 114687-03 GNOME 2.0.2 (for Solaris 9) without patch 115739-04 Solaris 9 with JDS release 2 installed DAMAGE: An attacker could create a carefully crafted XPM file such that it could cause an application to execute arbitrary code when the file is opened. Further, this vulnerability may allow an attacker to create a carefully crafted BMP or ICO file that could cause an application to crash when opened. SOLUTION: Install the updated packages. NOTE: some vendors are suggesting that whole Gtk packages be replaced if available. ______________________________________________________________________________ VULNERABILITY The risk is HIGH. A remote intruder could get root access if ASSESSMENT: they can convince users to open an XPM file and the user is logged on as root. This is only a problem if you use gdk-pixbuf to render images. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/o-217.shtml ORIGINAL BULLETIN: https://rhn.redhat.com/errata/RHSA-2004-447.html ADDITIONAL LINKS: Debian Security Advisory DSA-546-1 http://www.debian.org/security/2004/dsa-546 (gdk) Debian Security Advisory DSA-549-1 http://www.debian.org/security/2004/dsa-549 (gtk) US-CERT Vulnerability Notes: VU#577654 http://www.kb.cert.org/vuls/id/577654 VU#825374 http://www.kb.cert.org/vuls/id/825374 VU#369358 http://www.kb.cert.org/vuls/id/369358 VU#729894 http://www.kb.cert.org/vuls/id/729894 Sun Alert ID: 101776 http://sunsolve.sun.com/search/document.do?assetkey= 1-26-101776-1&searchclause=security CVE/CAN: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CAN-2004-0753, CAN-2004-0782, CAN-2004-0783, CAN-2004-0788 ______________________________________________________________________________ REVISION HISTORY: 09/16/04 - added a link to Debian Security Advisory DSA-546-1 that provides updated Gdk packages addressing this vulnerability. 09/20/04 - added a kubj ti Debuab Security Advisory DSA-549-1 that provides updated Gtk packages. 10/01/04 - add links to US-CERT Vulnerability Notes: VU#577654, VU#825374, VU#369358, and VU#729894. 07/14/05 - added a link to Sun Security Alert ID: 101776 that provides security updates for this vulnerability. [***** Start Red Hat Advisory RHSA-2004:447-17 *****] Updated gdk-pixbuf packages fix security flaws Advisory: RHSA-2004:447-23 Last updated on: 2004-09-15 Affected Products: Red Hat Desktop (v. 3) Red Hat Enterprise Linux AS (v. 2.1) Red Hat Enterprise Linux AS (v. 3) Red Hat Enterprise Linux ES (v. 2.1) Red Hat Enterprise Linux ES (v. 3) Red Hat Enterprise Linux WS (v. 2.1) Red Hat Enterprise Linux WS (v. 3) Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor CVEs (cve.mitre.org): CAN-2004-0753 CAN-2004-0782 CAN-2004-0783 CAN-2004-0788 Security Advisory Details: Updated gdk-pixbuf packages that fix several security flaws are now available. The gdk-pixbuf package contains an image loading library used with the GNOME GUI desktop environment. [Updated 15th September 2004] Packages have been updated to correct a bug which caused the xpm loader to fail. During testing of a previously fixed flaw in Qt (CAN-2004-0691), a flaw was discovered in the BMP image processor of gdk-pixbuf. An attacker could create a carefully crafted BMP file which would cause an application to enter an infinite loop and not respond to user input when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0753 to this issue. During a security audit, Chris Evans discovered a stack and a heap overflow in the XPM image decoder. An attacker could create a carefully crafted XPM file which could cause an application linked with gtk2 to crash or possibly execute arbitrary code when the file was opened by a victim. (CAN-2004-0782, CAN-2004-0783) Chris Evans also discovered an integer overflow in the ICO image decoder. An attacker could create a carefully crafted ICO file which could cause an application linked with gtk2 to crash when the file is opened by a victim. (CAN-2004-0788) These packages have also been updated to correct a bug which caused the xpm loader to fail. Users of gdk-pixbuf are advised to upgrade to these packages, which contain backported patches and are not vulnerable to these issues. Updated packages: Red Hat Desktop (v. 3) -------------------------------------------------------------------------------- AMD64: gdk-pixbuf-0.22.0-11.3.3.x86_64.rpm 0678c0efeb2cceae8fee9dbb8797f2af gdk-pixbuf-devel-0.22.0-11.3.3.x86_64.rpm 160fa97f945efec1ce56ea494541c520 gdk-pixbuf-gnome-0.22.0-11.3.3.x86_64.rpm 92b07889b33dc280fdb136b02325c53e SRPMS: gdk-pixbuf-0.22.0-11.3.3.src.rpm adde2ead86237f92b7a346394dfb93bc i386: gdk-pixbuf-0.22.0-11.3.3.i386.rpm 92fadd028df0850e6b61e01b440ade70 gdk-pixbuf-devel-0.22.0-11.3.3.i386.rpm 4c80a32cb8573720bdcc06b39475754f gdk-pixbuf-gnome-0.22.0-11.3.3.i386.rpm 6e50dafb95a1efef5e3676663c38c0a0 Red Hat Enterprise Linux AS (v. 2.1) -------------------------------------------------------------------------------- SRPMS: gdk-pixbuf-0.22.0-11.2.2E.src.rpm fda43700c69af3535e9d3bc9e6b4f1b9 i386: gdk-pixbuf-0.22.0-11.2.2E.i386.rpm 8334282664dfc3f87a377fbf7b733d41 gdk-pixbuf-devel-0.22.0-11.2.2E.i386.rpm 30dab937b29109544bcb0bf68d8b9fc0 gdk-pixbuf-gnome-0.22.0-11.2.2E.i386.rpm d1c6a6a7b4baa3219ac66040b684b133 ia64: gdk-pixbuf-0.22.0-11.2.2E.ia64.rpm 68926c28e87cbbea60ce8eacb163c98e gdk-pixbuf-devel-0.22.0-11.2.2E.ia64.rpm f0100561fb5c22ce3bf71dc08e7a88b9 gdk-pixbuf-gnome-0.22.0-11.2.2E.ia64.rpm 0fa01166e066f322a78fc8e3b97085e9 Red Hat Enterprise Linux AS (v. 3) -------------------------------------------------------------------------------- AMD64: gdk-pixbuf-0.22.0-11.3.3.x86_64.rpm 0678c0efeb2cceae8fee9dbb8797f2af gdk-pixbuf-devel-0.22.0-11.3.3.x86_64.rpm 160fa97f945efec1ce56ea494541c520 gdk-pixbuf-gnome-0.22.0-11.3.3.x86_64.rpm 92b07889b33dc280fdb136b02325c53e SRPMS: gdk-pixbuf-0.22.0-11.3.3.src.rpm adde2ead86237f92b7a346394dfb93bc i386: gdk-pixbuf-0.22.0-11.3.3.i386.rpm 92fadd028df0850e6b61e01b440ade70 gdk-pixbuf-devel-0.22.0-11.3.3.i386.rpm 4c80a32cb8573720bdcc06b39475754f gdk-pixbuf-gnome-0.22.0-11.3.3.i386.rpm 6e50dafb95a1efef5e3676663c38c0a0 ia64: gdk-pixbuf-0.22.0-11.3.3.ia64.rpm c50021c89b9369377247cf69141361bb gdk-pixbuf-devel-0.22.0-11.3.3.ia64.rpm d465a6ac9407dd1fc97f7336218b2350 gdk-pixbuf-gnome-0.22.0-11.3.3.ia64.rpm a925e983040b0cb85b7d3491d2928e1d ppc: gdk-pixbuf-0.22.0-11.3.3.ppc.rpm 3464b39ac9ccca779f3b8b77ba3086d7 gdk-pixbuf-devel-0.22.0-11.3.3.ppc.rpm 742f21c2cf58a00d2e4aecfc54c1cde8 gdk-pixbuf-gnome-0.22.0-11.3.3.ppc.rpm 600e801b22806cfbc11d3d5b9f175624 s390: gdk-pixbuf-0.22.0-11.3.3.s390.rpm d9ad5bb3ef55ef9a4d453091ea53d414 gdk-pixbuf-devel-0.22.0-11.3.3.s390.rpm 90e70ff542f9b859d7ca586ea6aba099 gdk-pixbuf-gnome-0.22.0-11.3.3.s390.rpm 0722d84359e5b752ae811d7db557c473 s390x: gdk-pixbuf-0.22.0-11.3.3.s390x.rpm d787c1c1cec4ed5135066a3930cd6d05 gdk-pixbuf-devel-0.22.0-11.3.3.s390x.rpm 9f0c0dd1515ae16c5596b0c23288701f gdk-pixbuf-gnome-0.22.0-11.3.3.s390x.rpm f73fb0a596c337e6e3b4e4033df84989 Red Hat Enterprise Linux ES (v. 2.1) -------------------------------------------------------------------------------- SRPMS: gdk-pixbuf-0.22.0-11.2.2E.src.rpm fda43700c69af3535e9d3bc9e6b4f1b9 i386: gdk-pixbuf-0.22.0-11.2.2E.i386.rpm 8334282664dfc3f87a377fbf7b733d41 gdk-pixbuf-devel-0.22.0-11.2.2E.i386.rpm 30dab937b29109544bcb0bf68d8b9fc0 gdk-pixbuf-gnome-0.22.0-11.2.2E.i386.rpm d1c6a6a7b4baa3219ac66040b684b133 Red Hat Enterprise Linux ES (v. 3) -------------------------------------------------------------------------------- AMD64: gdk-pixbuf-0.22.0-11.3.3.x86_64.rpm 0678c0efeb2cceae8fee9dbb8797f2af gdk-pixbuf-devel-0.22.0-11.3.3.x86_64.rpm 160fa97f945efec1ce56ea494541c520 gdk-pixbuf-gnome-0.22.0-11.3.3.x86_64.rpm 92b07889b33dc280fdb136b02325c53e SRPMS: gdk-pixbuf-0.22.0-11.3.3.src.rpm adde2ead86237f92b7a346394dfb93bc i386: gdk-pixbuf-0.22.0-11.3.3.i386.rpm 92fadd028df0850e6b61e01b440ade70 gdk-pixbuf-devel-0.22.0-11.3.3.i386.rpm 4c80a32cb8573720bdcc06b39475754f gdk-pixbuf-gnome-0.22.0-11.3.3.i386.rpm 6e50dafb95a1efef5e3676663c38c0a0 ia64: gdk-pixbuf-0.22.0-11.3.3.ia64.rpm c50021c89b9369377247cf69141361bb gdk-pixbuf-devel-0.22.0-11.3.3.ia64.rpm d465a6ac9407dd1fc97f7336218b2350 gdk-pixbuf-gnome-0.22.0-11.3.3.ia64.rpm a925e983040b0cb85b7d3491d2928e1d Red Hat Enterprise Linux WS (v. 2.1) -------------------------------------------------------------------------------- SRPMS: gdk-pixbuf-0.22.0-11.2.2E.src.rpm fda43700c69af3535e9d3bc9e6b4f1b9 i386: gdk-pixbuf-0.22.0-11.2.2E.i386.rpm 8334282664dfc3f87a377fbf7b733d41 gdk-pixbuf-devel-0.22.0-11.2.2E.i386.rpm 30dab937b29109544bcb0bf68d8b9fc0 gdk-pixbuf-gnome-0.22.0-11.2.2E.i386.rpm d1c6a6a7b4baa3219ac66040b684b133 Red Hat Enterprise Linux WS (v. 3) -------------------------------------------------------------------------------- AMD64: gdk-pixbuf-0.22.0-11.3.3.x86_64.rpm 0678c0efeb2cceae8fee9dbb8797f2af gdk-pixbuf-devel-0.22.0-11.3.3.x86_64.rpm 160fa97f945efec1ce56ea494541c520 gdk-pixbuf-gnome-0.22.0-11.3.3.x86_64.rpm 92b07889b33dc280fdb136b02325c53e SRPMS: gdk-pixbuf-0.22.0-11.3.3.src.rpm adde2ead86237f92b7a346394dfb93bc i386: gdk-pixbuf-0.22.0-11.3.3.i386.rpm 92fadd028df0850e6b61e01b440ade70 gdk-pixbuf-devel-0.22.0-11.3.3.i386.rpm 4c80a32cb8573720bdcc06b39475754f gdk-pixbuf-gnome-0.22.0-11.3.3.i386.rpm 6e50dafb95a1efef5e3676663c38c0a0 ia64: gdk-pixbuf-0.22.0-11.3.3.ia64.rpm c50021c89b9369377247cf69141361bb gdk-pixbuf-devel-0.22.0-11.3.3.ia64.rpm d465a6ac9407dd1fc97f7336218b2350 gdk-pixbuf-gnome-0.22.0-11.3.3.ia64.rpm a925e983040b0cb85b7d3491d2928e1d Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor -------------------------------------------------------------------------------- SRPMS: gdk-pixbuf-0.22.0-11.2.2E.src.rpm fda43700c69af3535e9d3bc9e6b4f1b9 ia64: gdk-pixbuf-0.22.0-11.2.2E.ia64.rpm 68926c28e87cbbea60ce8eacb163c98e gdk-pixbuf-devel-0.22.0-11.2.2E.ia64.rpm f0100561fb5c22ce3bf71dc08e7a88b9 gdk-pixbuf-gnome-0.22.0-11.2.2E.ia64.rpm 0fa01166e066f322a78fc8e3b97085e9 (The unlinked packages above are only available from the Red Hat Network) Solution Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command: up2date For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system: http://www.redhat.com/docs/manuals/enterprise/ Bugs fixed: (see bugzilla for more information) 130455 - CAN-2004-0753 bmp image loader DOS 130711 - CAN-2004-0782/3/8 GTK XPM decoder issues References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0753 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0782 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0783 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0788 http://bugzilla.gnome.org/show_bug.cgi?id=150601 [***** End Red Hat Advisory RHSA-2004:447-17 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Red Hat for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) O-207: Cisco IOS Telnet Denial of Service Vulnerability O-208: Kerberos krb5 Vulnerabilities O-209: Oracle Database Server Vulnerabilities O-210: LHA Packages Buffer Overflow Vulnerability O-211: Potential Buffer Overflows in WinZip O-212: Apple Security Update O-213: Windows Buffer Overrun in JPEG Processing Could Allow Code Execution O-214: Windows Vulnerability in WordPerfect Converter Could Allow Code Execution O-215: "imlib" package vulnerability O-216: "gtk2" Package vulnerability