             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                   netpbm Security Update [RHSA-2005:843-8]

December 20, 2005 22:00 GMT                                       Number Q-081
                                                           [REVISED 19 Jan 2006]
______________________________________________________________________________

PROBLEM:       Updated netpbm packages that fix two security issues are now
               available.

PLATFORM:      Red Hat Desktop (v. 3)
               Red Hat Enterprise Linux AS (v. 2.1)
               Red Hat Enterprise Linux AS (v. 3)
               Red Hat Enterprise Linux ES (v. 2.1)
               Red Hat Enterprise Linux ES (v. 3)
               Red Hat Enterprise Linux WS (v. 2.1)
               Red Hat Enterprise Linux WS (v. 3)
               Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
               SGI ProPack 3 Service Pack 6 for SGI Altix family of systems

DAMAGE:        A stack based buffer overflow bug was found in the way netpbm
               converts Portable Anymap (PNM) files into Portable Network
               Graphics (PNG). A specially crafted PNM file could allow an
               attacker to execute arbitrary code by attempting to convert a
               PNM file to a PNG file when using pnmtopng with the '-text'
               option.

               An "off by one" bug was found in the way netpbm converts
               Portable Anymap (PNM) files into Portable Network Graphics
               (PNG). If a victim attempts to convert a specially crafted 256
               color PNM file to a PNG file, then it can cause the pnmtopng
               utility to crash.

SOLUTION:      Apply current patches.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. Could allow an attacker to execute arbitrary
ASSESSMENT:    code.
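The "off by one" item under DAMAGE is a bound check on a 256-entry colour palette. The following is an added illustration of that bug class and its correct form, written for this bulletin and not taken from netpbm; the `palette` type, `count_palette_colors` and the constructed gradient raster in `gradient_color_count` are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>

/* A PNG PLTE chunk holds at most 256 entries, so an 8-bit palette image
 * may contain exactly 256 distinct colours and not one more. */
#define MAXCOLORS 256

typedef struct { uint8_t r, g, b; } rgb;
typedef struct { rgb entry[MAXCOLORS]; int count; } palette;

/* Look up c, appending it if unseen; returns its index or -1 when full.
 * The off-by-one form of this bound is `p->count > MAXCOLORS`: it admits
 * a 257th colour and stores it in entry[256], one past the array's end. */
static int palette_add(palette *p, rgb c)
{
    for (int i = 0; i < p->count; i++)
        if (p->entry[i].r == c.r && p->entry[i].g == c.g && p->entry[i].b == c.b)
            return i;
    if (p->count >= MAXCOLORS)       /* valid indices are 0..255 */
        return -1;
    p->entry[p->count] = c;
    return p->count++;
}

/* Palette of an interleaved 8-bit RGB raster (the body of a P6 PPM).
 * Returns the number of distinct colours, or -1 if more than 256 are
 * present: the converter must report that instead of overrunning. */
int count_palette_colors(const uint8_t *raster, size_t npix)
{
    palette p = { .count = 0 };
    for (size_t i = 0; i < npix; i++) {
        rgb c = { raster[3 * i], raster[3 * i + 1], raster[3 * i + 2] };
        if (palette_add(&p, c) < 0)
            return -1;
    }
    return p.count;
}

/* Constructed raster: ncolors distinct colours repeated `repeat` times,
 * so duplicate pixels are exercised too (ncolors * repeat <= 1200). */
int gradient_color_count(size_t ncolors, size_t repeat)
{
    static uint8_t raster[3 * 1200];
    size_t npix = 0;
    for (size_t k = 0; k < repeat; k++)
        for (size_t i = 0; i < ncolors; i++, npix++) {
            raster[3 * npix] = (uint8_t)(i & 0xff);
            raster[3 * npix + 1] = (uint8_t)(i >> 8);  /* keeps colour 256 distinct */
            raster[3 * npix + 2] = 0;
        }
    return count_palette_colors(raster, npix);
}
```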
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q-081.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2005-843.html
 ADDITIONAL LINK:    SGI Security Update #53, Number 20060101-01-U
                     http://www.sgi.com/support/security/advisories.html
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2005-3632
                     CVE-2005-3662
______________________________________________________________________________

REVISION HISTORY:
01/19/2006 - added a link to SGI Security Update #53, Patch 10258 for SGI
             ProPack 3 Service Pack 6, addressing this vulnerability.

[***** Start RHSA-2005:843-8 *****]

netpbm security update

Advisory:         RHSA-2005:843-8
Type:             Security Advisory
Issued on:        2005-12-20
Last updated on:  2005-12-20
Affected Products:
                  Red Hat Desktop (v. 3)
                  Red Hat Enterprise Linux AS (v. 2.1)
                  Red Hat Enterprise Linux AS (v. 3)
                  Red Hat Enterprise Linux ES (v. 2.1)
                  Red Hat Enterprise Linux ES (v. 3)
                  Red Hat Enterprise Linux WS (v. 2.1)
                  Red Hat Enterprise Linux WS (v. 3)
                  Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
CVEs (cve.mitre.org):
                  CVE-2005-3632
                  CVE-2005-3662

Details

Updated netpbm packages that fix two security issues are now available.

This update has been rated as having moderate security impact by the Red Hat
Security Response Team.

The netpbm package contains a library of functions that support programs for
handling various graphics file formats.

A stack based buffer overflow bug was found in the way netpbm converts
Portable Anymap (PNM) files into Portable Network Graphics (PNG). A specially
crafted PNM file could allow an attacker to execute arbitrary code by
attempting to convert a PNM file to a PNG file when using pnmtopng with the
'-text' option. The Common Vulnerabilities and Exposures project has assigned
the name CVE-2005-3632 to this issue.
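The '-text' issue above is a fixed-size stack buffer filled by an unbounded copy of attacker-controlled text. As an added example written for this bulletin (not netpbm's code), here is the hardened shape of such a reader: every copy is bounded by a measured length and over-long fields are rejected. The line format (one `keyword text` pair per line), the `text_chunk` type, `TEXT_MAX` and the helper functions are assumptions of the example; the 79-byte keyword limit is the PNG tEXt rule.

```c
#include <string.h>

#define KEYWORD_MAX 79     /* PNG tEXt keywords are 1..79 bytes long */
#define TEXT_MAX    1024   /* assumed cap on the text field for this example */

typedef struct {
    char keyword[KEYWORD_MAX + 1];
    char text[TEXT_MAX];
} text_chunk;

/* Parse one "keyword text" line into fixed-size fields. The overflow
 * pattern in this kind of reader is `sscanf(line, "%s", keyword)` into a
 * char keyword[80]: %s copies until whitespace with no bound. Here each copy
 * is measured first. Returns 0 on success, -1 for an empty or oversized field. */
int parse_text_line(const char *line, text_chunk *out)
{
    size_t klen = strcspn(line, " \t\r\n");
    if (klen == 0 || klen > KEYWORD_MAX)
        return -1;
    memcpy(out->keyword, line, klen);
    out->keyword[klen] = '\0';
    const char *t = line + klen;
    t += strspn(t, " \t");                 /* skip the separator */
    size_t tlen = strcspn(t, "\r\n");
    if (tlen >= TEXT_MAX)
        return -1;
    memcpy(out->text, t, tlen);
    out->text[tlen] = '\0';
    return 0;
}

/* 1 if the line parses and yields exactly the expected keyword and text. */
int text_line_matches(const char *line, const char *kw, const char *text)
{
    text_chunk c;
    return parse_text_line(line, &c) == 0 &&
           strcmp(c.keyword, kw) == 0 && strcmp(c.text, text) == 0;
}

/* Constructed line with an n-byte keyword (n <= 200) and a short text;
 * returns parse_text_line's result so the 79/80 boundary can be checked. */
int parse_keyword_of_length(size_t n)
{
    char line[256];
    text_chunk c;
    if (n > 200)
        return -1;
    memset(line, 'A', n);
    strcpy(line + n, " value\n");
    return parse_text_line(line, &c);
}
```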
An "off by one" bug was found in the way netpbm converts Portable Anymap (PNM)
files into Portable Network Graphics (PNG). If a victim attempts to convert a
specially crafted 256 color PNM file to a PNG file, then it can cause the
pnmtopng utility to crash. The Common Vulnerabilities and Exposures project
has assigned the name CVE-2005-3662 to this issue.

All users of netpbm should upgrade to these updated packages, which contain
backported patches that resolve these issues.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network, launch
the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Desktop (v. 3)
  SRPMS:   netpbm-9.24-11.30.4.src.rpm
  IA-32:   netpbm-9.24-11.30.4.i386.rpm
           netpbm-devel-9.24-11.30.4.i386.rpm
           netpbm-progs-9.24-11.30.4.i386.rpm
  x86_64:  netpbm-9.24-11.30.4.i386.rpm
           netpbm-9.24-11.30.4.x86_64.rpm
           netpbm-devel-9.24-11.30.4.x86_64.rpm
           netpbm-progs-9.24-11.30.4.x86_64.rpm

Red Hat Enterprise Linux AS (v. 2.1)
  SRPMS:   netpbm-9.24-9.AS21.6.src.rpm
  IA-32:   netpbm-9.24-9.AS21.6.i386.rpm
           netpbm-devel-9.24-9.AS21.6.i386.rpm
           netpbm-progs-9.24-9.AS21.6.i386.rpm
  IA-64:   netpbm-9.24-9.AS21.6.ia64.rpm
           netpbm-devel-9.24-9.AS21.6.ia64.rpm
           netpbm-progs-9.24-9.AS21.6.ia64.rpm

Red Hat Enterprise Linux AS (v. 3)
  SRPMS:   netpbm-9.24-11.30.4.src.rpm
  IA-32:   netpbm-9.24-11.30.4.i386.rpm
           netpbm-devel-9.24-11.30.4.i386.rpm
           netpbm-progs-9.24-11.30.4.i386.rpm
  IA-64:   netpbm-9.24-11.30.4.i386.rpm
           netpbm-9.24-11.30.4.ia64.rpm
           netpbm-devel-9.24-11.30.4.ia64.rpm
           netpbm-progs-9.24-11.30.4.ia64.rpm
  PPC:     netpbm-9.24-11.30.4.ppc.rpm
           netpbm-9.24-11.30.4.ppc64.rpm
           netpbm-devel-9.24-11.30.4.ppc.rpm
           netpbm-progs-9.24-11.30.4.ppc.rpm
  s390:    netpbm-9.24-11.30.4.s390.rpm
           netpbm-devel-9.24-11.30.4.s390.rpm
           netpbm-progs-9.24-11.30.4.s390.rpm
  s390x:   netpbm-9.24-11.30.4.s390.rpm
           netpbm-9.24-11.30.4.s390x.rpm
           netpbm-devel-9.24-11.30.4.s390x.rpm
           netpbm-progs-9.24-11.30.4.s390x.rpm
  x86_64:  netpbm-9.24-11.30.4.i386.rpm
           netpbm-9.24-11.30.4.x86_64.rpm
           netpbm-devel-9.24-11.30.4.x86_64.rpm
           netpbm-progs-9.24-11.30.4.x86_64.rpm

Red Hat Enterprise Linux ES (v. 2.1)
  SRPMS:   netpbm-9.24-9.AS21.6.src.rpm
  IA-32:   netpbm-9.24-9.AS21.6.i386.rpm
           netpbm-devel-9.24-9.AS21.6.i386.rpm
           netpbm-progs-9.24-9.AS21.6.i386.rpm

Red Hat Enterprise Linux ES (v. 3)
  SRPMS:   netpbm-9.24-11.30.4.src.rpm
  IA-32:   netpbm-9.24-11.30.4.i386.rpm
           netpbm-devel-9.24-11.30.4.i386.rpm
           netpbm-progs-9.24-11.30.4.i386.rpm
  IA-64:   netpbm-9.24-11.30.4.i386.rpm
           netpbm-9.24-11.30.4.ia64.rpm
           netpbm-devel-9.24-11.30.4.ia64.rpm
           netpbm-progs-9.24-11.30.4.ia64.rpm
  x86_64:  netpbm-9.24-11.30.4.i386.rpm
           netpbm-9.24-11.30.4.x86_64.rpm
           netpbm-devel-9.24-11.30.4.x86_64.rpm
           netpbm-progs-9.24-11.30.4.x86_64.rpm

Red Hat Enterprise Linux WS (v. 2.1)
  SRPMS:   netpbm-9.24-9.AS21.6.src.rpm
  IA-32:   netpbm-9.24-9.AS21.6.i386.rpm
           netpbm-devel-9.24-9.AS21.6.i386.rpm
           netpbm-progs-9.24-9.AS21.6.i386.rpm

Red Hat Enterprise Linux WS (v. 3)
  SRPMS:   netpbm-9.24-11.30.4.src.rpm
  IA-32:   netpbm-9.24-11.30.4.i386.rpm
           netpbm-devel-9.24-11.30.4.i386.rpm
           netpbm-progs-9.24-11.30.4.i386.rpm
  IA-64:   netpbm-9.24-11.30.4.i386.rpm
           netpbm-9.24-11.30.4.ia64.rpm
           netpbm-devel-9.24-11.30.4.ia64.rpm
           netpbm-progs-9.24-11.30.4.ia64.rpm
  x86_64:  netpbm-9.24-11.30.4.i386.rpm
           netpbm-9.24-11.30.4.x86_64.rpm
           netpbm-devel-9.24-11.30.4.x86_64.rpm
           netpbm-progs-9.24-11.30.4.x86_64.rpm

Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
  SRPMS:   netpbm-9.24-9.AS21.6.src.rpm
  IA-64:   netpbm-9.24-9.AS21.6.ia64.rpm
           netpbm-devel-9.24-9.AS21.6.ia64.rpm
           netpbm-progs-9.24-9.AS21.6.ia64.rpm

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

173342 - CVE-2005-3662 netpbm off by one error
173344 - CVE-2005-3632 Netpbm buffer overflow

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3632
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3662

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

Copyright © 2002-05 Red Hat, Inc. All rights reserved.
[***** End RHSA-2005:843-8 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government.
Neither the United States Government nor the University of California nor any
of their employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process disclosed, or
represents that its use would not infringe privately owned rights. Reference
herein to any specific commercial products, process, or service by trade
name, trademark, manufacturer, or otherwise, does not necessarily constitute
or imply its endorsement, recommendation or favoring by the United States
Government or the University of California. The views and opinions of authors
expressed herein do not necessarily state or reflect those of the United
States Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

Q-070: Sun Java System Application Server Reverse SSL Proxy Plugin Vulnerability
Q-071: HP-UX Running IPSec Remote Unauthorized Access
Q-072: Sun Update Connection Web Proxy Password Disclosure Vulnerability
Q-073: IBM Tivoli Directory Server Vulnerability
Q-074: Cumulative Security Update for Internet Explorer
Q-075: Vulnerability in Windows Kernel
Q-076: Sober.X (Y) To Download New Code On or After Jan. 6
Q-077: Citrix Vulnerability in Program Neighborhood Client
Q-078: cURL Security Update
Q-079: HP-UX Running Software Distributor Remote Unauthorized Access