---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-155510
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=155510
2005-11-03
---------------------------------------------------------------------
Name        : gtk2
Versions    : rh73: gtk2-2.0.2-4.2.legacy
Versions    : rh9: gtk2-2.2.1-4.2.legacy
Versions    : fc1: gtk2-2.2.4-10.3.legacy
Summary     : The GIMP ToolKit (GTK+), a library for creating GUIs for X.
Description :
The gtk2 package contains the GIMP ToolKit (GTK+), a library for creating
graphical user interfaces for the X Window System. GTK+ was originally
written for the GIMP (GNU Image Manipulation Program) image processing
program, but is now used by several other programs as well.

---------------------------------------------------------------------
Update Information:

Updated gtk2 packages that fix several security flaws are now available.

The gtk2 package contains the GIMP ToolKit (GTK+), a library for creating
graphical user interfaces for the X Window System.

During testing of a previously fixed flaw in Qt (CVE-2004-0691), a flaw was
discovered in the BMP image processor of gtk2. An attacker could create a
carefully crafted BMP file which would cause an application to enter an
infinite loop and not respond to user input when the file was opened by a
victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2004-0753 to this issue.

During a security audit Chris Evans discovered a stack and a heap overflow
in the XPM image decoder. An attacker could create a carefully crafted XPM
file which could cause an application linked with gtk2 to crash or possibly
execute arbitrary code when the file was opened by a victim. (CVE-2004-0782,
CVE-2004-0783)

Chris Evans also discovered an integer overflow in the ICO image decoder.
An attacker could create a carefully crafted ICO file which could cause an
application linked with gtk2 to crash when the file was opened by a victim.
(CVE-2004-0788)

A bug was found in the way gtk2 processes BMP images. A specially crafted
BMP image could cause a denial of service against applications linked
against gtk2 (the changelogs below identify this as a double free in the
BMP loader). The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2005-0891 to this issue.

Users of gtk2 are advised to upgrade to these packages, which contain
backported patches and are not vulnerable to these issues.

---------------------------------------------------------------------
Changelogs

rh73:
* Wed Nov 02 2005 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 2.0.2-4.2.legacy
- Go back to a sane release number

* Wed May 11 2005 Pekka Savola <pekkas@xxxxxxxxxx> 2.0.2-4.1.legacy.2
- Add BMP loader double free crash from RHEL3 (CAN-2005-0891), #155510

* Thu Feb 17 2005 Dominic Hargreaves <dom@xxxxxxxx> 2.0.2-4.1.legacy.1
- Add gettext, libtool, autoconf build dep

* Sun Sep 19 2004 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 2.0.2-4.1.legacy
- Added security patch for CAN-2004-0782, CAN-2004-0783, CAN-2004-0788

rh9:
* Wed Nov 02 2005 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 2.2.1-4.2.legacy
- Go back to a sane release number

* Wed May 11 2005 Pekka Savola <pekkas@xxxxxxxxxx> 2.2.1-4.1.legacy.2
- Add BMP loader double free crash from RHEL3 (CAN-2005-0891), #155510

* Wed Feb 23 2005 Dominic Hargreaves <dom@xxxxxxxx> 2.2.1-4.1.legacy.1
- Fix build requirement for automake

* Sun Sep 19 2004 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 2.2.1-4.1.legacy
- add security fixes for CAN-2004-0753, CAN-2004-0782, CAN-2004-0783, CAN-2004-0788

fc1:
* Wed Nov 02 2005 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 2.2.4-10.3.legacy
- Added automake14 and gettext to BuildPrereq

* Sat Aug 20 2005 Dave Eisenstein <deisenst@xxxxxxx> 2.2.4-10.2.legacy
- Specfile damaged in 2.2.4-10.1.legacy. Redo specfile. Bug #155510.

* Wed May 11 2005 Pekka Savola <pekkas@xxxxxxxxxx> 2.2.4-10.1.legacy
- Add BMP loader double free crash from RHEL3 (CAN-2005-0891), #155510

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/
(sha1sums)

rh73:
f923e47859f2b8e973a19978baa299a9eb9510b9 redhat/7.3/updates-testing/i386/gtk2-2.0.2-4.2.legacy.i386.rpm
0b42963350b57d6c8f4d77fc9e611d6e976d80b1 redhat/7.3/updates-testing/i386/gtk2-devel-2.0.2-4.2.legacy.i386.rpm
e975fad01109fe3e9efb1b1ab2d47db32b0b83ee redhat/7.3/updates-testing/SRPMS/gtk2-2.0.2-4.2.legacy.src.rpm

rh9:
5d06ac2e6c81087e13c175b457116c0fd6950057 redhat/9/updates-testing/i386/gtk2-2.2.1-4.2.legacy.i386.rpm
99ef7dc3fdd67673358acc791ef306b914653271 redhat/9/updates-testing/i386/gtk2-devel-2.2.1-4.2.legacy.i386.rpm
8ada7b7f6ee51a281d6e0079aba0f2c150fdbf06 redhat/9/updates-testing/SRPMS/gtk2-2.2.1-4.2.legacy.src.rpm

fc1:
be0ba4a1776f9849cd5734ccb655b9dabb97011b fedora/1/updates-testing/i386/gtk2-2.2.4-10.3.legacy.i386.rpm
501aa3181b863c6904004ec8ef5c9e38cef77652 fedora/1/updates-testing/i386/gtk2-devel-2.2.4-10.3.legacy.i386.rpm
76c60fd3ca93a1291f6bb60403b3c080323fa855 fedora/1/updates-testing/SRPMS/gtk2-2.2.4-10.3.legacy.src.rpm
---------------------------------------------------------------------
Please test and comment in bugzilla.
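The sha1sum listing above is what a tester checks the downloaded RPMs against before installing them. The following script is an added illustration, not Fedora Legacy tooling: it parses a listing in the advisory's "<sha1 digest> <relative path>" format (skipping the "rh73:"-style labels), hashes each file under a download directory, and reports OK, MISMATCH or MISSING per package instead of stopping at the first error. The listing and files in demo() are constructed stand-ins, not the real packages.

```python
"""Verify downloaded update RPMs against an advisory's sha1sum listing.
Added illustration, not Fedora Legacy tooling. The sample listing and
files built in demo() are constructed for the demo, not the real RPMs."""
import hashlib
import os
import tempfile


def parse_sha1_listing(text):
    """Parse lines of the form '<40 hex chars> <relative path>' into a list
    of (digest, path) tuples. Lines with any other token count (the
    'rh73:' labels, blank lines, the separator rule) are skipped; a
    two-token line whose first token is not a SHA-1 digest raises
    ValueError, since a truncated or edited manifest should not be
    silently accepted."""
    entries = []
    hexdigits = set("0123456789abcdef")
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        digest, path = parts
        digest = digest.lower()
        if len(digest) != 40 or not set(digest) <= hexdigits:
            raise ValueError("bad sha1 digest on line: %r" % line)
        entries.append((digest, path))
    return entries


def sha1_of_file(path, chunk=65536):
    """Stream the file through SHA-1 so large RPMs need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(listing_text, base_dir):
    """Return {relative path: 'OK' | 'MISMATCH' | 'MISSING'} for every
    entry in the listing; paths are resolved relative to base_dir, the
    directory that mirrors the download tree."""
    results = {}
    for digest, rel in parse_sha1_listing(listing_text):
        full = os.path.join(base_dir, rel)
        if not os.path.isfile(full):
            results[rel] = "MISSING"
        elif sha1_of_file(full) == digest:
            results[rel] = "OK"
        else:
            results[rel] = "MISMATCH"
    return results


def demo():
    """Build a scratch download tree with constructed files (hypothetical
    names a.rpm, b.rpm, c.rpm; not the advisory's packages) and check them
    against a constructed listing: one intact, one tampered, one absent."""
    good = b"constructed stand-in for an update RPM\n"
    good_digest = hashlib.sha1(good).hexdigest()
    subdir = "redhat/7.3/updates-testing/i386"
    listing = "rh73:\n%s %s/a.rpm\n%s %s/b.rpm\n%s %s/c.rpm\n" % (
        good_digest, subdir, good_digest, subdir, "0" * 40, subdir)
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, subdir))
        with open(os.path.join(d, subdir, "a.rpm"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, subdir, "b.rpm"), "wb") as f:
            f.write(good + b"tampered\n")
        return verify_downloads(listing, d)


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print("%-8s %s" % (status, rel))
```

On the target hosts the same check is normally `sha1sum -c` over a file holding the listing. Either way the digests only prove that what you downloaded is what the advisory's author listed; what binds the listing to Fedora Legacy is the OpenPGP signature on the advisory mail, and the packages carry their own GPG signatures, so check the mail signature and run `rpm --checksig` on each RPM before installing. SHA-1 was adequate for this in 2005 but is no longer collision resistant, so a current advisory would list SHA-256 sums instead.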
-- fedora-legacy-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-legacy-list