--------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated xpdf package fixes security issues Advisory ID: FLSA:175404 Issue date: 2006-03-16 Product: Red Hat Linux, Fedora Core Keywords: Bugfix CVE Names: CVE-2005-2097 CVE-2005-3191 CVE-2005-3192 CVE-2005-3193 CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627 CVE-2005-3628 CVE-2006-0301 --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Topic: An updated xpdf package that fixes several security issues is now available. The xpdf package is an X Window System-based viewer for Portable Document Format (PDF) files. 2. Relevant releases/architectures: Red Hat Linux 7.3 - i386 Red Hat Linux 9 - i386 Fedora Core 1 - i386 Fedora Core 2 - i386 Fedora Core 3 - i386, x86_64 3. Problem description: A flaw was discovered in Xpdf in that an attacker could construct a carefully crafted PDF file that would cause Xpdf to consume all available disk space in /tmp when opened. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-2097 to this issue. Several flaws were discovered in Xpdf. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3191, CVE-2005-3192, CVE-2005-3193, CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, CVE-2005-3627 and CVE-2005-3628 to these issues. A heap based buffer overflow bug was discovered in Xpdf. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0301 to this issue. Users of Xpdf should upgrade to this updated package, which contains backported patches to resolve these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175404 6. RPMs required: Red Hat Linux 7.3: SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/xpdf-1.00-7.6.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/xpdf-1.00-7.6.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/xpdf-chinese-simplified-1.00-7.6.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/xpdf-chinese-traditional-1.00-7.6.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/xpdf-japanese-1.00-7.6.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/xpdf-korean-1.00-7.6.legacy.i386.rpm Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/xpdf-2.01-11.4.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/xpdf-2.01-11.4.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/xpdf-chinese-simplified-2.01-11.4.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/xpdf-chinese-traditional-2.01-11.4.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/xpdf-japanese-2.01-11.4.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/xpdf-korean-2.01-11.4.legacy.i386.rpm Fedora Core 1: SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/xpdf-2.03-1.4.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/1/updates/i386/xpdf-2.03-1.4.legacy.i386.rpm Fedora Core 2: SRPM: http://download.fedoralegacy.org/fedora/2/updates/SRPMS/xpdf-3.00-3.8.1.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/2/updates/i386/xpdf-3.00-3.8.1.legacy.i386.rpm Fedora Core 3: SRPM: http://download.fedoralegacy.org/fedora/3/updates/SRPMS/xpdf-3.01-0.FC3.5.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/3/updates/i386/xpdf-3.01-0.FC3.5.legacy.i386.rpm x86_64: http://download.fedoralegacy.org/fedora/3/updates/x86_64/xpdf-3.01-0.FC3.5.legacy.x86_64.rpm 7. Verification: SHA1 sum Package Name --------------------------------------------------------------------- 6096aa2b487e635ae3003cf246ec66d53dc81d41 redhat/7.3/updates/i386/xpdf-1.00-7.6.legacy.i386.rpm e670899dd04a31d466d0ba2cc213763157a3b101 redhat/7.3/updates/i386/xpdf-chinese-simplified-1.00-7.6.legacy.i386.rpm c636a2b79eb22afe35993466675e9fdd086a84f2 redhat/7.3/updates/i386/xpdf-chinese-traditional-1.00-7.6.legacy.i386.rpm 9a2bfe9e373cd20422a862f48d3d6ad787b7f0f1 redhat/7.3/updates/i386/xpdf-japanese-1.00-7.6.legacy.i386.rpm bc47f11dea342606e74aff1a55cf74bd52783b60 redhat/7.3/updates/i386/xpdf-korean-1.00-7.6.legacy.i386.rpm ace7a51b625269d9f5bd3355b07a842f0e1426f4 redhat/7.3/updates/SRPMS/xpdf-1.00-7.6.legacy.src.rpm 4fe0714cdf2194cf0426e15210cbe509d77b2788 redhat/9/updates/i386/xpdf-2.01-11.4.legacy.i386.rpm c54fad904f475d693c781632dbadfae9434e4c87 redhat/9/updates/i386/xpdf-chinese-simplified-2.01-11.4.legacy.i386.rpm 1b6f0cf3f309515fd60b88576a1168f9d9bc7fe0 redhat/9/updates/i386/xpdf-chinese-traditional-2.01-11.4.legacy.i386.rpm accef6df9ed9b1cee0e05fffa7e7dde085ae3f35 redhat/9/updates/i386/xpdf-japanese-2.01-11.4.legacy.i386.rpm 69a7ae59cb1ddb5b422eccdec53711f459939c3f redhat/9/updates/i386/xpdf-korean-2.01-11.4.legacy.i386.rpm 090ddacf36dc0180c16cef8526aedc9bb9c5225c redhat/9/updates/SRPMS/xpdf-2.01-11.4.legacy.src.rpm 0349626a79f659adc0590938b99a6097f6898f10 fedora/1/updates/i386/xpdf-2.03-1.4.legacy.i386.rpm 8612ba60a89cfb0ef195450d1c927487b868deec fedora/1/updates/SRPMS/xpdf-2.03-1.4.legacy.src.rpm f60fc20854386ef91f6769aabd29f3a77e29084d fedora/2/updates/i386/xpdf-3.00-3.8.1.legacy.i386.rpm 64139c039afc0af67eadcc8c87e03aed6c6254d0 fedora/2/updates/SRPMS/xpdf-3.00-3.8.1.legacy.src.rpm 268cba4fb5fd62699595cdeed78375f324c874f6 fedora/3/updates/i386/xpdf-3.01-0.FC3.5.legacy.i386.rpm 021ec4bb4d86192a519261b3073a3d348e4fa14a fedora/3/updates/x86_64/xpdf-3.01-0.FC3.5.legacy.x86_64.rpm 3e139055107af9057062154add60191331765e43 fedora/3/updates/SRPMS/xpdf-3.01-0.FC3.5.legacy.src.rpm These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v <filename> If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum <filename> 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2097 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3191 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3192 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3193 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3624 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3625 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3626 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3627 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3628 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0301 9. Contact: The Fedora Legacy security contact is <secnotice@xxxxxxxxxxxxxxxx>. More project details at http://www.fedoralegacy.org ---------------------------------------------------------------------
Attachment:
signature.asc
Description: OpenPGP digital signature
-- fedora-legacy-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-legacy-list