-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2009:317
http://www.mandriva.com/security/
_______________________________________________________________________

Package : netpbm
Date    : December 5, 2009
Affected: 2008.0
_______________________________________________________________________

Problem Description:

Multiple security vulnerabilities have been identified and fixed
in netpbm:

Multiple integer overflows in JasPer 1.900.1 might allow
context-dependent attackers to have an unknown impact via a crafted
image file, related to integer multiplication for memory allocation
(CVE-2008-3520).

Buffer overflow in the jas_stream_printf function in
libjasper/base/jas_stream.c in JasPer 1.900.1 might allow
context-dependent attackers to have an unknown impact via vectors
related to the mif_hdr_put function and use of vsprintf
(CVE-2008-3522).

pamperspective in Netpbm before 10.35.48 does not properly calculate
a window height, which allows context-dependent attackers to cause a
denial of service (crash) via a crafted image file that triggers an
out-of-bounds read (CVE-2008-4799).

Packages for 2008.0 are being provided due to extended support for
Corporate products.

This update fixes these vulnerabilities.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3520
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4799
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2008.0:
7b0e45d3f024f928bf5efef1523d2bdc  2008.0/i586/libnetpbm10-10.34-8.2mdv2008.0.i586.rpm
1429258b5054e99c9bcf17627ad84ff5  2008.0/i586/libnetpbm-devel-10.34-8.2mdv2008.0.i586.rpm
d8a371066d668d750e0d5013b11a5bc4  2008.0/i586/libnetpbm-static-devel-10.34-8.2mdv2008.0.i586.rpm
a89f33b6a389d50260acd1fa998a5c6f  2008.0/i586/netpbm-10.34-8.2mdv2008.0.i586.rpm
5a12f1cb9aec58e40d4bddaa4f08495a  2008.0/SRPMS/netpbm-10.34-8.2mdv2008.0.src.rpm

Mandriva Linux 2008.0/X86_64:
53601f6261a9135bcd1bc2fd02f1569d  2008.0/x86_64/lib64netpbm10-10.34-8.2mdv2008.0.x86_64.rpm
b8c2205ef64eebf42ae191fcb806523a  2008.0/x86_64/lib64netpbm-devel-10.34-8.2mdv2008.0.x86_64.rpm
db3819cfc6341148161d3ee6c0301067  2008.0/x86_64/lib64netpbm-static-devel-10.34-8.2mdv2008.0.x86_64.rpm
6d85ae6f25d97c8defa9891d63721956  2008.0/x86_64/netpbm-10.34-8.2mdv2008.0.x86_64.rpm
5a12f1cb9aec58e40d4bddaa4f08495a  2008.0/SRPMS/netpbm-10.34-8.2mdv2008.0.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security.
You can obtain the GPG public key of the Mandriva Security Team by
executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLGm0dmqjQ0CJFipgRAoWXAJ9sNYf/5SW2JDn/IkfFr680jvpepQCeO00H
L+FqAtosGOrP8RcK4oi20EU=
=6kqK
-----END PGP SIGNATURE-----
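
The advisory above ties CVE-2008-3520 to integer multiplication for memory allocation and CVE-2008-3522 to use of vsprintf. The C below is an added illustration of the defensive form of each bug class, not code from JasPer, Netpbm or the Mandriva patch; the helper names checked_mul, alloc_samples and bounded_format and the sample values in main are hypothetical and constructed for this example.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper: store a*b in *out, or return -1 if the product
 * would wrap around SIZE_MAX (the bug class behind CVE-2008-3520). */
int checked_mul(size_t a, size_t b, size_t *out)
{
    if (b != 0 && a > SIZE_MAX / b)
        return -1;                      /* *out is left untouched */
    *out = a * b;
    return 0;
}

/* Hypothetical helper: allocate rows*cols*elem bytes for image data,
 * failing cleanly instead of returning an undersized buffer. */
void *alloc_samples(size_t rows, size_t cols, size_t elem)
{
    size_t n;
    if (checked_mul(rows, cols, &n) != 0 || checked_mul(n, elem, &n) != 0)
        return NULL;
    return malloc(n ? n : 1);
}

/* Hypothetical helper: bounded replacement for a vsprintf() call into a
 * fixed buffer. Returns 0 on success, -1 on error or truncation. */
int bounded_format(char *buf, size_t cap, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(buf, cap, fmt, ap);   /* never writes more than cap bytes */
    va_end(ap);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

int main(void)
{
    char line[16];                      /* constructed sample buffer */
    size_t big = SIZE_MAX / 2 + 1;      /* constructed oversized dimension */
    printf("unchecked product wraps to %zu\n", big * 2);
    printf("checked allocation: %s\n",
           alloc_samples(big, 2, 1) ? "allocated" : "refused");
    printf("long header line: %s\n",
           bounded_format(line, sizeof line, "%s", "component 0123456789abcdef")
               ? "rejected" : line);
    return 0;
}
```

Treating truncation as an error, rather than silently continuing with a cut-off string, keeps a malformed header from being written out as if it were valid.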