Security Advisory New imlib packages available

Advisory: RHSA-2002:048-14
Type: Security Advisory
Severity: N/A
Issued on: 2002-03-15
Last updated on: 2002-05-16
Affected Products: Red Hat Linux 6.2
Red Hat Linux 7.0
Red Hat Linux 7.1
Red Hat Linux 7.2
OVAL: N/A
CVEs (cve.mitre.org): CVE-2002-0167
CVE-2002-0168

Details

Updated imlib packages are now available for Red Hat Linux 6.2, 7,
7.1 and 7.2 which fix potential problems loading untrusted images.

Imlib versions prior to 1.9.13 would fall back to loading images
via the NetPBM package, which has various problems making it
unsuitable for loading untrusted images. Imlib 1.9.13 also fixes
various problems in arguments passed to malloc().

These problems may allow attackers to construct images that,
when loaded by a viewer using Imlib, could cause crashes
or potentially the execution of arbitrary code.

Users are advised to upgrade to these errata packages, which
contain Imlib 1.9.13.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CAN-2002-0167, CAN-2002-0168 to these issues.

[update May 16 2002]
The previous release of this errata fixed the aforementioned security
problems but had a file descriptor leak and a bug which would cause some
applications (such as the Enlightenment window manager) to hang. These
updated packages fix these issues.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Linux 6.2
SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/imlib-1.9.13-3.6.x.src.rpm
Missing file		     cef433f2ca3991ed5d1fcdb438875c87
 
Alpha:
ftp://updates.redhat.com/6.2/en/os/alpha/imlib-1.9.13-3.6.x.alpha.rpm
Missing file		     6c81098c2bd8aecee5925b5c9563059e
ftp://updates.redhat.com/6.2/en/os/alpha/imlib-cfgeditor-1.9.13-3.6.x.alpha.rpm
Missing file		     ef708eefba53428a89b098918fc1f5c9
ftp://updates.redhat.com/6.2/en/os/alpha/imlib-devel-1.9.13-3.6.x.alpha.rpm
Missing file		     8bd564b9ca3cb563cb91b215d06245e2
 
IA-32:
ftp://updates.redhat.com/6.2/en/os/i386/imlib-1.9.13-3.6.x.i386.rpm
Missing file		     00d2f77314756d322c38e41256d8f75a
ftp://updates.redhat.com/6.2/en/os/i386/imlib-cfgeditor-1.9.13-3.6.x.i386.rpm
Missing file		     56dc49765986868bedb48c63e03115bf
ftp://updates.redhat.com/6.2/en/os/i386/imlib-devel-1.9.13-3.6.x.i386.rpm
Missing file		     502d88a9108b35b7ab5a5192695804cf
 
Sparc:
ftp://updates.redhat.com/6.2/en/os/sparc/imlib-1.9.13-3.6.x.sparc.rpm
Missing file		     5c0c100d96f3bf90c83e76c21e56578c
ftp://updates.redhat.com/6.2/en/os/sparc/imlib-cfgeditor-1.9.13-3.6.x.sparc.rpm
Missing file		     3dfe831694c5f86b811215415b4b4323
ftp://updates.redhat.com/6.2/en/os/sparc/imlib-devel-1.9.13-3.6.x.sparc.rpm
Missing file		     6ac62d5fcfe5e0113b91926f6234752f
 
Red Hat Linux 7.0
SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/imlib-1.9.13-3.7.x.src.rpm
Missing file		     9a9530aaa5147d4575a9e0dd44e06562
 
Alpha:
ftp://updates.redhat.com/7.0/en/os/alpha/imlib-1.9.13-3.7.x.alpha.rpm
Missing file		     1e998967df3844a776ee3c807d1f1470
ftp://updates.redhat.com/7.0/en/os/alpha/imlib-cfgeditor-1.9.13-3.7.x.alpha.rpm
Missing file		     1c601a7c31b843a13fc0e62fa5a5b7c7
ftp://updates.redhat.com/7.0/en/os/alpha/imlib-devel-1.9.13-3.7.x.alpha.rpm
Missing file		     ce5c342b5b634ab9396ad4cda5a6cbc5
 
IA-32:
ftp://updates.redhat.com/7.0/en/os/i386/imlib-1.9.13-3.7.x.i386.rpm
Missing file		     e9061205148e88c2c538063b2b37ecb5
ftp://updates.redhat.com/7.0/en/os/i386/imlib-cfgeditor-1.9.13-3.7.x.i386.rpm
Missing file		     0479502bf31bbc04591615665a1f5dc9
ftp://updates.redhat.com/7.0/en/os/i386/imlib-devel-1.9.13-3.7.x.i386.rpm
Missing file		     bf3443746edff3b908233f832484f71d
 
Red Hat Linux 7.1
SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/imlib-1.9.13-3.7.x.src.rpm
Missing file		     9a9530aaa5147d4575a9e0dd44e06562
 
Alpha:
ftp://updates.redhat.com/7.1/en/os/alpha/imlib-1.9.13-3.7.x.alpha.rpm
Missing file		     1e998967df3844a776ee3c807d1f1470
ftp://updates.redhat.com/7.1/en/os/alpha/imlib-cfgeditor-1.9.13-3.7.x.alpha.rpm
Missing file		     1c601a7c31b843a13fc0e62fa5a5b7c7
ftp://updates.redhat.com/7.1/en/os/alpha/imlib-devel-1.9.13-3.7.x.alpha.rpm
Missing file		     ce5c342b5b634ab9396ad4cda5a6cbc5
 
IA-32:
ftp://updates.redhat.com/7.1/en/os/i386/imlib-1.9.13-3.7.x.i386.rpm
Missing file		     e9061205148e88c2c538063b2b37ecb5
ftp://updates.redhat.com/7.1/en/os/i386/imlib-cfgeditor-1.9.13-3.7.x.i386.rpm
Missing file		     0479502bf31bbc04591615665a1f5dc9
ftp://updates.redhat.com/7.1/en/os/i386/imlib-devel-1.9.13-3.7.x.i386.rpm
Missing file		     bf3443746edff3b908233f832484f71d
 
IA-64:
ftp://updates.redhat.com/7.1/en/os/ia64/imlib-1.9.13-3.7.x.ia64.rpm
Missing file		     d96b563627807679e21fb1c258d73c49
ftp://updates.redhat.com/7.1/en/os/ia64/imlib-cfgeditor-1.9.13-3.7.x.ia64.rpm
Missing file		     f3878855b0407210ab275aeda1190b3f
ftp://updates.redhat.com/7.1/en/os/ia64/imlib-devel-1.9.13-3.7.x.ia64.rpm
Missing file		     a2cce110cf38d3385cad931cd727a34e
 
Red Hat Linux 7.2
SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/imlib-1.9.13-3.7.x.src.rpm
Missing file		     9a9530aaa5147d4575a9e0dd44e06562
 
IA-32:
ftp://updates.redhat.com/7.2/en/os/i386/imlib-1.9.13-3.7.x.i386.rpm
Missing file		     e9061205148e88c2c538063b2b37ecb5
ftp://updates.redhat.com/7.2/en/os/i386/imlib-cfgeditor-1.9.13-3.7.x.i386.rpm
Missing file		     0479502bf31bbc04591615665a1f5dc9
ftp://updates.redhat.com/7.2/en/os/i386/imlib-devel-1.9.13-3.7.x.i386.rpm
Missing file		     bf3443746edff3b908233f832484f71d
 
IA-64:
ftp://updates.redhat.com/7.2/en/os/ia64/imlib-1.9.13-3.7.x.ia64.rpm
Missing file		     d96b563627807679e21fb1c258d73c49
ftp://updates.redhat.com/7.2/en/os/ia64/imlib-cfgeditor-1.9.13-3.7.x.ia64.rpm
Missing file		     f3878855b0407210ab275aeda1190b3f
ftp://updates.redhat.com/7.2/en/os/ia64/imlib-devel-1.9.13-3.7.x.ia64.rpm
Missing file		     a2cce110cf38d3385cad931cd727a34e
 

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0167
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0168
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0167
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0168

Keywords

image, imlib, netpbm, untrusted

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/