kdegraphics security update

Advisory:	RHSA-2005:021-09
Type:	Security Advisory
Severity:	Moderate
Issued on:	2005-04-12
Last updated on:	2005-04-12
Affected Products:	Red Hat Desktop (v. 3) Red Hat Enterprise Linux AS (v. 2.1) Red Hat Enterprise Linux AS (v. 3) Red Hat Enterprise Linux ES (v. 2.1) Red Hat Enterprise Linux ES (v. 3) Red Hat Enterprise Linux WS (v. 2.1) Red Hat Enterprise Linux WS (v. 3) Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
CVEs (cve.mitre.org):	CVE-2004-0803 CVE-2004-0804 CVE-2004-0886 CVE-2004-1307 CVE-2004-1308

Details

Updated kdegraphics packages that resolve multiple security issues in kfax
are now available.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team

The kdegraphics package contains graphics applications for the K Desktop
Environment.

During a source code audit, Chris Evans discovered a number of integer
overflow bugs that affect libtiff. The kfax application contains a copy of
the libtiff code used for parsing TIFF files and is therefore affected by
these bugs. An attacker who has the ability to trick a user into opening a
malicious TIFF file could cause kfax to crash or possibly execute arbitrary
code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CAN-2004-0886 and CAN-2004-0804 to these issues.

Additionally, a number of buffer overflow bugs that affect libtiff have
been found. The kfax application contains a copy of the libtiff code used
for parsing TIFF files and is therefore affected by these bugs. An attacker
who has the ability to trick a user into opening a malicious TIFF file
could cause kfax to crash or possibly execute arbitrary code. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0803 to this issue.

Users of kfax should upgrade to these updated packages, which contain
backported patches and are not vulnerable to this issue.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

Updated packages

Red Hat Desktop (v. 3)

SRPMS:
kdegraphics-3.1.3-3.7.src.rpm File outdated by: RHBA-2007:0453	`MD5: 098d4365a90e1ecd3fa326b4eaeafdf9`

IA-32:
kdegraphics-3.1.3-3.7.i386.rpm File outdated by: RHBA-2007:0453	`MD5: a768939d2774477968e5bc9016455788`
kdegraphics-devel-3.1.3-3.7.i386.rpm File outdated by: RHBA-2007:0453	`MD5: 2e4a2609ea06483c8636f375a2d93de3`

x86_64:
kdegraphics-3.1.3-3.7.x86_64.rpm File outdated by: RHBA-2007:0453	`MD5: 4a9b219edbf5739ccdd46b78070098cc`
kdegraphics-devel-3.1.3-3.7.x86_64.rpm File outdated by: RHBA-2007:0453	`MD5: 93f19316014856fc2fddf27c245363ec`

Red Hat Enterprise Linux AS (v. 2.1)

IA-32:
kdegraphics-2.2.2-4.3.i386.rpm File outdated by: RHSA-2006:0648	`MD5: 7981553ce8dc8008f4082ec508d9c81b`
kdegraphics-devel-2.2.2-4.3.i386.rpm File outdated by: RHSA-2006:0648	`MD5: ca21293d2cc1c94fed9cd80a657ccfcf`

IA-64:
kdegraphics-2.2.2-4.3.ia64.rpm File outdated by: RHSA-2006:0648	`MD5: 3e5155a70b34ac63d2e8f78c36227c03`
kdegraphics-devel-2.2.2-4.3.ia64.rpm File outdated by: RHSA-2006:0648	`MD5: 9048cccb8784a8fb03fea0be1c378c68`

Red Hat Enterprise Linux AS (v. 3)

SRPMS:
kdegraphics-3.1.3-3.7.src.rpm File outdated by: RHBA-2007:0453	`MD5: 098d4365a90e1ecd3fa326b4eaeafdf9`

IA-32:
kdegraphics-3.1.3-3.7.i386.rpm File outdated by: RHBA-2007:0453	`MD5: a768939d2774477968e5bc9016455788`
kdegraphics-devel-3.1.3-3.7.i386.rpm File outdated by: RHBA-2007:0453	`MD5: 2e4a2609ea06483c8636f375a2d93de3`

IA-64:
kdegraphics-3.1.3-3.7.ia64.rpm File outdated by: RHBA-2007:0453	`MD5: 34eae83f27922303b9c286a21f881c75`
kdegraphics-devel-3.1.3-3.7.ia64.rpm File outdated by: RHBA-2007:0453	`MD5: 37895d0ebd1a73d2b98fe400cf1af084`

PPC:
kdegraphics-3.1.3-3.7.ppc.rpm File outdated by: RHBA-2007:0453	`MD5: 175a1cbb8a9301399e8b8392429f16b1`
kdegraphics-devel-3.1.3-3.7.ppc.rpm File outdated by: RHBA-2007:0453	`MD5: a5a416457f1b3f528853f1912aab9d5c`

s390:
kdegraphics-3.1.3-3.7.s390.rpm File outdated by: RHBA-2007:0453	`MD5: 5901640cbf50090ee322bd9344118178`
kdegraphics-devel-3.1.3-3.7.s390.rpm File outdated by: RHBA-2007:0453	`MD5: 04c4183f594689db2f249b4a15334e36`

s390x:
kdegraphics-3.1.3-3.7.s390x.rpm File outdated by: RHBA-2007:0453	`MD5: af23175c04e0f09065f40a868a1ba64a`
kdegraphics-devel-3.1.3-3.7.s390x.rpm File outdated by: RHBA-2007:0453	`MD5: 2fe972d585215ebc13ac99d5c12941d4`

x86_64:
kdegraphics-3.1.3-3.7.x86_64.rpm File outdated by: RHBA-2007:0453	`MD5: 4a9b219edbf5739ccdd46b78070098cc`
kdegraphics-devel-3.1.3-3.7.x86_64.rpm File outdated by: RHBA-2007:0453	`MD5: 93f19316014856fc2fddf27c245363ec`

Red Hat Enterprise Linux ES (v. 2.1)

IA-32:
kdegraphics-2.2.2-4.3.i386.rpm File outdated by: RHSA-2006:0648	`MD5: 7981553ce8dc8008f4082ec508d9c81b`
kdegraphics-devel-2.2.2-4.3.i386.rpm File outdated by: RHSA-2006:0648	`MD5: ca21293d2cc1c94fed9cd80a657ccfcf`

Red Hat Enterprise Linux ES (v. 3)

SRPMS:
kdegraphics-3.1.3-3.7.src.rpm File outdated by: RHBA-2007:0453	`MD5: 098d4365a90e1ecd3fa326b4eaeafdf9`

IA-32:
kdegraphics-3.1.3-3.7.i386.rpm File outdated by: RHBA-2007:0453	`MD5: a768939d2774477968e5bc9016455788`
kdegraphics-devel-3.1.3-3.7.i386.rpm File outdated by: RHBA-2007:0453	`MD5: 2e4a2609ea06483c8636f375a2d93de3`

IA-64:
kdegraphics-3.1.3-3.7.ia64.rpm File outdated by: RHBA-2007:0453	`MD5: 34eae83f27922303b9c286a21f881c75`
kdegraphics-devel-3.1.3-3.7.ia64.rpm File outdated by: RHBA-2007:0453	`MD5: 37895d0ebd1a73d2b98fe400cf1af084`

x86_64:
kdegraphics-3.1.3-3.7.x86_64.rpm File outdated by: RHBA-2007:0453	`MD5: 4a9b219edbf5739ccdd46b78070098cc`
kdegraphics-devel-3.1.3-3.7.x86_64.rpm File outdated by: RHBA-2007:0453	`MD5: 93f19316014856fc2fddf27c245363ec`

Red Hat Enterprise Linux WS (v. 2.1)

IA-32:
kdegraphics-2.2.2-4.3.i386.rpm File outdated by: RHSA-2006:0648	`MD5: 7981553ce8dc8008f4082ec508d9c81b`
kdegraphics-devel-2.2.2-4.3.i386.rpm File outdated by: RHSA-2006:0648	`MD5: ca21293d2cc1c94fed9cd80a657ccfcf`

Red Hat Enterprise Linux WS (v. 3)

SRPMS:
kdegraphics-3.1.3-3.7.src.rpm File outdated by: RHBA-2007:0453	`MD5: 098d4365a90e1ecd3fa326b4eaeafdf9`

IA-32:
kdegraphics-3.1.3-3.7.i386.rpm File outdated by: RHBA-2007:0453	`MD5: a768939d2774477968e5bc9016455788`
kdegraphics-devel-3.1.3-3.7.i386.rpm File outdated by: RHBA-2007:0453	`MD5: 2e4a2609ea06483c8636f375a2d93de3`

IA-64:
kdegraphics-3.1.3-3.7.ia64.rpm File outdated by: RHBA-2007:0453	`MD5: 34eae83f27922303b9c286a21f881c75`
kdegraphics-devel-3.1.3-3.7.ia64.rpm File outdated by: RHBA-2007:0453	`MD5: 37895d0ebd1a73d2b98fe400cf1af084`

x86_64:
kdegraphics-3.1.3-3.7.x86_64.rpm File outdated by: RHBA-2007:0453	`MD5: 4a9b219edbf5739ccdd46b78070098cc`
kdegraphics-devel-3.1.3-3.7.x86_64.rpm File outdated by: RHBA-2007:0453	`MD5: 93f19316014856fc2fddf27c245363ec`

Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor

IA-64:
kdegraphics-2.2.2-4.3.ia64.rpm File outdated by: RHSA-2006:0648	`MD5: 3e5155a70b34ac63d2e8f78c36227c03`
kdegraphics-devel-2.2.2-4.3.ia64.rpm File outdated by: RHSA-2006:0648	`MD5: 9048cccb8784a8fb03fea0be1c378c68`

Bugs fixed (see bugzilla for more information)

135466 - CAN-2004-0803 buffer overflows in libtiff
135470 - CAN-2004-0886 multiple integer overflows in libtiff

References

https://www.redhat.com/security/data/cve/CVE-2004-0803.html
https://www.redhat.com/security/data/cve/CVE-2004-0804.html
https://www.redhat.com/security/data/cve/CVE-2004-0886.html
https://www.redhat.com/security/data/cve/CVE-2004-1307.html
https://www.redhat.com/security/data/cve/CVE-2004-1308.html

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package