Security Advisory Low: w3c-libwww security and bug fix update

Advisory: RHSA-2007:0208-7
Type: Security Advisory
Severity: Low
Issued on: 2007-05-01
Last updated on: 2007-05-01
Affected Products: Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 4)
OVAL: com.redhat.rhsa-20070208.xml
CVEs (cve.mitre.org): CVE-2005-3183

Details

Updated w3c-libwww packages that fix a security issue and a bug are now
available.

This update has been rated as having low security impact by the Red Hat
Security Response Team.

w3c-libwww is a general-purpose web library.

Several buffer overflow flaws in w3c-libwww were found. If a client
application that uses w3c-libwww connected to a malicious HTTP server, it
could trigger an out of bounds memory access, causing the client
application to crash (CVE-2005-3183).

This updated version of w3c-libwww also fixes an issue when computing MD5
sums on a 64 bit machine.

Users of w3c-libwww should upgrade to these updated packages, which contain
backported patches to correct these issues.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Desktop (v. 4)
SRPMS:
w3c-libwww-5.4.0-10.1.RHEL4.2.src.rpm     f5c93edc9bd1a7543d617a412a391ca2
 
IA-32:
w3c-libwww-5.4.0-10.1.RHEL4.2.i386.rpm     449772ace23168b1490fbd57ba093861
w3c-libwww-apps-5.4.0-10.1.RHEL4.2.i386.rpm     e992c6ad896a93590ae4ab02b861bf72
w3c-libwww-devel-5.4.0-10.1.RHEL4.2.i386.rpm     86ec9f9c056f6cc6405b1fa7dfa62d47
 
x86_64:
w3c-libwww-5.4.0-10.1.RHEL4.2.i386.rpm     449772ace23168b1490fbd57ba093861
w3c-libwww-5.4.0-10.1.RHEL4.2.x86_64.rpm     313ef638f3107724fb43814ab7bca32c
w3c-libwww-apps-5.4.0-10.1.RHEL4.2.x86_64.rpm     74e2e34acb1fdd4d0b2fda8b45db506c
w3c-libwww-devel-5.4.0-10.1.RHEL4.2.x86_64.rpm     eebdfad543cc4ee56a15a6f928c833f6
 
Red Hat Enterprise Linux AS (v. 4)
SRPMS:
w3c-libwww-5.4.0-10.1.RHEL4.2.src.rpm     f5c93edc9bd1a7543d617a412a391ca2
 
IA-32:
w3c-libwww-5.4.0-10.1.RHEL4.2.i386.rpm     449772ace23168b1490fbd57ba093861
w3c-libwww-apps-5.4.0-10.1.RHEL4.2.i386.rpm     e992c6ad896a93590ae4ab02b861bf72
w3c-libwww-devel-5.4.0-10.1.RHEL4.2.i386.rpm     86ec9f9c056f6cc6405b1fa7dfa62d47
 
IA-64:
w3c-libwww-5.4.0-10.1.RHEL4.2.i386.rpm     449772ace23168b1490fbd57ba093861
w3c-libwww-5.4.0-10.1.RHEL4.2.ia64.rpm     363e79315dbac0a85f48848cc6d7d582
w3c-libwww-apps-5.4.0-10.1.RHEL4.2.ia64.rpm     55c54d4dbc71f571d9445d1ef787fed8
w3c-libwww-devel-5.4.0-10.1.RHEL4.2.ia64.rpm     8f70d61a913814b945ee01cd9b1aef97
 
PPC:
w3c-libwww-5.4.0-10.1.RHEL4.2.ppc.rpm     e20415ead6919058b5e0792e7f038201
w3c-libwww-5.4.0-10.1.RHEL4.2.ppc64.rpm     54e29e788248fba9c1a1b1a21468de37
w3c-libwww-apps-5.4.0-10.1.RHEL4.2.ppc.rpm     6718eb3dc7804724e7d2c48f1f29b66b
w3c-libwww-devel-5.4.0-10.1.RHEL4.2.ppc.rpm     b4babec6d53b2d34db31be94e0dbfb26
 
s390:
w3c-libwww-5.4.0-10.1.RHEL4.2.s390.rpm     ba843212e12261ad439c9703a33f3ed6
w3c-libwww-apps-5.4.0-10.1.RHEL4.2.s390.rpm     5e6d19c48b5a5ffae7048ccab6d68d06
w3c-libwww-devel-5.4.0-10.1.RHEL4.2.s390.rpm     2a2f963f31a9920b4577e4ce7ab39e3c
 
s390x:
w3c-libwww-5.4.0-10.1.RHEL4.2.s390.rpm     ba843212e12261ad439c9703a33f3ed6
w3c-libwww-5.4.0-10.1.RHEL4.2.s390x.rpm     ebd676d4cbc19756aabf06ba6537262c
w3c-libwww-apps-5.4.0-10.1.RHEL4.2.s390x.rpm     dc750df9eb1e58bb0887e4969e3d7a8d
w3c-libwww-devel-5.4.0-10.1.RHEL4.2.s390x.rpm     68054495a7e29a855f85b83bac370e57
 
x86_64:
w3c-libwww-5.4.0-10.1.RHEL4.2.i386.rpm     449772ace23168b1490fbd57ba093861
w3c-libwww-5.4.0-10.1.RHEL4.2.x86_64.rpm     313ef638f3107724fb43814ab7bca32c
w3c-libwww-apps-5.4.0-10.1.RHEL4.2.x86_64.rpm     74e2e34acb1fdd4d0b2fda8b45db506c
w3c-libwww-devel-5.4.0-10.1.RHEL4.2.x86_64.rpm     eebdfad543cc4ee56a15a6f928c833f6
 
Red Hat Enterprise Linux ES (v. 4)
SRPMS:
w3c-libwww-5.4.0-10.1.RHEL4.2.src.rpm     f5c93edc9bd1a7543d617a412a391ca2
 
IA-32:
w3c-libwww-5.4.0-10.1.RHEL4.2.i386.rpm     449772ace23168b1490fbd57ba093861
w3c-libwww-apps-5.4.0-10.1.RHEL4.2.i386.rpm     e992c6ad896a93590ae4ab02b861bf72
w3c-libwww-devel-5.4.0-10.1.RHEL4.2.i386.rpm     86ec9f9c056f6cc6405b1fa7dfa62d47
 
IA-64:
w3c-libwww-5.4.0-10.1.RHEL4.2.i386.rpm     449772ace23168b1490fbd57ba093861
w3c-libwww-5.4.0-10.1.RHEL4.2.ia64.rpm     363e79315dbac0a85f48848cc6d7d582
w3c-libwww-apps-5.4.0-10.1.RHEL4.2.ia64.rpm     55c54d4dbc71f571d9445d1ef787fed8
w3c-libwww-devel-5.4.0-10.1.RHEL4.2.ia64.rpm     8f70d61a913814b945ee01cd9b1aef97
 
x86_64:
w3c-libwww-5.4.0-10.1.RHEL4.2.i386.rpm     449772ace23168b1490fbd57ba093861
w3c-libwww-5.4.0-10.1.RHEL4.2.x86_64.rpm     313ef638f3107724fb43814ab7bca32c
w3c-libwww-apps-5.4.0-10.1.RHEL4.2.x86_64.rpm     74e2e34acb1fdd4d0b2fda8b45db506c
w3c-libwww-devel-5.4.0-10.1.RHEL4.2.x86_64.rpm     eebdfad543cc4ee56a15a6f928c833f6
 
Red Hat Enterprise Linux WS (v. 4)
SRPMS:
w3c-libwww-5.4.0-10.1.RHEL4.2.src.rpm     f5c93edc9bd1a7543d617a412a391ca2
 
IA-32:
w3c-libwww-5.4.0-10.1.RHEL4.2.i386.rpm     449772ace23168b1490fbd57ba093861
w3c-libwww-apps-5.4.0-10.1.RHEL4.2.i386.rpm     e992c6ad896a93590ae4ab02b861bf72
w3c-libwww-devel-5.4.0-10.1.RHEL4.2.i386.rpm     86ec9f9c056f6cc6405b1fa7dfa62d47
 
IA-64:
w3c-libwww-5.4.0-10.1.RHEL4.2.i386.rpm     449772ace23168b1490fbd57ba093861
w3c-libwww-5.4.0-10.1.RHEL4.2.ia64.rpm     363e79315dbac0a85f48848cc6d7d582
w3c-libwww-apps-5.4.0-10.1.RHEL4.2.ia64.rpm     55c54d4dbc71f571d9445d1ef787fed8
w3c-libwww-devel-5.4.0-10.1.RHEL4.2.ia64.rpm     8f70d61a913814b945ee01cd9b1aef97
 
x86_64:
w3c-libwww-5.4.0-10.1.RHEL4.2.i386.rpm     449772ace23168b1490fbd57ba093861
w3c-libwww-5.4.0-10.1.RHEL4.2.x86_64.rpm     313ef638f3107724fb43814ab7bca32c
w3c-libwww-apps-5.4.0-10.1.RHEL4.2.x86_64.rpm     74e2e34acb1fdd4d0b2fda8b45db506c
w3c-libwww-devel-5.4.0-10.1.RHEL4.2.x86_64.rpm     eebdfad543cc4ee56a15a6f928c833f6
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

163664 - /usr/lib64/libmd5.so is broken.
169495 - CVE-2005-3183 Multiple bugs in libwww - one exploitable - in Library/src/HTBound.c


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3183
http://www.redhat.com/security/updates/classification/#low

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/