Skip to navigation

Security Advisory gtk2 security update

Advisory: RHSA-2004:466-12
Type: Security Advisory
Severity: Important
Issued on: 2004-09-15
Last updated on: 2004-09-15
Affected Products: Red Hat Desktop (v. 3)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux WS (v. 3)
CVEs (cve.mitre.org): CVE-2004-0753
CVE-2004-0782
CVE-2004-0783
CVE-2004-0788

Details

Updated gtk2 packages that fix several security flaws and bugs are now
available.

The gtk2 package contains the GIMP ToolKit (GTK+), a library for creating
graphical user interfaces for the X Window System.

During testing of a previously fixed flaw in Qt (CAN-2004-0691), a flaw was
discovered in the BMP image processor of gtk2. An attacker could create a
carefully crafted BMP file which would cause an application to enter an
infinite loop and not respond to user input when the file was opened by a
victim. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0753 to this issue.

During a security audit Chris Evans discovered a stack and a heap overflow
in the XPM image decoder. An attacker could create a carefully crafted XPM
file which could cause an application linked with gtk2 to crash or possibly
execute arbitrary code when the file was opened by a victim.
(CAN-2004-0782, CAN-2004-0783)

Chris Evans also discovered an integer overflow in the ICO image decoder.
An attacker could create a carefully crafted ICO file which could cause an
application linked with gtk2 to crash when the file was opened by a victim.
(CAN-2004-0788)

This updated gtk2 package also fixes a few key combination bugs on various
X servers, such as Hummingbird, ReflectionX, and X-Win32. If a server was
configured to use the Swiss German, Swiss French, or France French keyboard
layouts, Mode_Switched characters were unable to be entered within GTK
based applications.

Users of gtk2 are advised to upgrade to these packages which contain
backported patches and are not vulnerable to these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

Updated packages

Red Hat Desktop (v. 3)

IA-32:
gtk2-2.2.4-8.1.i386.rpm
File outdated by:  RHSA-2005:811
    MD5: 37607c300bef5d9dd9858474031f582c
gtk2-devel-2.2.4-8.1.i386.rpm
File outdated by:  RHSA-2005:811
    MD5: 2d0c1fe11fc0a9a165debb0cbac24b4e
 
x86_64:
gtk2-2.2.4-8.1.i386.rpm
File outdated by:  RHSA-2005:811
    MD5: 37607c300bef5d9dd9858474031f582c
gtk2-2.2.4-8.1.x86_64.rpm
File outdated by:  RHSA-2005:811
    MD5: 7c5c8d7447e340310576c2909985268c
gtk2-devel-2.2.4-8.1.x86_64.rpm
File outdated by:  RHSA-2005:811
    MD5: 8ebd7aea9fe419a1e60c1405fae01f5a
 
Red Hat Enterprise Linux AS (v. 3)

IA-32:
gtk2-2.2.4-8.1.i386.rpm
File outdated by:  RHSA-2005:811
    MD5: 37607c300bef5d9dd9858474031f582c
gtk2-devel-2.2.4-8.1.i386.rpm
File outdated by:  RHSA-2005:811
    MD5: 2d0c1fe11fc0a9a165debb0cbac24b4e
 
IA-64:
gtk2-2.2.4-8.1.ia64.rpm
File outdated by:  RHSA-2005:811
    MD5: b3b57ef2a9b4c577cad9639fd194db14
gtk2-devel-2.2.4-8.1.ia64.rpm
File outdated by:  RHSA-2005:811
    MD5: cf89006e9943f4b23aeb7a410c91c542
 
PPC:
gtk2-2.2.4-8.1.ppc.rpm
File outdated by:  RHSA-2005:811
    MD5: 766df9da1dca48a5f110dc96b9c29015
gtk2-devel-2.2.4-8.1.ppc.rpm
File outdated by:  RHSA-2005:811
    MD5: eadbbab509000019eae608a8748cfbde
 
s390:
gtk2-2.2.4-8.1.s390.rpm
File outdated by:  RHSA-2005:811
    MD5: a3692edac044b25e4c8c2012437888e7
gtk2-devel-2.2.4-8.1.s390.rpm
File outdated by:  RHSA-2005:811
    MD5: f1821966b229cd61264b9af61fafdb88
 
s390x:
gtk2-2.2.4-8.1.s390x.rpm
File outdated by:  RHSA-2005:811
    MD5: e45909f903fc90707ef451051d31853c
gtk2-devel-2.2.4-8.1.s390x.rpm
File outdated by:  RHSA-2005:811
    MD5: 4190a6fdeed17fe104def7551c1ea51e
 
x86_64:
gtk2-2.2.4-8.1.i386.rpm
File outdated by:  RHSA-2005:811
    MD5: 37607c300bef5d9dd9858474031f582c
gtk2-2.2.4-8.1.x86_64.rpm
File outdated by:  RHSA-2005:811
    MD5: 7c5c8d7447e340310576c2909985268c
gtk2-devel-2.2.4-8.1.x86_64.rpm
File outdated by:  RHSA-2005:811
    MD5: 8ebd7aea9fe419a1e60c1405fae01f5a
 
Red Hat Enterprise Linux ES (v. 3)

IA-32:
gtk2-2.2.4-8.1.i386.rpm
File outdated by:  RHSA-2005:811
    MD5: 37607c300bef5d9dd9858474031f582c
gtk2-devel-2.2.4-8.1.i386.rpm
File outdated by:  RHSA-2005:811
    MD5: 2d0c1fe11fc0a9a165debb0cbac24b4e
 
IA-64:
gtk2-2.2.4-8.1.ia64.rpm
File outdated by:  RHSA-2005:811
    MD5: b3b57ef2a9b4c577cad9639fd194db14
gtk2-devel-2.2.4-8.1.ia64.rpm
File outdated by:  RHSA-2005:811
    MD5: cf89006e9943f4b23aeb7a410c91c542
 
x86_64:
gtk2-2.2.4-8.1.i386.rpm
File outdated by:  RHSA-2005:811
    MD5: 37607c300bef5d9dd9858474031f582c
gtk2-2.2.4-8.1.x86_64.rpm
File outdated by:  RHSA-2005:811
    MD5: 7c5c8d7447e340310576c2909985268c
gtk2-devel-2.2.4-8.1.x86_64.rpm
File outdated by:  RHSA-2005:811
    MD5: 8ebd7aea9fe419a1e60c1405fae01f5a
 
Red Hat Enterprise Linux WS (v. 3)

IA-32:
gtk2-2.2.4-8.1.i386.rpm
File outdated by:  RHSA-2005:811
    MD5: 37607c300bef5d9dd9858474031f582c
gtk2-devel-2.2.4-8.1.i386.rpm
File outdated by:  RHSA-2005:811
    MD5: 2d0c1fe11fc0a9a165debb0cbac24b4e
 
IA-64:
gtk2-2.2.4-8.1.ia64.rpm
File outdated by:  RHSA-2005:811
    MD5: b3b57ef2a9b4c577cad9639fd194db14
gtk2-devel-2.2.4-8.1.ia64.rpm
File outdated by:  RHSA-2005:811
    MD5: cf89006e9943f4b23aeb7a410c91c542
 
x86_64:
gtk2-2.2.4-8.1.i386.rpm
File outdated by:  RHSA-2005:811
    MD5: 37607c300bef5d9dd9858474031f582c
gtk2-2.2.4-8.1.x86_64.rpm
File outdated by:  RHSA-2005:811
    MD5: 7c5c8d7447e340310576c2909985268c
gtk2-devel-2.2.4-8.1.x86_64.rpm
File outdated by:  RHSA-2005:811
    MD5: 8ebd7aea9fe419a1e60c1405fae01f5a
 

Bugs fixed (see bugzilla for more information)

130450 - CAN-2004-0753 bmp image loader DOS


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/