---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated gtk2 packages fix security flaws and bugs
Advisory ID:       RHSA-2004:466-01
Issue date:        2004-09-15
Updated on:        2004-09-15
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2004-0753 CAN-2004-0782 CAN-2004-0783 CAN-2004-0788
---------------------------------------------------------------------

1. Summary:

Updated gtk2 packages that fix several security flaws and bugs are now
available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

The gtk2 package contains the GIMP ToolKit (GTK+), a library for creating
graphical user interfaces for the X Window System.

During testing of a previously fixed flaw in Qt (CAN-2004-0691), a flaw was
discovered in the BMP image processor of gtk2.  An attacker could create a
carefully crafted BMP file which would cause an application to enter an
infinite loop and not respond to user input when the file was opened by a
victim.  The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0753 to this issue.

During a security audit Chris Evans discovered a stack and a heap overflow
in the XPM image decoder.  An attacker could create a carefully crafted XPM
file which could cause an application linked with gtk2 to crash or possibly
execute arbitrary code when the file was opened by a victim.
(CAN-2004-0782, CAN-2004-0783)

Chris Evans also discovered an integer overflow in the ICO image decoder.
An attacker could create a carefully crafted ICO file which could cause an
application linked with gtk2 to crash when the file was opened by a victim.
(CAN-2004-0788)

This updated gtk2 package also fixes a few key combination bugs on various
X servers, such as Hummingbird, ReflectionX, and X-Win32. If a server was
configured to use the Swiss German, Swiss French, or France French keyboard
layouts, Mode_Switched characters were unable to be entered within GTK
based applications.

Users of gtk2 are advised to upgrade to these packages which contain
backported patches and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.  Use Red Hat
Network to download and update your packages.  To launch the Red Hat
Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

     http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed  (http://bugzilla.redhat.com/ for more info):

130450 - CAN-2004-0753 bmp image loader DOS

6. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS: 

6ac62a2aeab6c7a99ff4b3a657530f89  gtk2-2.2.4-8.1.src.rpm

i386:
37607c300bef5d9dd9858474031f582c  gtk2-2.2.4-8.1.i386.rpm
2d0c1fe11fc0a9a165debb0cbac24b4e  gtk2-devel-2.2.4-8.1.i386.rpm

ia64:
b3b57ef2a9b4c577cad9639fd194db14  gtk2-2.2.4-8.1.ia64.rpm
cf89006e9943f4b23aeb7a410c91c542  gtk2-devel-2.2.4-8.1.ia64.rpm

ppc:
766df9da1dca48a5f110dc96b9c29015  gtk2-2.2.4-8.1.ppc.rpm
eadbbab509000019eae608a8748cfbde  gtk2-devel-2.2.4-8.1.ppc.rpm

s390:
a3692edac044b25e4c8c2012437888e7  gtk2-2.2.4-8.1.s390.rpm
f1821966b229cd61264b9af61fafdb88  gtk2-devel-2.2.4-8.1.s390.rpm

s390x:
e45909f903fc90707ef451051d31853c  gtk2-2.2.4-8.1.s390x.rpm
4190a6fdeed17fe104def7551c1ea51e  gtk2-devel-2.2.4-8.1.s390x.rpm

x86_64:
7c5c8d7447e340310576c2909985268c  gtk2-2.2.4-8.1.x86_64.rpm
37607c300bef5d9dd9858474031f582c  gtk2-2.2.4-8.1.i386.rpm
8ebd7aea9fe419a1e60c1405fae01f5a  gtk2-devel-2.2.4-8.1.x86_64.rpm

Red Hat Desktop version 3:

SRPMS: 

6ac62a2aeab6c7a99ff4b3a657530f89  gtk2-2.2.4-8.1.src.rpm

i386:
37607c300bef5d9dd9858474031f582c  gtk2-2.2.4-8.1.i386.rpm
2d0c1fe11fc0a9a165debb0cbac24b4e  gtk2-devel-2.2.4-8.1.i386.rpm

x86_64:
7c5c8d7447e340310576c2909985268c  gtk2-2.2.4-8.1.x86_64.rpm
37607c300bef5d9dd9858474031f582c  gtk2-2.2.4-8.1.i386.rpm
8ebd7aea9fe419a1e60c1405fae01f5a  gtk2-devel-2.2.4-8.1.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS: 

6ac62a2aeab6c7a99ff4b3a657530f89  gtk2-2.2.4-8.1.src.rpm

i386:
37607c300bef5d9dd9858474031f582c  gtk2-2.2.4-8.1.i386.rpm
2d0c1fe11fc0a9a165debb0cbac24b4e  gtk2-devel-2.2.4-8.1.i386.rpm

ia64:
b3b57ef2a9b4c577cad9639fd194db14  gtk2-2.2.4-8.1.ia64.rpm
cf89006e9943f4b23aeb7a410c91c542  gtk2-devel-2.2.4-8.1.ia64.rpm

x86_64:
7c5c8d7447e340310576c2909985268c  gtk2-2.2.4-8.1.x86_64.rpm
37607c300bef5d9dd9858474031f582c  gtk2-2.2.4-8.1.i386.rpm
8ebd7aea9fe419a1e60c1405fae01f5a  gtk2-devel-2.2.4-8.1.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS: 

6ac62a2aeab6c7a99ff4b3a657530f89  gtk2-2.2.4-8.1.src.rpm

i386:
37607c300bef5d9dd9858474031f582c  gtk2-2.2.4-8.1.i386.rpm
2d0c1fe11fc0a9a165debb0cbac24b4e  gtk2-devel-2.2.4-8.1.i386.rpm

ia64:
b3b57ef2a9b4c577cad9639fd194db14  gtk2-2.2.4-8.1.ia64.rpm
cf89006e9943f4b23aeb7a410c91c542  gtk2-devel-2.2.4-8.1.ia64.rpm

x86_64:
7c5c8d7447e340310576c2909985268c  gtk2-2.2.4-8.1.x86_64.rpm
37607c300bef5d9dd9858474031f582c  gtk2-2.2.4-8.1.i386.rpm
8ebd7aea9fe419a1e60c1405fae01f5a  gtk2-devel-2.2.4-8.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
 

7. References:
 
Bug 150601 – Bad BMP files can cause gdk-pixbuf loader to sit in an infinite loop 
Bug 144808 – AltGr combinations don't work with some X servers 
CVE -CVE-2004-0753 
CVE -CVE-2004-0782 
CVE -CVE-2004-0783 
CVE -CVE-2004-0788

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at  

Copyright 2004 Red Hat, Inc.

Red Hat: gtk2 security flaws and bugs

Updated gtk2 packages that fix several security flaws and bugs are nowavailable.

Summary



Summary

The gtk2 package contains the GIMP ToolKit (GTK+), a library for creatinggraphical user interfaces for the X Window System.During testing of a previously fixed flaw in Qt (CAN-2004-0691), a flaw wasdiscovered in the BMP image processor of gtk2. An attacker could create acarefully crafted BMP file which would cause an application to enter aninfinite loop and not respond to user input when the file was opened by avictim. The Common Vulnerabilities and Exposures project (cve.mitre.org)has assigned the name CAN-2004-0753 to this issue.During a security audit Chris Evans discovered a stack and a heap overflowin the XPM image decoder. An attacker could create a carefully crafted XPMfile which could cause an application linked with gtk2 to crash or possiblyexecute arbitrary code when the file was opened by a victim.(CAN-2004-0782, CAN-2004-0783)Chris Evans also discovered an integer overflow in the ICO image decoder.An attacker could create a carefully crafted ICO file which could cause anapplication linked with gtk2 to crash when the file was opened by a victim.(CAN-2004-0788)This updated gtk2 package also fixes a few key combination bugs on variousX servers, such as Hummingbird, ReflectionX, and X-Win32. If a server wasconfigured to use the Swiss German, Swiss French, or France French keyboardlayouts, Mode_Switched characters were unable to be entered within GTKbased applications.Users of gtk2 are advised to upgrade to these packages which containbackported patches and are not vulnerable to these issues.


Solution

Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:
up2date
For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:
http://www.redhat.com/docs/manuals/enterprise/
5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):
130450 - CAN-2004-0753 bmp image loader DOS
6. RPMs required:
Red Hat Enterprise Linux AS version 3:
SRPMS:
6ac62a2aeab6c7a99ff4b3a657530f89 gtk2-2.2.4-8.1.src.rpm
i386: 37607c300bef5d9dd9858474031f582c gtk2-2.2.4-8.1.i386.rpm 2d0c1fe11fc0a9a165debb0cbac24b4e gtk2-devel-2.2.4-8.1.i386.rpm
ia64: b3b57ef2a9b4c577cad9639fd194db14 gtk2-2.2.4-8.1.ia64.rpm cf89006e9943f4b23aeb7a410c91c542 gtk2-devel-2.2.4-8.1.ia64.rpm
ppc: 766df9da1dca48a5f110dc96b9c29015 gtk2-2.2.4-8.1.ppc.rpm eadbbab509000019eae608a8748cfbde gtk2-devel-2.2.4-8.1.ppc.rpm
s390: a3692edac044b25e4c8c2012437888e7 gtk2-2.2.4-8.1.s390.rpm f1821966b229cd61264b9af61fafdb88 gtk2-devel-2.2.4-8.1.s390.rpm
s390x: e45909f903fc90707ef451051d31853c gtk2-2.2.4-8.1.s390x.rpm 4190a6fdeed17fe104def7551c1ea51e gtk2-devel-2.2.4-8.1.s390x.rpm
x86_64: 7c5c8d7447e340310576c2909985268c gtk2-2.2.4-8.1.x86_64.rpm 37607c300bef5d9dd9858474031f582c gtk2-2.2.4-8.1.i386.rpm 8ebd7aea9fe419a1e60c1405fae01f5a gtk2-devel-2.2.4-8.1.x86_64.rpm
Red Hat Desktop version 3:
SRPMS:
6ac62a2aeab6c7a99ff4b3a657530f89 gtk2-2.2.4-8.1.src.rpm
i386: 37607c300bef5d9dd9858474031f582c gtk2-2.2.4-8.1.i386.rpm 2d0c1fe11fc0a9a165debb0cbac24b4e gtk2-devel-2.2.4-8.1.i386.rpm
x86_64: 7c5c8d7447e340310576c2909985268c gtk2-2.2.4-8.1.x86_64.rpm 37607c300bef5d9dd9858474031f582c gtk2-2.2.4-8.1.i386.rpm 8ebd7aea9fe419a1e60c1405fae01f5a gtk2-devel-2.2.4-8.1.x86_64.rpm
Red Hat Enterprise Linux ES version 3:
SRPMS:
6ac62a2aeab6c7a99ff4b3a657530f89 gtk2-2.2.4-8.1.src.rpm
i386: 37607c300bef5d9dd9858474031f582c gtk2-2.2.4-8.1.i386.rpm 2d0c1fe11fc0a9a165debb0cbac24b4e gtk2-devel-2.2.4-8.1.i386.rpm
ia64: b3b57ef2a9b4c577cad9639fd194db14 gtk2-2.2.4-8.1.ia64.rpm cf89006e9943f4b23aeb7a410c91c542 gtk2-devel-2.2.4-8.1.ia64.rpm
x86_64: 7c5c8d7447e340310576c2909985268c gtk2-2.2.4-8.1.x86_64.rpm 37607c300bef5d9dd9858474031f582c gtk2-2.2.4-8.1.i386.rpm 8ebd7aea9fe419a1e60c1405fae01f5a gtk2-devel-2.2.4-8.1.x86_64.rpm
Red Hat Enterprise Linux WS version 3:
SRPMS:
6ac62a2aeab6c7a99ff4b3a657530f89 gtk2-2.2.4-8.1.src.rpm
i386: 37607c300bef5d9dd9858474031f582c gtk2-2.2.4-8.1.i386.rpm 2d0c1fe11fc0a9a165debb0cbac24b4e gtk2-devel-2.2.4-8.1.i386.rpm
ia64: b3b57ef2a9b4c577cad9639fd194db14 gtk2-2.2.4-8.1.ia64.rpm cf89006e9943f4b23aeb7a410c91c542 gtk2-devel-2.2.4-8.1.ia64.rpm
x86_64: 7c5c8d7447e340310576c2909985268c gtk2-2.2.4-8.1.x86_64.rpm 37607c300bef5d9dd9858474031f582c gtk2-2.2.4-8.1.i386.rpm 8ebd7aea9fe419a1e60c1405fae01f5a gtk2-devel-2.2.4-8.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from

References

Bug 150601 – Bad BMP files can cause gdk-pixbuf loader to sit in an infinite loop Bug 144808 – AltGr combinations don't work with some X servers CVE -CVE-2004-0753 CVE -CVE-2004-0782 CVE -CVE-2004-0783 CVE -CVE-2004-0788

Package List


Severity
Advisory ID: RHSA-2004:466-01
Issued Date: : 2004-09-15
Updated on: 2004-09-15
Product: Red Hat Enterprise Linux
CVE Names: CAN-2004-0753 CAN-2004-0782 CAN-2004-0783 CAN-2004-0788

Topic

Updated gtk2 packages that fix several security flaws and bugs are nowavailable.


Topic


 

Relevant Releases Architectures

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64

Red Hat Desktop version 3 - i386, x86_64

Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64

Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64


Bugs Fixed


Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved