Fedora Legacy Test Update Notification: gtk2

Marc Deslauriers marcdeslauriers at videotron.ca
Thu Nov 3 23:54:54 UTC 2005


---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-155510
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=155510
2005-11-03
---------------------------------------------------------------------

Name        : gtk2
Versions    : rh73: gtk2-2.0.2-4.2.legacy
Versions    : rh9: gtk2-2.2.1-4.2.legacy
Versions    : fc1: gtk2-2.2.4-10.3.legacy
Summary     : The GIMP ToolKit (GTK+), a library for creating GUIs for X.
Description :
The gtk+ package contains the GIMP ToolKit (GTK+), a library for
creating graphical user interfaces for the X Window System. GTK+ was
originally written for the GIMP (GNU Image Manipulation Program) image
processing program, but is now used by several other programs as well.

---------------------------------------------------------------------
Update Information:

Updated gtk2 packages that fix several security flaws are now available.

The gtk2 package contains the GIMP ToolKit (GTK+), a library for
creating graphical user interfaces for the X Window System.

During testing of a previously fixed flaw in Qt (CVE-2004-0691), a flaw
was discovered in the BMP image processor of gtk2. An attacker could
create a carefully crafted BMP file which would cause an application to
enter an infinite loop and not respond to user input when the file was
opened by a victim. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2004-0753 to this issue.

During a security audit Chris Evans discovered a stack and a heap
overflow in the XPM image decoder. An attacker could create a carefully
crafted XPM file which could cause an application linked with gtk2 to
crash or possibly execute arbitrary code when the file was opened by a
victim. (CVE-2004-0782, CVE-2004-0783)

Chris Evans also discovered an integer overflow in the ICO image
decoder. An attacker could create a carefully crafted ICO file which
could cause an application linked with gtk2 to crash when the file was
opened by a victim. (CVE-2004-0788)

A bug was found in the way gtk2 processes BMP images. It is possible
that a specially crafted BMP image could cause a denial of service
attack on applications linked against gtk2. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name
CVE-2005-0891 to this issue.

Users of gtk2 are advised to upgrade to these packages, which contain
backported patches and are not vulnerable to these issues.

---------------------------------------------------------------------
Changelogs

rh73:
* Wed Nov 02 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
2.0.2-4.2.legacy
- Go back to a sane release number

* Wed May 11 2005 Pekka Savola <pekkas at netcore.fi> 2.0.2-4.1.legacy.2
- Add BMP loader double free crash from RHEL3 (CAN-2005-0891), #155510

* Thu Feb 17 2005 Dominic Hargreaves <dom at earth.li> 2.0.2-4.1.legacy.1
- Add gettext, libtool, autoconf build dep

* Sun Sep 19 2004 Marc Deslauriers <marcdeslauriers at videotron.ca>
2.0.2-4.1.legacy
- Added security patch for CAN-2004-0782, CAN-2004-0783, CAN-2004-0788

rh9:
* Wed Nov 02 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
2.2.1-4.2.legacy
- Go back to a sane release number

* Wed May 11 2005 Pekka Savola <pekkas at netcore.fi> 2.2.1-4.1.legacy.2
- Add BMP loader double free crash from RHEL3 (CAN-2005-0891), #155510

* Wed Feb 23 2005 Dominic Hargreaves <dom at earth.li> 2.2.1-4.1.legacy.1
- Fix build requirement for automake

* Sun Sep 19 2004 Marc Deslauriers <marcdeslauriers at videotron.ca>
2.2.1-4.1.legacy
- add security fixes for CAN-2004-0753, CAN-2004-0782,
  CAN-2004-0783, CAN-2004-0788

fc1:
* Wed Nov 02 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
2.2.4-10.3.legacy
- Added automake14 and gettext to BuildPrereq

* Sat Aug 20 2005 Dave Eisenstein <deisenst at gtw.net> 2.2.4-10.2.legacy
- Specfile damaged in 2.2.4-10.1.legacy.  Redo specfile. Bug #155510.

* Wed May 11 2005 Pekka Savola <pekkas at netcore.fi> 2.2.4-10.1.legacy
- Add BMP loader double free crash from RHEL3 (CAN-2005-0891), #155510

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

rh73:
f923e47859f2b8e973a19978baa299a9eb9510b9
redhat/7.3/updates-testing/i386/gtk2-2.0.2-4.2.legacy.i386.rpm
0b42963350b57d6c8f4d77fc9e611d6e976d80b1
redhat/7.3/updates-testing/i386/gtk2-devel-2.0.2-4.2.legacy.i386.rpm
e975fad01109fe3e9efb1b1ab2d47db32b0b83ee
redhat/7.3/updates-testing/SRPMS/gtk2-2.0.2-4.2.legacy.src.rpm

rh9:
5d06ac2e6c81087e13c175b457116c0fd6950057
redhat/9/updates-testing/i386/gtk2-2.2.1-4.2.legacy.i386.rpm
99ef7dc3fdd67673358acc791ef306b914653271
redhat/9/updates-testing/i386/gtk2-devel-2.2.1-4.2.legacy.i386.rpm
8ada7b7f6ee51a281d6e0079aba0f2c150fdbf06
redhat/9/updates-testing/SRPMS/gtk2-2.2.1-4.2.legacy.src.rpm

fc1:
be0ba4a1776f9849cd5734ccb655b9dabb97011b
fedora/1/updates-testing/i386/gtk2-2.2.4-10.3.legacy.i386.rpm
501aa3181b863c6904004ec8ef5c9e38cef77652
fedora/1/updates-testing/i386/gtk2-devel-2.2.4-10.3.legacy.i386.rpm
76c60fd3ca93a1291f6bb60403b3c080323fa855
fedora/1/updates-testing/SRPMS/gtk2-2.2.4-10.3.legacy.src.rpm
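
As an added example (an editor's script, not part of this notification or
of Fedora Legacy's own tooling), the POSIX shell checker below reads the
sha1sums section above in exactly the layout shown (a 40-hex-digit hash on
one line, the mirror-relative path on the next, "rh73:"-style labels and
blank lines skipped) and verifies a downloaded mirror tree against it, so a
truncated or substituted package is refused before it reaches rpm. Because
the real RPMs are not available offline, the demo at the bottom runs on a
constructed stand-in file whose content is just "hello\n"; the listing
format, the rh73 path and the verification logic are the same for the
real packages.

```shell
#!/bin/sh
# Added example (not part of the Fedora Legacy notification): check downloaded
# test-update RPMs against the sha1sums listed in the announcement before
# installing them. Paste the announcement's sha1sums section verbatim into a
# file and run:  verify_listing sha1sums.txt /path/where/mirror/tree/was/fetched

sha1_of() {
    # Print the SHA-1 hex digest of file "$1". Prefers sha1sum (coreutils)
    # and falls back to shasum (perl) where coreutils is absent.
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

verify_listing() {
    # $1: file holding the pasted sha1sums section; $2: directory into which
    # the mirror tree (redhat/..., fedora/...) was downloaded.
    # Returns 0 only if at least one file was listed and every listed file
    # exists and matches its hash; prints one status line per path.
    listing=$1; root=$2; pending=""; bad=0; checked=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "") continue ;;                 # blank separator line
            *:) pending=""; continue ;;     # release label such as "fc1:"
        esac
        if printf '%s\n' "$line" | grep -Eq '^[0-9a-f]{40}$'; then
            pending=$line                   # hash line; its path follows
            continue
        fi
        if [ -z "$pending" ]; then
            echo "SKIP     no hash precedes: $line"
            bad=1
            continue
        fi
        checked=$((checked + 1))
        file="$root/$line"
        if [ ! -f "$file" ]; then
            echo "MISSING  $line"
            bad=1
        elif [ "$(sha1_of "$file")" = "$pending" ]; then
            echo "OK       $line"
        else
            echo "MISMATCH $line"
            bad=1
        fi
        pending=""
    done < "$listing"
    [ "$checked" -gt 0 ] || bad=1           # an empty listing verifies nothing
    return "$bad"
}

demo_constructed_tree() {
    # Constructed fixture (not a real package): a stand-in file containing
    # "hello\n", whose SHA-1 is f572d396fae9206628714fb2ce00f72e94f2258f,
    # placed under the rh73 path used in the notification. Returns 0 when the
    # intact file is accepted and a tampered copy is rejected.
    tmp=$(mktemp -d) || return 1
    pkg="$tmp/redhat/7.3/updates-testing/i386/gtk2-2.0.2-4.2.legacy.i386.rpm"
    mkdir -p "$(dirname "$pkg")"
    printf 'hello\n' > "$pkg"
    printf '%s\n' 'rh73:' \
        'f572d396fae9206628714fb2ce00f72e94f2258f' \
        'redhat/7.3/updates-testing/i386/gtk2-2.0.2-4.2.legacy.i386.rpm' \
        > "$tmp/sha1sums.txt"
    verify_listing "$tmp/sha1sums.txt" "$tmp" || { rm -rf "$tmp"; return 1; }

    # Tamper with the file: verification must now fail.
    printf 'hello!\n' > "$pkg"
    if verify_listing "$tmp/sha1sums.txt" "$tmp"; then rm -rf "$tmp"; return 1; fi
    rm -rf "$tmp"
    return 0
}

demo_constructed_tree && echo "demo: intact file accepted, tampered file rejected"
```

The hashes only tie the downloaded files to the text of this announcement;
whether the announcement itself is genuine rests on its OpenPGP signature,
so check that first and only then trust the sha1sums it carries.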

---------------------------------------------------------------------

Please test and comment in bugzilla.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/fedora-legacy-list/attachments/20051103/255e7baf/attachment.sig>