Fedora Legacy Test Update Notification: lesstif
Marc Deslauriers
marcdeslauriers at videotron.ca
Fri Nov 18 05:38:12 UTC 2005
---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-152803
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152803
2005-11-17
---------------------------------------------------------------------
Name : lesstif
Versions : rh73: lesstif-0.93.18-2.3.legacy
Versions : rh9: lesstif-0.93.36-3.3.legacy
Versions : fc1: lesstif-0.93.36-4.3.legacy
Versions : fc2: lesstif-0.93.36-5.3.legacy
Summary : An OSF/Motif(R) clone.
Description :
LessTif is a free replacement for OSF/Motif(R), which provides a full
set of widgets for application development (menus, text entry areas,
scrolling windows, etc.). LessTif is source compatible with
OSF/Motif(R) 1.2. The widget set code is the primary focus of
development. If you are installing lesstif, you also need to install
lesstif-clients.
---------------------------------------------------------------------
Update Information:
Updated lesstif packages that fix flaws in the Xpm image library are
now available.
lesstif is a free replacement for OSF/Motif(R), which provides a full
set of widgets for application development.
During a source code audit, Chris Evans and others discovered several
stack overflow flaws and an integer overflow flaw in the libXpm library
used to decode XPM (X PixMap) images. A vulnerable version of this
library was found within LessTif. An attacker could create a carefully
crafted XPM file which would cause an application to crash or
potentially execute arbitrary code if opened by a victim. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
names CVE-2004-0687, CVE-2004-0688, and CVE-2004-0914 to these issues.
An integer overflow flaw was found in libXpm; a vulnerable version of
this library is found within LessTif. An attacker could create a
malicious XPM file that would execute arbitrary code if opened by a
victim using an application linked to LessTif. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2005-0605 to this issue.
Users of lesstif are advised to upgrade to these erratum packages,
which contain backported security patches correcting these issues.
---------------------------------------------------------------------
Changelogs:
rh73:
* Wed Jul 27 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
0.93.18-2.3.legacy
- Use the RHEL patches for CAN-2004-0667, CAN-2004-0668 and CAN-2004-0914
- fixed possible libXpm overflows (CAN-2005-0605)
* Fri Dec 03 2004 Rob Myers <rob.myers at gtri.gatech.edu> 0.93.18-2.2.legacy
- apply diff from current lesstif cvs that removes the monolithic
Xpm.c file and breaks it into the latest versions of the separate
libXpm files. this should fix CAN-2004-0667, CAN-2004-0668, and
CAN-2004-0914 (FL #2142)
* Thu Nov 04 2004 Rob Myers <rob.myers at gtri.gatech.edu> 0.93.18-2.1.legacy
- apply patch for CAN-2004-0688 (FL #2142)
- truncated changelog because it was somehow breaking things
rh9:
* Wed Jul 27 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
0.93.36-3.3.legacy
- Use the RHEL patches for CAN-2004-0667, CAN-2004-0668 and CAN-2004-0914
- fixed possible libXpm overflows (CAN-2005-0605)
* Fri Dec 03 2004 Rob Myers <rob.myers at gtri.gatech.edu> 0.93.36-3.2.legacy
- apply diff from current lesstif cvs that removes the monolithic
Xpm.c file and breaks it into the latest versions of the separate
libXpm files. this should fix CAN-2004-0667, CAN-2004-0668, and
CAN-2004-0914 (FL #2142)
* Thu Nov 04 2004 Rob Myers <rob.myers at gtri.gatech.edu> 0.93.36-3.1.legacy
- apply patch for CAN-2004-0688 (FL #2142)
fc1:
* Wed Jul 27 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
0.93.36-4.3.legacy
- Use the RHEL patches for CAN-2004-0667, CAN-2004-0668 and CAN-2004-0914
- fixed possible libXpm overflows (CAN-2005-0605)
* Fri Dec 03 2004 Rob Myers <rob.myers at gtri.gatech.edu> 0.93.36-4.2.legacy
- apply diff from current lesstif cvs that removes the monolithic
Xpm.c file and breaks it into the latest versions of the separate
libXpm files. this should fix CAN-2004-0667, CAN-2004-0668, and
CAN-2004-0914 (FL #2142)
* Thu Nov 04 2004 Rob Myers <rob.myers at gtri.gatech.edu> 0.93.36-4.1.legacy
- apply patch for CAN-2004-0688 (FL #2142)
fc2:
* Tue Jul 26 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
0.93.36-5.3.legacy
- fixed possible libXpm overflows (CAN-2005-0605)
- allow to write XPM files with absolute path names again
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/
(sha1sums)
rh73:
83e9647ade78338b07abdb618f5d88b0ed12b46b
redhat/7.3/updates-testing/i386/lesstif-0.93.18-2.3.legacy.i386.rpm
c9dcedad7c1576504e12340753b391181d613714
redhat/7.3/updates-testing/i386/lesstif-devel-0.93.18-2.3.legacy.i386.rpm
649a15edc64e3847238eb252be93db1583baa1cc
redhat/7.3/updates-testing/SRPMS/lesstif-0.93.18-2.3.legacy.src.rpm
rh9:
a4a8e6e888234cb0751800c181430db4c7b524e6
redhat/9/updates-testing/i386/lesstif-0.93.36-3.3.legacy.i386.rpm
0804ad3304bf12be7f1ab71a463e980f4ea17975
redhat/9/updates-testing/i386/lesstif-devel-0.93.36-3.3.legacy.i386.rpm
51459c1f41f08654e13b4f22bb76082ed04bbbde
redhat/9/updates-testing/SRPMS/lesstif-0.93.36-3.3.legacy.src.rpm
fc1:
9d8c60a5d5fd55081cd0e7f4ac9c349393c851c8
fedora/1/updates-testing/i386/lesstif-0.93.36-4.3.legacy.i386.rpm
7453bc2247080a99da8cb3aba8adb768191fa30f
fedora/1/updates-testing/i386/lesstif-devel-0.93.36-4.3.legacy.i386.rpm
0131e9cd6d912798c1ad0b45a0195fc9b3e6cfe3
fedora/1/updates-testing/SRPMS/lesstif-0.93.36-4.3.legacy.src.rpm
fc2:
00c8b8ed1cc28659d23e3a786ee12b0bfa1eb10d
fedora/2/updates-testing/i386/lesstif-0.93.36-5.3.legacy.i386.rpm
051563d1c29930fc45f3184ff9abbcf92daf1b74
fedora/2/updates-testing/i386/lesstif-devel-0.93.36-5.3.legacy.i386.rpm
2bb39e060197d2bed2f9e7448b9a6e68c72555f5
fedora/2/updates-testing/SRPMS/lesstif-0.93.36-5.3.legacy.src.rpm
---------------------------------------------------------------------
Please test and comment in bugzilla.
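
The checksum listing above puts each SHA-1 on one line and the package path on the next, so the two have to be paired up before downloaded files can be checked. The script below is an added example, not part of the original notification. It assumes the "(sha1sums)" section has been saved to a text file exactly as printed, and the package names in its demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the advisory: verify downloads against its sha1sums.

# The listing puts each 40-hex SHA-1 on one line and the repository path on
# the next. Emit "hash basename" pairs; labels such as "rh73:" are skipped.
advisory_to_manifest() {
    awk '
        length($0) == 40 && $0 ~ /^[0-9a-f]+$/ { hash = $0; next }
        hash != "" && /\.rpm$/ { n = split($0, p, "/"); print hash, p[n] }
        { hash = "" }
    ' "$1"
}

# verify_packages LISTING DIR: one status line per listed package present in
# DIR. Fails on any mismatch, and also when nothing could be verified.
verify_packages() (
    manifest=$(advisory_to_manifest "$1")
    checked=0 bad=0
    while read -r hash name; do
        [ -f "$2/$name" ] || continue      # not downloaded (other release)
        checked=$((checked + 1))
        actual=$(sha1sum "$2/$name" | cut -d' ' -f1)
        if [ "$actual" = "$hash" ]; then echo "OK       $name"
        else echo "MISMATCH $name"; bad=$((bad + 1)); fi
    done <<EOF
$manifest
EOF
    [ "$checked" -gt 0 ] && [ "$bad" -eq 0 ]
)

# Constructed sample (not real packages): one file matches its listed hash,
# the other has contents that differ from what the listing promises.
demo() {
    d=$(mktemp -d)
    printf 'payload-a' > "$d/demo-1.0-1.i386.rpm"
    printf 'tampered'  > "$d/demo-devel-1.0-1.i386.rpm"
    {
        echo "rh73:"
        printf 'payload-a' | sha1sum | cut -d' ' -f1
        echo "redhat/7.3/updates-testing/i386/demo-1.0-1.i386.rpm"
        printf 'payload-b' | sha1sum | cut -d' ' -f1
        echo "redhat/7.3/updates-testing/i386/demo-devel-1.0-1.i386.rpm"
    } > "$d/listing.txt"
    status=0
    verify_packages "$d/listing.txt" "$d" || status=$?
    rm -rf "$d"
    return "$status"
}
demo || echo "verification failed, as constructed"
```

Packages for other releases that were not downloaded are skipped, so a run only succeeds when at least one listed file was present and every present file matched.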