Fedora Legacy Test Update Notification: lesstif

Marc Deslauriers marcdeslauriers at videotron.ca
Fri Nov 18 05:38:12 UTC 2005


---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-152803
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152803
2005-11-17
---------------------------------------------------------------------

Name        : lesstif
Versions    : rh73: lesstif-0.93.18-2.3.legacy
Versions    : rh9: lesstif-0.93.36-3.3.legacy
Versions    : fc1: lesstif-0.93.36-4.3.legacy
Versions    : fc2: lesstif-0.93.36-5.3.legacy
Summary     : An OSF/Motif(R) clone.
Description :
LessTif is a free replacement for OSF/Motif(R), which provides a full
set of widgets for application development (menus, text entry areas,
scrolling windows, etc.). LessTif is source compatible with
OSF/Motif(R) 1.2. The widget set code is the primary focus of
development. If you are installing lesstif, you also need to install
lesstif-clients.

---------------------------------------------------------------------
Update Information:

Updated lesstif packages that fix flaws in the Xpm image library are
now available.

lesstif is a free replacement for OSF/Motif(R), which provides a full
set of widgets for application development.

During a source code audit, Chris Evans and others discovered several
stack overflow flaws and an integer overflow flaw in the libXpm library
used to decode XPM (X PixMap) images. A vulnerable version of this
library was found within LessTif. An attacker could create a carefully
crafted XPM file which would cause an application to crash or
potentially execute arbitrary code if opened by a victim. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
names CVE-2004-0687, CVE-2004-0688, and CVE-2004-0914 to these issues.

An integer overflow flaw was found in libXpm; a vulnerable version of
this library is found within LessTif. An attacker could create a
malicious XPM file that would execute arbitrary code if opened by a
victim using an application linked to LessTif. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2005-0605 to this issue.

Users of lesstif are advised to upgrade to these erratum packages,
which contain backported security patches correcting these issues.

---------------------------------------------------------------------
Changelogs:

rh73:
* Wed Jul 27 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
0.93.18-2.3.legacy
- Use the RHEL patches for CAN-2004-0667, CAN-2004-0668 and CAN-2004-0914
- fixed possible libXpm overflows (CAN-2005-0605)

* Fri Dec 03 2004 Rob Myers <rob.myers at gtri.gatech.edu> 0.93.18-2.2.legacy
- apply diff from current lesstif cvs that removes the monolithic
  Xpm.c file and breaks it into the latest versions of the separate
  libXpm files.  this should fix  CAN-2004-0667, CAN-2004-0668, and
  CAN-2004-0914 (FL #2142)

* Thu Nov 04 2004 Rob Myers <rob.myers at gtri.gatech.edu> 0.93.18-2.1.legacy
- apply patch for CAN-2004-0688 (FL #2142)
- truncated changelog because it was somehow breaking things


rh9:
* Wed Jul 27 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
0.93.36-3.3.legacy
- Use the RHEL patches for CAN-2004-0667, CAN-2004-0668 and CAN-2004-0914
- fixed possible libXpm overflows (CAN-2005-0605)

* Fri Dec 03 2004 Rob Myers <rob.myers at gtri.gatech.edu> 0.93.36-3.2.legacy
- apply diff from current lesstif cvs that removes the monolithic
  Xpm.c file and breaks it into the latest versions of the separate
  libXpm files.  this should fix  CAN-2004-0667, CAN-2004-0668, and
  CAN-2004-0914 (FL #2142)

* Thu Nov 04 2004 Rob Myers <rob.myers at gtri.gatech.edu> 0.93.36-3.1.legacy
- apply patch for CAN-2004-0688 (FL #2142)

fc1:
* Wed Jul 27 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
0.93.36-4.3.legacy
- Use the RHEL patches for CAN-2004-0667, CAN-2004-0668 and CAN-2004-0914
- fixed possible libXpm overflows (CAN-2005-0605)

* Fri Dec 03 2004 Rob Myers <rob.myers at gtri.gatech.edu> 0.93.36-4.2.legacy
- apply diff from current lesstif cvs that removes the monolithic
  Xpm.c file and breaks it into the latest versions of the separate
  libXpm files.  this should fix  CAN-2004-0667, CAN-2004-0668, and
  CAN-2004-0914 (FL #2142)

* Thu Nov 04 2004 Rob Myers <rob.myers at gtri.gatech.edu> 0.93.36-4.1.legacy
- apply patch for CAN-2004-0688 (FL #2142)

fc2:
* Tue Jul 26 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
0.93.36-5.3.legacy
- fixed possible libXpm overflows (CAN-2005-0605)
- allow to write XPM files with absolute path names again

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

rh73:
83e9647ade78338b07abdb618f5d88b0ed12b46b
redhat/7.3/updates-testing/i386/lesstif-0.93.18-2.3.legacy.i386.rpm
c9dcedad7c1576504e12340753b391181d613714
redhat/7.3/updates-testing/i386/lesstif-devel-0.93.18-2.3.legacy.i386.rpm
649a15edc64e3847238eb252be93db1583baa1cc
redhat/7.3/updates-testing/SRPMS/lesstif-0.93.18-2.3.legacy.src.rpm

rh9:
a4a8e6e888234cb0751800c181430db4c7b524e6
redhat/9/updates-testing/i386/lesstif-0.93.36-3.3.legacy.i386.rpm
0804ad3304bf12be7f1ab71a463e980f4ea17975
redhat/9/updates-testing/i386/lesstif-devel-0.93.36-3.3.legacy.i386.rpm
51459c1f41f08654e13b4f22bb76082ed04bbbde
redhat/9/updates-testing/SRPMS/lesstif-0.93.36-3.3.legacy.src.rpm

fc1:
9d8c60a5d5fd55081cd0e7f4ac9c349393c851c8
fedora/1/updates-testing/i386/lesstif-0.93.36-4.3.legacy.i386.rpm
7453bc2247080a99da8cb3aba8adb768191fa30f
fedora/1/updates-testing/i386/lesstif-devel-0.93.36-4.3.legacy.i386.rpm
0131e9cd6d912798c1ad0b45a0195fc9b3e6cfe3
fedora/1/updates-testing/SRPMS/lesstif-0.93.36-4.3.legacy.src.rpm

fc2:
00c8b8ed1cc28659d23e3a786ee12b0bfa1eb10d
fedora/2/updates-testing/i386/lesstif-0.93.36-5.3.legacy.i386.rpm
051563d1c29930fc45f3184ff9abbcf92daf1b74
fedora/2/updates-testing/i386/lesstif-devel-0.93.36-5.3.legacy.i386.rpm
2bb39e060197d2bed2f9e7448b9a6e68c72555f5
fedora/2/updates-testing/SRPMS/lesstif-0.93.36-5.3.legacy.src.rpm
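
The following shell script is an added example, not part of the advisory or the Fedora Legacy project's tooling. It converts the sha1sum list above (one checksum per line, followed by the mirror-relative path on the next line) into the two-column form that `sha1sum -c` reads, and checks a local download tree against it. It assumes the packages were saved under a directory that mirrors the paths above (`redhat/7.3/...`, `fedora/1/...`) and that GNU `sha1sum` and `awk` are available; the checksums only establish that the download matches what this message lists, so the mail's OpenPGP signature is what ties the list to its sender.

```shell
#!/bin/sh
# Added example (not from the advisory): verify downloaded Fedora Legacy
# packages against the sha1sums published in the "(sha1sums)" section.

# advisory_to_sha1sum_list: read the advisory's sha1sum section on stdin and
# emit one "<sha1>  <path>" line per package. Release labels such as "rh73:"
# and blank lines are skipped; a 40-character lowercase hex line is taken as
# a checksum and paired with the next non-empty line (the package path).
advisory_to_sha1sum_list() {
    awk '
        length($0) == 40 && $0 ~ /^[0-9a-f]+$/ { sum = $0; next }
        sum != "" && NF > 0                     { print sum "  " $0; sum = "" }
    '
}

# verify_packages LIST ROOT
#   LIST: a file holding the advisory's sha1sum section, copied verbatim
#   ROOT: directory containing the downloaded mirror tree (redhat/..., fedora/...)
# Returns 0 only when every listed file exists under ROOT and matches its
# checksum; sha1sum -c reports each missing or mismatching file on stderr/stdout.
verify_packages() {
    list=$1
    root=$2
    advisory_to_sha1sum_list < "$list" > "$root/.advisory.sha1" || return 1
    ( cd "$root" && sha1sum -c --quiet .advisory.sha1 )
}

# Usage (paths are assumptions for illustration):
#   verify_packages ./FEDORALEGACY-2005-152803.sha1 ./downloads \
#       && echo "all packages match the advisory"
```

Only the release you run needs to be present; comment out the other sections of the copied list, or keep them and treat the "No such file" lines for the other releases as expected noise. A tampered or truncated rpm fails the check even though `rpm -K` might still accept an unsigned package, which is why the checksum step belongs before any `rpm -Uvh`.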

---------------------------------------------------------------------

Please test and comment in bugzilla.