Fedora Legacy Test Update Notification: xloadimage

Marc Deslauriers marcdeslauriers at videotron.ca
Wed Mar 29 00:38:38 UTC 2006


---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-152923
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152923
2006-03-28
---------------------------------------------------------------------

Name        : xloadimage
Versions    : rh73: xloadimage-4.1-21.2.legacy
Versions    : rh9: xloadimage-4.1-27.2.legacy
Versions    : fc1: xloadimage-4.1-29.2.legacy
Versions    : fc2: xloadimage-4.1-34.FC2.2.legacy
Summary     : An X Window System based image viewer.
Description :
The xloadimage utility displays images in an X Window System window,
loads images into the root window, or writes images into a file.
Xloadimage supports many image types (including GIF, TIFF, JPEG, XPM,
and XBM).

---------------------------------------------------------------------
Update Information:

A new xloadimage package that fixes bugs in handling malformed TIFF and
pbm/pnm/ppm images, and in handling metacharacters in file names, is now
available.

A flaw was discovered in xloadimage where filenames were not properly
quoted when calling the gunzip command. An attacker could create a file
with a carefully crafted filename so that it would execute arbitrary
commands if opened by a victim. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CVE-2005-0638 to
this issue.

A flaw was discovered in the way xloadimage handles NIFF images: an
attacker can construct a NIFF image with a very long embedded image
title, and this image can cause a buffer overflow. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2005-3178 to this issue.

All users of xloadimage should upgrade to this erratum package, which
contains backported patches to correct these issues.

---------------------------------------------------------------------
Changelogs

rh73:
* Tue Mar 21 2006 Marc Deslauriers <marcdeslauriers at videotron.ca>
4.1-21.2.legacy
- Added missing XFree86-devel BuildPrereq

* Thu Mar 16 2006 Donald Maner <donjr at maner.org> 4.1-21.1.legacy
- Patches for CVE-2005-0638 and CVE-2005-3178 (#152923)

rh9:
* Tue Mar 21 2006 Marc Deslauriers <marcdeslauriers at videotron.ca>
4.1-27.2.legacy
- Added missing XFree86-devel to BuildPrereq

* Thu Mar 16 2006 Donald Maner <donjr at maner.org> 4.1-27.1.legacy
- Patches for CVE-2005-0638 and CVE-2005-3178 (#152923)

fc1:
* Tue Mar 21 2006 Marc Deslauriers <marcdeslauriers at videotron.ca>
4.1-29.2.legacy
- Added missing XFree86-devel to BuildPrereq

* Thu Mar 16 2006 Donald Maner <donjr at maner.org> 4.1-29.1.legacy
- Patches for CVE-2005-0638 and CVE-2005-3178 (#152923)

fc2:
* Tue Mar 21 2006 Marc Deslauriers <marcdeslauriers at videotron.ca>
4.1-34.FC2.2.legacy
- Added missing libjpeg-devel to BuildPrereq
- Fix release tag

* Fri Mar 17 2006 Donald Maner <donjr at pobox.com> 4.1-34.1.legacy
- Patch for CVE-2005-3178 (#152923)

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

rh73:
88326ff1a0753287240180322b36f8174686e0cc
redhat/7.3/updates-testing/i386/xloadimage-4.1-21.2.legacy.i386.rpm
663b64ed039000824bacd3475e807c29c835f388
redhat/7.3/updates-testing/SRPMS/xloadimage-4.1-21.2.legacy.src.rpm

rh9:
7fef8d73737dfacb3d56f203bf31f3c8e2014925
redhat/9/updates-testing/i386/xloadimage-4.1-27.2.legacy.i386.rpm
2b4223a41ab2127ee3b173e0803635f3c441bb4f
redhat/9/updates-testing/SRPMS/xloadimage-4.1-27.2.legacy.src.rpm

fc1:
c24c7a2ae4d703b00a3f84623cae24775674d5d7
fedora/1/updates-testing/i386/xloadimage-4.1-29.2.legacy.i386.rpm
ec2c5a9b5049aeca3cd4d12e7b84c650fec1c295
fedora/1/updates-testing/SRPMS/xloadimage-4.1-29.2.legacy.src.rpm

fc2:
2910727dcd74a462a2f137746592e53ba5fcdfac
fedora/2/updates-testing/i386/xloadimage-4.1-34.FC2.2.legacy.i386.rpm
924f5e4ffc9ff7190dc1808def838e57377f5fd6
fedora/2/updates-testing/SRPMS/xloadimage-4.1-34.FC2.2.legacy.src.rpm

---------------------------------------------------------------------

Please test and comment in bugzilla.
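
The file name quoting flaw described above under CVE-2005-0638, as an added example that is not part of the original notification and is not xloadimage or Fedora Legacy code. It contrasts a command string handed to a shell with an argument vector passed to execvp(); the helper names unsafe_command, gunzip_argv and run_argv are hypothetical.

```c
/* Added example with hypothetical helper names; not xloadimage source. */
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Unsafe pattern: the name is pasted into text that /bin/sh will parse
 * (for example via popen), so ; | ` $ in the name become shell syntax. */
int unsafe_command(char *buf, size_t len, const char *name)
{
    return snprintf(buf, len, "gunzip -c %s", name);
}

/* Safe pattern: one argv slot per argument and no shell. "--" ends option
 * parsing, so a name that starts with '-' is not read as a switch. */
void gunzip_argv(const char *name, const char *argv[5])
{
    argv[0] = "gunzip"; argv[1] = "-c"; argv[2] = "--";
    argv[3] = name;     argv[4] = NULL;
}

/* Run argv[0] through execvp() and capture its stdout in out.
 * Returns the child's exit status, or -1 on error. */
int run_argv(const char *const argv[], char *out, size_t len)
{
    int fd[2], status;
    size_t used = 0; ssize_t n;
    if (len == 0 || pipe(fd) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fd[0]); close(fd[1]);
        return -1;
    }
    if (pid == 0) {                       /* child: stdout -> pipe */
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]); close(fd[1]);
        execvp(argv[0], (char *const *)argv);
        _exit(127);                       /* exec failed */
    }
    close(fd[1]);
    while (used < len - 1 && (n = read(fd[0], out + used, len - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fd[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Passing the vector from gunzip_argv to run_argv delivers the file name to gunzip as a single literal argument, whatever characters it contains.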
