Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2004.0594 -- Debian Security Advisory DSA 549-1
New gtk+2.0 packages fix several vulnerabilities
21 September 2004
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: gtk+2.0
Publisher: Debian
Operating System: Debian GNU/Linux 3.0
Linux variants
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
CVE Names: CAN-2004-0788 CAN-2004-0783 CAN-2004-0782
Ref: ESB-2004.0584
ESB-2004.0582
ESB-2004.0574
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - --------------------------------------------------------------------------
Debian Security Advisory DSA 549-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
September 17th, 2004 http://www.debian.org/security/faq
- - --------------------------------------------------------------------------
Package : gtk+2.0
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2004-0782 CAN-2004-0783 CAN-2004-0788
Chris Evans discovered several problems in gdk-pixbuf, the GdkPixBuf
library used in Gtk. It is possible for an attacker to execute
arbitrary code on the victims machine. Gdk-pixbuf for Gtk+1.2 is an
external package. For Gtk+2.0 it's part of the main gtk package.
The Common Vulnerabilities and Exposures Project identifies the
following vulnerabilities:
CAN-2004-0782
Heap-based overflow in pixbuf_create_from_xpm.
CAN-2004-0783
Stack-based overflow in xpm_extract_color.
CAN-2004-0788
Integer overflow in the ico loader.
For the stable distribution (woody) these problems have been fixed in
version 2.0.2-5woody2.
For the unstable distribution (sid) these problems will be fixed soon.
We recommend that you upgrade your Gtk packages.
Upgrade Instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- - --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/g/gtk+2.0/gtk+2.0_2.0.2-5woody2.dsc
Size/MD5 checksum: 863 e1fb1114b9e8a2a41696f9ce87e63695
http://security.debian.org/pool/updates/main/g/gtk+2.0/gtk+2.0_2.0.2-5woody2.diff.gz
Size/MD5 checksum: 46831 2efce3a3481974044c1a6a1011954f18
http://security.debian.org/pool/updates/main/g/gtk+2.0/gtk+2.0_2.0.2.orig.tar.gz
Size/MD5 checksum: 7835836 dc80381b84458d944c5300a1672c099c
Architecture independent components:
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-doc_2.0.2-5woody2_all.deb
Size/MD5 checksum: 1378706 d2d6f488c0a77c93ed5a8fd151741543
Alpha architecture:
http://security.debian.org/pool/updates/main/g/gtk+2.0/gtk2.0-examples_2.0.2-5woody2_alpha.deb
Size/MD5 checksum: 220806 d754d0cecc3f82d64be319c55dff5c8e
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk-common_2.0.2-5woody2_alpha.deb
Size/MD5 checksum: 1102 d3ccf8d6e3b666f6dc71c35f20a6cb77
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-0_2.0.2-5woody2_alpha.deb
Size/MD5 checksum: 1585238 13f238596d197ad27933c3f3e27269f7
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-common_2.0.2-5woody2_alpha.deb
Size/MD5 checksum: 595896 57264f5be6eb488ea9607cd2f7058e08
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-dbg_2.0.2-5woody2_alpha.deb
Size/MD5 checksum: 5878498 0ffc094ffe8ef6fdd11b38484ea90477
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-dev_2.0.2-5woody2_alpha.deb
Size/MD5 checksum: 178322 14de2746abdb546a703aeec243e28a12
ARM architecture:
http://security.debian.org/pool/updates/main/g/gtk+2.0/gtk2.0-examples_2.0.2-5woody2_arm.deb
Size/MD5 checksum: 214610 c2a2b4874321a68a912afcac8efe4432
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk-common_2.0.2-5woody2_arm.deb
Size/MD5 checksum: 1106 d78aba4e1a787ac217dc055dc8e5d77a
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-0_2.0.2-5woody2_arm.deb
Size/MD5 checksum: 1419902 92ed65acd376e565968d534df0e56b4f
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-common_2.0.2-5woody2_arm.deb
Size/MD5 checksum: 595286 a8f465878ea70bb232fc4fc7d460462d
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-dbg_2.0.2-5woody2_arm.deb
Size/MD5 checksum: 2904044 843cba67b1831b001b9186c11d7d5c72
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-dev_2.0.2-5woody2_arm.deb
Size/MD5 checksum: 177272 f02861b5aa96ea782f041db0ba00fe11
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/g/gtk+2.0/gtk2.0-examples_2.0.2-5woody2_i386.deb
Size/MD5 checksum: 214932 abd81a3388a82c15364189b0321c931a
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk-common_2.0.2-5woody2_i386.deb
Size/MD5 checksum: 1102 6a63e94e140d45afd8d30f1a6aeaf4fa
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-0_2.0.2-5woody2_i386.deb
Size/MD5 checksum: 1289428 a1f0196674f1556a9700a29912ed4b77
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-common_2.0.2-5woody2_i386.deb
Size/MD5 checksum: 595384 485b9ec09c0ddfa5564b25c2fcec58f7
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-dbg_2.0.2-5woody2_i386.deb
Size/MD5 checksum: 2722306 a59b27568500db9dcd8a2ffbf2866f2b
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-dev_2.0.2-5woody2_i386.deb
Size/MD5 checksum: 177140 245e88cb2addad57e7273b76fb145930
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/g/gtk+2.0/gtk2.0-examples_2.0.2-5woody2_ia64.deb
Size/MD5 checksum: 230652 df3f392fc1d8f749134f03413e6b07b3
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk-common_2.0.2-5woody2_ia64.deb
Size/MD5 checksum: 1098 9f692a19e0d16699852bf7c16de2a05b
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-0_2.0.2-5woody2_ia64.deb
Size/MD5 checksum: 2076782 8b4e1e4a232881916a2da1f39f3bff18
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-common_2.0.2-5woody2_ia64.deb
Size/MD5 checksum: 596736 fbaedfd29974d78a92de77666be3ca6a
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-dbg_2.0.2-5woody2_ia64.deb
Size/MD5 checksum: 9450414 6c1356d0a6caac17bcfee6794c7eb0e3
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-dev_2.0.2-5woody2_ia64.deb
Size/MD5 checksum: 178702 a248446a3b02a0a3bc7695bc364423d0
HP Precision architecture:
http://security.debian.org/pool/updates/main/g/gtk+2.0/gtk2.0-examples_2.0.2-5woody2_hppa.deb
Size/MD5 checksum: 220414 5541da711355e2a8f43e9fc113ef0768
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk-common_2.0.2-5woody2_hppa.deb
Size/MD5 checksum: 1104 527a4a2a3c489297eeb7ba3cbfd438a4
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-0_2.0.2-5woody2_hppa.deb
Size/MD5 checksum: 1718082 f4f7d125622fb444f1e4f0cedc8a4e2d
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-common_2.0.2-5woody2_hppa.deb
Size/MD5 checksum: 595658 50ed99e08d60d5de0abbdb1d26775c26
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-dbg_2.0.2-5woody2_hppa.deb
Size/MD5 checksum: 3317262 ba0fa17d9fa8b56a0f55b59e6768bfa7
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-dev_2.0.2-5woody2_hppa.deb
Size/MD5 checksum: 177784 fa9a3da8d0bcc4786c2c1ddea49dc75d
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/g/gtk+2.0/gtk2.0-examples_2.0.2-5woody2_m68k.deb
Size/MD5 checksum: 214628 952fad1b5e2cf93ceda4d5d63e19f765
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk-common_2.0.2-5woody2_m68k.deb
Size/MD5 checksum: 1108 8ced141cb0b5be513e6c6561d12c5a63
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-0_2.0.2-5woody2_m68k.deb
Size/MD5 checksum: 1331140 e2aba56732d36042f31066ddf8c028d8
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-common_2.0.2-5woody2_m68k.deb
Size/MD5 checksum: 595398 9b672797a3c23ee8a2f8a3efc71d3c71
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-dbg_2.0.2-5woody2_m68k.deb
Size/MD5 checksum: 2833708 f651eb5d6120d31e7f3928e74aba8980
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-dev_2.0.2-5woody2_m68k.deb
Size/MD5 checksum: 177030 9845cbf7bf9e07645dcb77274b5c33ab
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/g/gtk+2.0/gtk2.0-examples_2.0.2-5woody2_mips.deb
Size/MD5 checksum: 215928 d7588d79c18352e3338f2f4e63d5965a
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk-common_2.0.2-5woody2_mips.deb
Size/MD5 checksum: 1106 7cf40a77a0343f3e5a31ded6dc331490
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-0_2.0.2-5woody2_mips.deb
Size/MD5 checksum: 1384582 1dfc5eb807003319d401f80c94c6bf90
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-common_2.0.2-5woody2_mips.deb
Size/MD5 checksum: 595756 3ef292a9f9f3dec4a2c141673881ed96
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-dbg_2.0.2-5woody2_mips.deb
Size/MD5 checksum: 4934272 a54b24f1384ed35991e791dc307a69ba
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-dev_2.0.2-5woody2_mips.deb
Size/MD5 checksum: 177508 35d84c694be2215cc97aaf7142446949
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/g/gtk+2.0/gtk2.0-examples_2.0.2-5woody2_mipsel.deb
Size/MD5 checksum: 215604 5cc6dd64570c935fd94dee4f087233e7
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk-common_2.0.2-5woody2_mipsel.deb
Size/MD5 checksum: 1104 fe87437ef7062d2f594a8939f4fc32d5
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-0_2.0.2-5woody2_mipsel.deb
Size/MD5 checksum: 1375248 f06ee4d4dfa8c6f83da5463e1d6c68e0
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-common_2.0.2-5woody2_mipsel.deb
Size/MD5 checksum: 595704 0843d132d11c21f4dacc713cce9bfe86
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-dbg_2.0.2-5woody2_mipsel.deb
Size/MD5 checksum: 4789102 a8434a64c728d1681e0cb67579f57115
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-dev_2.0.2-5woody2_mipsel.deb
Size/MD5 checksum: 177524 2c4c179ee681e7bc9660b5779c1cd789
PowerPC architecture:
http://security.debian.org/pool/updates/main/g/gtk+2.0/gtk2.0-examples_2.0.2-5woody2_powerpc.deb
Size/MD5 checksum: 214682 98b2500d59c65aba8ee0b11182075ee7
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk-common_2.0.2-5woody2_powerpc.deb
Size/MD5 checksum: 1106 dc96de399a2ff8b240b3c617aed8eec9
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-0_2.0.2-5woody2_powerpc.deb
Size/MD5 checksum: 1504824 62e8dd6e29202ec7b93125608e0843de
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-common_2.0.2-5woody2_powerpc.deb
Size/MD5 checksum: 595492 2149f524cfd0d8c000d9b898558adf2f
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-dbg_2.0.2-5woody2_powerpc.deb
Size/MD5 checksum: 2980810 1fb39be5851af4c2b7bed18211f07f7f
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-dev_2.0.2-5woody2_powerpc.deb
Size/MD5 checksum: 177308 50c27f03e3cbb55460682bb4cc78f288
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/g/gtk+2.0/gtk2.0-examples_2.0.2-5woody2_s390.deb
Size/MD5 checksum: 217456 f09ceaad55029059c3c0881d810f0588
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk-common_2.0.2-5woody2_s390.deb
Size/MD5 checksum: 1102 13c51d35dd739aa20cde20ac8407c264
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-0_2.0.2-5woody2_s390.deb
Size/MD5 checksum: 1446606 fed3c63829a9f11ca862cec3561f3460
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-common_2.0.2-5woody2_s390.deb
Size/MD5 checksum: 595662 ce432586ed7c73c0d5e8bda255b4d4af
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-dbg_2.0.2-5woody2_s390.deb
Size/MD5 checksum: 3004760 251ada8d3dd7f4390d48c6fd1b00f85b
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-dev_2.0.2-5woody2_s390.deb
Size/MD5 checksum: 177364 4085419a638670f3e6a227b073bcfe9d
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/g/gtk+2.0/gtk2.0-examples_2.0.2-5woody2_sparc.deb
Size/MD5 checksum: 215616 e4b0fca8e9a4d954713615b223036a25
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk-common_2.0.2-5woody2_sparc.deb
Size/MD5 checksum: 1102 75aefe007d272f0d459848aa984d76ed
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-0_2.0.2-5woody2_sparc.deb
Size/MD5 checksum: 1434138 47f684ef7bb814f884efb45a4dc7ef51
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-common_2.0.2-5woody2_sparc.deb
Size/MD5 checksum: 595332 6684502ffc4b161929b3c0996f5e436f
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-dbg_2.0.2-5woody2_sparc.deb
Size/MD5 checksum: 2872322 a69e4200c018c48c1bfd4c4d140891dc
http://security.debian.org/pool/updates/main/g/gtk+2.0/libgtk2.0-dev_2.0.2-5woody2_sparc.deb
Size/MD5 checksum: 177178 3e2de7e036b45561d918905d08720ae8
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFBSq19W5ql+IAeqTIRArMSAKCT5ZJPFhftlGpFla1SzQEwt3vu5ACeN6qs
XdA0qjsHg/CZGyy4AZGXY0U=
=UANQ
- -----END PGP SIGNATURE-----
- --
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQU/Dzih9+71yA2DNAQI6kgP/RXlSYDBuIFK7iKYA4sUcYYENA9Kj66Wx
wvW1H8Tn0iccuY3XE0bwS7SV2rkgIH/41dioiiqVLcl7eDkM7RzE0xtNVb6vqqMW
iq7Qu2GGlQVCj13yRq+IAnf9RokK+P4d7Kw5CfDps+QHhbgoT+9cvrFCWnqCPy5R
2piJlFocR1Y=
=8rmo
-----END PGP SIGNATURE-----