Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2010.0178
A vulnerability have been discovered and corrected in netpbm
19 February 2010
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: netpbm
Publisher: Mandriva
Operating System: Mandriva Linux
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2009-4274
Comment: This advisory references vulnerabilities in products which run on
platforms other than Mandriva. It is recommended that administrators
running netpbm check for an updated version of the software for
their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:039
http://www.mandriva.com/security/
_______________________________________________________________________
Package : netpbm
Date : February 17, 2010
Affected: 2008.0, 2009.0, 2009.1, 2010.0, Corporate 4.0,
Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
A vulnerability have been discovered and corrected in netpbm:
Stack-based buffer overflow in converter/ppm/xpmtoppm.c in netpbm
before 10.47.07 allows context-dependent attackers to cause a denial
of service (application crash) or possibly execute arbitrary code
via an XPM image file that contains a crafted header field associated
with a large color index value (CVE-2009-4274).
Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.
The updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4274
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.0:
8bcad87072eb2e7bc56fb0dd5b85259a 2008.0/i586/libnetpbm10-10.34-8.4mdv2008.0.i586.rpm
59ed2a66a9b7ba7892e8eca4fb13881c 2008.0/i586/libnetpbm-devel-10.34-8.4mdv2008.0.i586.rpm
531166ffe9840c4acc26df23709e22fd 2008.0/i586/libnetpbm-static-devel-10.34-8.4mdv2008.0.i586.rpm
2a84ec450978bf42f52a5e769c1cae9d 2008.0/i586/netpbm-10.34-8.4mdv2008.0.i586.rpm
575de6109fea969f98e92e94b042dda0 2008.0/SRPMS/netpbm-10.34-8.4mdv2008.0.src.rpm
Mandriva Linux 2008.0/X86_64:
290a4caf55e0363712b56c275ba04ce0 2008.0/x86_64/lib64netpbm10-10.34-8.4mdv2008.0.x86_64.rpm
f6ae08756eaa4dce2627a85085e17b46 2008.0/x86_64/lib64netpbm-devel-10.34-8.4mdv2008.0.x86_64.rpm
2b49a1468231d86ad516b747af7984c2 2008.0/x86_64/lib64netpbm-static-devel-10.34-8.4mdv2008.0.x86_64.rpm
e866478a921c955840a333ecf80ac46c 2008.0/x86_64/netpbm-10.34-8.4mdv2008.0.x86_64.rpm
575de6109fea969f98e92e94b042dda0 2008.0/SRPMS/netpbm-10.34-8.4mdv2008.0.src.rpm
Mandriva Linux 2009.0:
ee1ea92d859e3e7373775fe5a3a22bbb 2009.0/i586/libnetpbm10-10.35.46-1.2mdv2009.0.i586.rpm
ace5a3ba900ad6a557588475e3bef3a8 2009.0/i586/libnetpbm-devel-10.35.46-1.2mdv2009.0.i586.rpm
00b33b00223a2cc933b4c8ec0f0abdb1 2009.0/i586/libnetpbm-static-devel-10.35.46-1.2mdv2009.0.i586.rpm
bd9d8c7dbf383bd9784f64557d63b5fc 2009.0/i586/netpbm-10.35.46-1.2mdv2009.0.i586.rpm
bfd3a9bc163067b71537abc9d400ff00 2009.0/SRPMS/netpbm-10.35.46-1.2mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
f635d7ef616dee3da2a71674daeaaf52 2009.0/x86_64/lib64netpbm10-10.35.46-1.2mdv2009.0.x86_64.rpm
365fe028aa3a53a6bc7929a5bbbef00f 2009.0/x86_64/lib64netpbm-devel-10.35.46-1.2mdv2009.0.x86_64.rpm
c3dbd8ad3f9b592e39a8f2141c872a45 2009.0/x86_64/lib64netpbm-static-devel-10.35.46-1.2mdv2009.0.x86_64.rpm
e5a66e406c325bfab3be1552d0b07898 2009.0/x86_64/netpbm-10.35.46-1.2mdv2009.0.x86_64.rpm
bfd3a9bc163067b71537abc9d400ff00 2009.0/SRPMS/netpbm-10.35.46-1.2mdv2009.0.src.rpm
Mandriva Linux 2009.1:
779d04e7a3aaebcad8466198512da832 2009.1/i586/libnetpbm10-10.35.59-1.1mdv2009.1.i586.rpm
cab822b6ada4810e636f59fd5f973f89 2009.1/i586/libnetpbm-devel-10.35.59-1.1mdv2009.1.i586.rpm
a3368b94646adc06eaf89ce10eb5a2b9 2009.1/i586/libnetpbm-static-devel-10.35.59-1.1mdv2009.1.i586.rpm
93b6279a74590026b1e16ea7473ddb97 2009.1/i586/netpbm-10.35.59-1.1mdv2009.1.i586.rpm
55555730694672069956ccccaa0d890b 2009.1/SRPMS/netpbm-10.35.59-1.1mdv2009.1.src.rpm
Mandriva Linux 2009.1/X86_64:
8f412a3a9e0a3655c6431f75d2694ef9 2009.1/x86_64/lib64netpbm10-10.35.59-1.1mdv2009.1.x86_64.rpm
3ff3df2d1bd3ae81be50de6f62c81cf4 2009.1/x86_64/lib64netpbm-devel-10.35.59-1.1mdv2009.1.x86_64.rpm
bc23d8105469a7d597b71bf51d49dcb8 2009.1/x86_64/lib64netpbm-static-devel-10.35.59-1.1mdv2009.1.x86_64.rpm
5a5158cf3c372be6c9a0db33e026f1f7 2009.1/x86_64/netpbm-10.35.59-1.1mdv2009.1.x86_64.rpm
55555730694672069956ccccaa0d890b 2009.1/SRPMS/netpbm-10.35.59-1.1mdv2009.1.src.rpm
Mandriva Linux 2010.0:
4fa5cc0fd4bc8a7886d33c6ba937e701 2010.0/i586/libnetpbm10-10.35.64-4.1mdv2010.0.i586.rpm
aeecf29a8b0ba59493cee20f7057356d 2010.0/i586/libnetpbm-devel-10.35.64-4.1mdv2010.0.i586.rpm
e2fa1d2b95b9adeb79bbb3fab08a2b6d 2010.0/i586/libnetpbm-static-devel-10.35.64-4.1mdv2010.0.i586.rpm
c11938419e48ae2ac9d237955324e899 2010.0/i586/netpbm-10.35.64-4.1mdv2010.0.i586.rpm
efb8bf31dfedfe90726c343daa917e1a 2010.0/SRPMS/netpbm-10.35.64-4.1mdv2010.0.src.rpm
Mandriva Linux 2010.0/X86_64:
7d1d1796786b7001c3120fdbd39c6ce2 2010.0/x86_64/lib64netpbm10-10.35.64-4.1mdv2010.0.x86_64.rpm
5c36756ee54b446e5769490f38d9c7a9 2010.0/x86_64/lib64netpbm-devel-10.35.64-4.1mdv2010.0.x86_64.rpm
d87677cb5902e4b770da31d09d5074ee 2010.0/x86_64/lib64netpbm-static-devel-10.35.64-4.1mdv2010.0.x86_64.rpm
d50867f0735a4dc22292d2e5e86a36fa 2010.0/x86_64/netpbm-10.35.64-4.1mdv2010.0.x86_64.rpm
efb8bf31dfedfe90726c343daa917e1a 2010.0/SRPMS/netpbm-10.35.64-4.1mdv2010.0.src.rpm
Corporate 4.0:
4ce1174f09ffd1a201d2700d92eb9159 corporate/4.0/i586/libnetpbm10-10.29-1.7.20060mlcs4.i586.rpm
0b23ea99e1ef82b0269b451c8a3c8ca5 corporate/4.0/i586/libnetpbm10-devel-10.29-1.7.20060mlcs4.i586.rpm
ed76d9c0709dd4096bb048c606949496 corporate/4.0/i586/libnetpbm10-static-devel-10.29-1.7.20060mlcs4.i586.rpm
eb98ce5306a3d4f48f86f9eb0ff651cb corporate/4.0/i586/netpbm-10.29-1.7.20060mlcs4.i586.rpm
ca94f75da48df2b08f0738885e699d10 corporate/4.0/SRPMS/netpbm-10.29-1.7.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
601edb209c88048519d828436aaa87a4 corporate/4.0/x86_64/lib64netpbm10-10.29-1.7.20060mlcs4.x86_64.rpm
b9fa69d18db9736e078a4a37f0e8dd53 corporate/4.0/x86_64/lib64netpbm10-devel-10.29-1.7.20060mlcs4.x86_64.rpm
008db822b44e044cffd17654a931edba corporate/4.0/x86_64/lib64netpbm10-static-devel-10.29-1.7.20060mlcs4.x86_64.rpm
03b9c9b998d779d41d199d4fe4fc7ba3 corporate/4.0/x86_64/netpbm-10.29-1.7.20060mlcs4.x86_64.rpm
ca94f75da48df2b08f0738885e699d10 corporate/4.0/SRPMS/netpbm-10.29-1.7.20060mlcs4.src.rpm
Mandriva Enterprise Server 5:
c63f9537584cf106e536f7d83bc54081 mes5/i586/libnetpbm10-10.35.46-1.2mdvmes5.i586.rpm
986eff41c0358f28b28f611fd249adf3 mes5/i586/libnetpbm-devel-10.35.46-1.2mdvmes5.i586.rpm
816e2b8b6ad495cc614a3e2173121e5c mes5/i586/libnetpbm-static-devel-10.35.46-1.2mdvmes5.i586.rpm
5e45816cc9bec160a2320d303b13f8a6 mes5/i586/netpbm-10.35.46-1.2mdvmes5.i586.rpm
2713691fd47d18d4af1467db4ca7329c mes5/SRPMS/netpbm-10.35.46-1.2mdvmes5.src.rpm
Mandriva Enterprise Server 5/X86_64:
e3368f94a486303a50f9abce9f7d657a mes5/x86_64/lib64netpbm10-10.35.46-1.2mdvmes5.x86_64.rpm
6f83d0317f9571169c4fe0db914529d9 mes5/x86_64/lib64netpbm-devel-10.35.46-1.2mdvmes5.x86_64.rpm
6c844b6530612960b3bbf1ac0d701faf mes5/x86_64/lib64netpbm-static-devel-10.35.46-1.2mdvmes5.x86_64.rpm
793de9149882fb1cf01733a04fd5e617 mes5/x86_64/netpbm-10.35.46-1.2mdvmes5.x86_64.rpm
2713691fd47d18d4af1467db4ca7329c mes5/SRPMS/netpbm-10.35.46-1.2mdvmes5.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFLfAR2mqjQ0CJFipgRAm3UAKDD0sda+6F2DGdFVR1NArF0GU5qCgCgu+ON
BjPj/Zm5Th1AhYlHWW7nQfY=
=HT3Q
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFLfe0J/iFOrG6YcBERAleaAJ9Y9oHeGIhIIWfSz3+rAVY3wV06RACgotzM
ScIhdIoZRwIvlNuSi/CkD4k=
=gp83
-----END PGP SIGNATURE-----