secu...

Thomas Lotterer Wed, 04 Aug 2004 07:00:17 -0700

  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________


  Server: cvs.openpkg.org                  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-web                      Date:   04-Aug-2004 16:00:20
  Branch: HEAD                             Handle: 2004080415001603

  Added files:
    openpkg-web/security    OpenPKG-SA-2004.035-png.txt
  Modified files:
    openpkg-web             security.txt security.wml

  Log:
    SA-2004.035-png; CAN-2004-0597, CAN-2004-0598, CAN-2004-0599

  Summary:
    Revision    Changes     Path
    1.89        +1  -0      openpkg-web/security.txt
    1.110       +1  -0      openpkg-web/security.wml
    1.1         +130 -0     openpkg-web/security/OpenPKG-SA-2004.035-png.txt
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  ============================================================================
  $ cvs diff -u -r1.88 -r1.89 security.txt
  --- openpkg-web/security.txt  22 Jul 2004 14:34:44 -0000      1.88
  +++ openpkg-web/security.txt  4 Aug 2004 14:00:16 -0000       1.89
  @@ -1,3 +1,4 @@
  +04-Aug-2004: Security Advisory: S<OpenPKG-SA-2004.035-png>
   22-Jul-2004: Security Advisory: S<OpenPKG-SA-2004.034-php>
   22-Jul-2004: Security Advisory: S<OpenPKG-SA-2004.033-samba>
   16-Jul-2004: Security Advisory: S<OpenPKG-SA-2004.032-apache>
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  ============================================================================
  $ cvs diff -u -r1.109 -r1.110 security.wml
  --- openpkg-web/security.wml  22 Jul 2004 14:34:44 -0000      1.109
  +++ openpkg-web/security.wml  4 Aug 2004 14:00:16 -0000       1.110
  @@ -76,6 +76,7 @@
   </define-tag>
   <box bdwidth=1 bdcolor="#a5a095" bdspace=10 bgcolor="#e5e0d5">
   <table cellspacing=0 cellpadding=0 border=0>
  +  <sa 2004.035 png>
     <sa 2004.034 php>
     <sa 2004.033 samba>
     <sa 2004.032 apache>
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2004.035-png.txt
  ============================================================================
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2004.035-png.txt
  --- /dev/null 2004-08-04 16:00:20 +0200
  +++ OpenPKG-SA-2004.035-png.txt       2004-08-04 16:00:20 +0200
  @@ -0,0 +1,130 @@
  +________________________________________________________________________
  +
  +OpenPKG Security Advisory                            The OpenPKG Project
  +http://www.openpkg.org/security.html              http://www.openpkg.org
  [EMAIL PROTECTED]                         [EMAIL PROTECTED]
  +OpenPKG-SA-2004.035                                          04-Aug-2004
  +________________________________________________________________________
  +
  +Package:             png
  +Vulnerability:       arbitrary code execution
  +OpenPKG Specific:    no
  +
  +Affected Releases:   Affected Packages:           Corrected Packages:          # 
PNG embedded
  +OpenPKG CURRENT      <= png-1.2.5-20040629        >= png-1.2.5-20040804        
#1.2.5
  +                     <= doxygen-1.3.8-20040725    >= doxygen-1.3.8-20040804    
#1.2.1
  +                     <= ghostscript-8.14-20040630 >= ghostscript-8.14-20040804 
#1.2.5
  +                     <= kde-qt-3.2.3-20040702     >= kde-qt-3.2.3-20040804     
#1.2.5
  +                     <= pdflib-6.0.0p1-20040713   >= pdflib-6.0.0p1-20040804   
#1.2.5 -pngpread.c
  +                     <= perl-tk-5.8.5-20040720    >= perl-tk-5.8.5-20040804    
#1.0.5, 1.2.5
  +                     <= qt-3.3.2-20040702         >= qt-3.3.2-20040804         
#1.2.5
  +png doxygen ghostscript kde-qt pdflib perl-tk qt
  +
  +OpenPKG 2.1          <= png-1.2.5-2.1.0           >= png-1.2.5-2.1.1           
#1.2.5
  +                     <= doxygen-1.3.7-2.1.0       >= doxygen-1.3.7-2.1.1       
#1.2.1
  +                     <= ghostscript-8.14-2.1.0    >= ghostscript-8.14-2.1.1    
#1.2.5
  +                     <= pdflib-6.0.0-2.1.0        >= pdflib-6.0.0-2.1.1        
#1.2.5 -pngpread.c
  +                     <= perl-tk-5.8.4-2.1.0       >= perl-tk-5.8.4-2.1.1       
#1.0.5, 1.2.5
  +                     <= qt-3.3.2-2.1.0            >= qt-3.3.2-2.1.1            
#1.2.5
  +png doxygen ghostscript pdflib perl-tk qt
  +
  +OpenPKG 2.0          <= png-1.2.5-2.0.2           >= png-1.2.5-2.0.3           
#1.2.5
  +                     <= doxygen-1.3.6-2.0.2       >= doxygen-1.3.6-2.0.3       
#1.2.1
  +                     <= ghostscript-8.13-2.0.2    >= ghostscript-8.13-2.0.3    
#1.2.5
  +                     <= pdflib-5.0.3-2.0.2        >= pdflib-5.0.3-2.0.3        
#1.2.5
  +                     <= perl-tk-5.8.3-2.0.2       >= perl-tk-5.8.3-2.0.3       
#1.0.5, 1.2.5
  +                     <= qt-3.2.3-2.0.2            >= qt-3.2.3-2.0.3            
#1.2.5
  +                     <= rrdtool-1.0.46-2.0.2      >= rrdtool-1.0.46-2.0.3      
#1.0.9
  +                     <= tetex-2.0.2-2.0.2         >= tetex-2.0.2-2.0.3         
#1.2.5
  +png doxygen ghostscript pdflib perl-tk qt rrdtool tetex
  +
  +Affected Releases:   Dependent Packages:
  +OpenPKG CURRENT      abiword analog apache autotrace blender cups emacs
  +                     firefox gd gdk-pixbuf ghostscript-esp gif2png gimp
  +                     gnuplot gqview graphviz gtk2 imagemagick imlib
  +                     latex2html lbreakout libwmf mozilla mplayer mrtg
  +                     nagios netpbm perl-tk php php3 php5 povray pstoedit
  +                     rrdtool scribus tetex transfig webalizer wml wv wx
  +                     xemacs xfig xine-ui xplanet xv zimg
  +
  +OpenPKG 2.1          analog apache autotrace emacs gd gdk-pixbuf gif2png
  +                     gimp gnuplot gqview graphviz gtk2 imagemagick
  +                     imlib latex2html libwmf mozilla netpbm perl-tk php
  +                     pstoedit rrdtool tetex transfig webalizer wml xfig
  +                     xv
  +
  +OpenPKG 2.0          apache emacs gd gdk-pixbuf gif2png gimp gnuplot
  +                     graphviz gtk2 imagemagick imlib latex2html libwmf
  +                     netpbm perl-tk php pstoedit transfig utotrace
  +                     webalizer wml xfig xv
  +
  +Description:
  +  According to a security advisory [0] from Chris Evans he found and
  +  fixed a couple of problems in the Portable Network Graphics (PNG)
  +  library libpng [1], some of which are security relevant. This OpenPKG
  +  update fixes all known issues.
  +
  +  A stack-based buffer overflow in libpng which can be triggered to run
  +  arbitrary code by a malicious png file. The Common Vulnerabilities and
  +  Exposures (CVE) project assigned the id CAN-2004-0597 [2] to the
  +  problem.
  +
  +  A NULL-pointer crash in libpng which can be triggered by a malicious
  +  png file. The Common Vulnerabilities and Exposures (CVE) project
  +  assigned the id CAN-2004-0598 [3] to the problem.
  +
  +  Various possible integer overflows in libpng which may have security
  +  consequences. The Common Vulnerabilities and Exposures (CVE) project
  +  assigned the id CAN-2004-0599 [4] to the problem.
  +
  +  Please check whether you are affected by running "<prefix>/bin/rpm
  +  -q png". If you have the "png" package installed and its version
  +  is affected (see above), we recommend that you immediately upgrade
  +  it (see Solution) and its dependent packages (see above), if any,
  +  too [5][6].
  +
  +Solution:
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [7][8], fetch it from the OpenPKG FTP service [9][10] or a mirror
  +  location, verify its integrity [11], build a corresponding binary RPM
  +  from it [5] and update your OpenPKG installation by applying the
  +  binary RPM [6]. For the most recent release OpenPKG 2.1, perform the
  +  following operations to permanently fix the security problem (for
  +  other releases adjust accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/2.1/UPD
  +  ftp> get png-1.2.5-2.1.1.src.rpm
  +  ftp> bye
  +  $ <prefix>/bin/openpkg rpm -v --checksig png-1.2.5-2.1.1.src.rpm
  +  $ <prefix>/bin/openpkg rpm --rebuild png-1.2.5-2.1.1.src.rpm
  +  $ su -
  +  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/png-1.2.5-2.1.1.*.rpm
  +
  +  Additionally, we recommend that you rebuild and reinstall
  +  all dependent packages (see above), if any, too [5][6].
  +________________________________________________________________________
  +
  +References:
  +  [0] http://www.example.com/bugfinder.html
  +  [1] http://www.libpng.org/pub/png/
  +  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597
  +  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598
  +  [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599
  +  [5] http://www.openpkg.org/tutorial.html#regular-source
  +  [6] http://www.openpkg.org/tutorial.html#regular-binary
  +  [7] ftp://ftp.openpkg.org/release/2.1/UPD/png-1.2.5-2.1.1.src.rpm
  +  [8] ftp://ftp.openpkg.org/release/2.0/UPD/png-1.2.5-2.0.3.src.rpm
  +  [9] ftp://ftp.openpkg.org/release/2.1/UPD/
  +  [10] ftp://ftp.openpkg.org/release/2.0/UPD/
  +  [11] http://www.openpkg.org/security.html#signature
  +________________________________________________________________________
  +
  +For security reasons, this advisory was digitally signed with the
  +OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the
  +OpenPKG project which you can retrieve from http://pgp.openpkg.org and
  +hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
  +for details on how to verify the integrity of this advisory.
  +________________________________________________________________________
  +
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

Reply via email to