Bug 175405
| Summary: | CVE-2005-3964 Open Motif libUil Buffer Overflows | ||
|---|---|---|---|
| Product: | [Retired] Fedora Legacy | Reporter: | John Dalbec <jpdalbec> |
| Component: | openmotif | Assignee: | Fedora Legacy Bugs <bugs> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | deisenst |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| URL: | http://www.securityfocus.com/bid/15686/info | ||
| Whiteboard: | impact=moderate, LEGACY, rh73, rh90, 1, 2, 3, NEEDSWORK | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2007-08-30 20:01:00 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 174815 | ||
| Bug Blocks: | |||
|
Description
John Dalbec
2005-12-09 20:52:03 UTC
05.49.27 CVE: Not Available Platform: Cross Platform Title: Open Motif libUil Diag_issue_diagnostic Buffer Overflow Description: Open Motif is an open version of the Motif GUI toolkit. A buffer overflow vulnerability affects libUil and can leave applications which link to the library vulnerable. The issue exists in the "diag_issue_diagnostic()" function and is caused due to the use of the "vsprintf()" libc procedure. Open Motif version 2.2.3 is affected. Ref: http://www.securityfocus.com/bid/15684/info I looked up both bid 15684 and 15686 at securityfocus, and it appears that these two vulnerabilities are both addressed in CVE-2005-3964 (though that CVE is not mentioned in either bid). So I believe that these issues are the same as what this bug ticket was opened for. On April 4th, RHEL issued RHSA-2006:0272 for this issue, for RHEL 2.1, 3, & 4. <http://rhn.redhat.com/errata/RHSA-2006-0272.html> This leads me to believe that this overflow issue affects all of our distros. "A number of buffer overflow flaws were discovered in OpenMotif's libUil library. It is possible for an attacker to execute arbitrary code as a victim who has been tricked into executing a program linked against OpenMotif, which then loads a malicious User Interface Language (UIL) file. (CVE-2005-3964) "Users of OpenMotif are advised to upgrade to these erratum packages, which contain a backported security patch to correct this issue." This issue was tackled for RHEL in Bug #174814, and should be tackled for FC4 in Bug #174815 (but doesn't seem to be yet). This issue has been tackled by Thomas Woerner for FC4 in Bug #174815 now, but still needs fixing for the other Fedora-Legacy-supported releases -- at least FC3 now. Even though Legacy has dropped support for FC1 and FC2 at this time, should we still issue updated packages for openmotif for those (since this bug was opened when we were still supporting those releases?) (In reply to comment #3) > > Even though Legacy has dropped support for FC1 and FC2 at this time, should we > still issue updated packages for openmotif for those (since this bug was opened > when we were still supporting those releases?) yes, if possible Fedora Legacy project has ended. These will not be fixed by Fedora Legacy. |