Bug 152783 - CAN-2004-0753,0782,0783,0788 gtk2 multiple problems
CAN-2004-0753,0782,0783,0788 gtk2 multiple problems
Status: CLOSED DUPLICATE of bug 155510
Product: Fedora Legacy
Classification: Retired
Component: gtk2 (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
https://rhn.redhat.com/errata/RHSA-20...
LEGACY, QA, rh73, rh90, verify-rhl9, ...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-09-15 15:29 EDT by Marc Deslauriers
Modified: 2007-04-18 13:22 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-06-18 17:04:21 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Lawrence 2005-03-30 18:27:19 EST
During testing of a previously fixed flaw in Qt (CAN-2004-0691), a flaw was
discovered in the BMP image processor of gtk2. An attacker could create a
carefully crafted BMP file which would cause an application to enter an
infinite loop and not respond to user input when the file was opened by a
victim. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0753 to this issue.

During a security audit Chris Evans discovered a stack and a heap overflow
in the XPM image decoder. An attacker could create a carefully crafted XPM
file which could cause an application linked with gtk2 to crash or possibly
execute arbitrary code when the file was opened by a victim.
(CAN-2004-0782, CAN-2004-0783)

Chris Evans also discovered an integer overflow in the ICO image decoder.
An attacker could create a carefully crafted ICO file which could cause an
application linked with gtk2 to crash when the file was opened by a victim.
(CAN-2004-0788)

This updated gtk2 package also fixes a few key combination bugs on various
X servers, such as Hummingbird, ReflectionX, and X-Win32. If a server was
configured to use the Swiss German, Swiss French, or France French keyboard
layouts, Mode_Switched characters were unable to be entered within GTK
based applications.

See:
https://rhn.redhat.com/errata/RHSA-2004-466.html



------- Additional Comments From michal@harddata.com 2004-09-15 19:38:53 ----

Created an attachment (id=843)
patch for rh73 to fix issues with xmp and ico

This is a fix for CAN-2004-0782, CAN-2004-0783 (xmp decoder issues) and
CAN-2004-0788 (ico decoder issues) to be applied on the top of
gtk2-2.0.2-4 as distributed with the original RH73.  As far as bmp is
concerned there is precisely the same issue as with gdk-pixbuf.  The
code is different, it is not even clear if it is affected by that bug,
and "borrowing" io-bmp.c from a fixed gdk-pixbuf-0.22.0 is, unfortunately,
not straightforward.

A code recompiled with this patch so far is doing fine.  The library is not
that widely used (but with flash-plugin on a list of "customers").



------- Additional Comments From marcdeslauriers@videotron.ca 2004-09-19 13:09:21 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages for 7.3 and 9 to QA:

Patches in 9 are based on rhel3. Patch in 7.3 is Michal's.

Changelog 7.3:
* Sun Sep 19 2004 Marc Deslauriers <marcdeslauriers@videotron.ca> 2.0.2-4.1.legacy
- - Added security patch for CAN-2004-0782, CAN-2004-0783, CAN-2004-0788

Changelog 9:
* Sun Sep 19 2004 Marc Deslauriers <marcdeslauriers@videotron.ca> 2.2.1-4.1.legacy
- - add security fixes for CAN-2004-0753, CAN-2004-0782,
  CAN-2004-0783, CAN-2004-0788

7.3:
0978ec2ee73f42f616ccdfc2ac1f3223249f250a  gtk2-2.0.2-4.1.legacy.i386.rpm
3a70246ab69d250b8bd0acc77bfe58924e8402c1  gtk2-2.0.2-4.1.legacy.src.rpm
d93d424231ab6eb9257200f2c335a4d6a53d4259  gtk2-devel-2.0.2-4.1.legacy.i386.rpm

9:
d16738071203084eae5b8075124542693ece6241  gtk2-2.2.1-4.1.legacy.i386.rpm
b6b9107c6cb7d4e54cbdd78ccb996e75a458b1a2  gtk2-2.2.1-4.1.legacy.src.rpm
47668f55e73904ae4d4ff89981245210343521b1  gtk2-devel-2.2.1-4.1.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/gtk2-2.0.2-4.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/gtk2-2.0.2-4.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/gtk2-devel-2.0.2-4.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/gtk2-2.2.1-4.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/gtk2-2.2.1-4.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/gtk2-devel-2.2.1-4.1.legacy.i386.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBThG1LMAs/0C4zNoRAtckAJ4plT/kLFhOzxRtOTmxSlLpJM0sBgCgnLiM
7VOAeDxI8ilDKXdeJpvyEY0=
=1l5u
-----END PGP SIGNATURE-----




------- Additional Comments From ckelley@ibnads.com 2004-10-21 12:27:14 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
3a70246ab69d250b8bd0acc77bfe58924e8402c1  gtk2-2.0.2-4.1.legacy.src.rpm
 
 - gtk+-2.0.2-sec.patch is fairly straightforward, looks good
 - spec file looks good; patches all applied fine
 - package built without issue
 - binary package fuzzily matches redhat's gtk2-2.0.2-4, with the caveot
   that it linked against libgdk-x11-2.0.so.0.0.2 instead of
   libgdk-x11-2.0.so.0; but that will go away on mach
 - nothing really uses gtk2 on redhat 7.3;  I compiled gaim-1.0.2, which
   gave the -devel package a good workout.  It ran just fine.
 
PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFBeDevyQ+yTHz+jJkRAvX7AJ45E3RxyCfFSqQvhmRMzSspiqm6DwCfTfEU
BgSHbZPgHNpMCAy6IJeGc8g=
=0a6T
-----END PGP SIGNATURE-----




------- Additional Comments From pekkas@netcore.fi 2004-12-15 09:45:00 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reviewed RHL9 SRPM using rpm-build-compare.sh.

 - tarball integrity OK
 - spec file changes OK
 - patches identical to those in RHEL3, OK.
 - compiling or running not tested.

+PUBLISH

b6b9107c6cb7d4e54cbdd78ccb996e75a458b1a2  gtk2-2.2.1-4.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBwJQMGHbTkzxSL7QRAjLbAKCVDMHoDOIyYOy1VvS6wM4fGJEw0wCgjuk+
NdD4p0fkiAtn2L6KFcneb28=
=ccdv
-----END PGP SIGNATURE-----




------- Additional Comments From pekkas@netcore.fi 2005-02-21 09:07:58 ----

Reminder -- This has been in the "Packages waiting to be built for
updates-testing" pile for quite some time now...




------- Additional Comments From dom@earth.li 2005-03-06 14:10:57 ----

packages were released to updates-testing



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:27 -------

This bug previously known as bug 2073 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2073
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
patch for rh73 to fix issues with xmp and ico
https://bugzilla.fedora.us/attachment.cgi?action=view&id=843

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 Pekka Savola 2005-05-11 05:05:32 EDT
As nobody appears to be verifying this, it might make sense to wait for #155510
(waiting for PUBLISH), which fixes and additional gtk issue.
Comment 2 mschout 2005-05-13 13:46:43 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

RHL7.3 verify

sha1:
804021fcabd265dbf90eaf0ea5b5fa8e8e60a12b  gtk2-2.0.2-4.1.legacy.1.i386.rpm
3e1abc389122c5a5a76c4007d9c59584aabd0234  gtk2-devel-2.0.2-4.1.legacy.1.i386.rpm

signatures:
tk2-2.0.2-4.1.legacy.1.i386.rpm: md5 gpg OK
gtk2-devel-2.0.2-4.1.legacy.1.i386.rpm: md5 gpg OK

packages install with out any errors or warnings.

Gaim, which uses libgtk-x11-2.0.so.0 runs without any problems.

+VERIFY RHL7.3
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFChOf7+CqvSzp9LOwRAvyRAJ9Dow72/xMViyrExl4HqLEw0/g7dwCeLeo7
fwXZPyoX7YKSVky97bpVV68=
=26hK
-----END PGP SIGNATURE-----
Comment 3 mschout 2005-05-13 13:49:47 EDT
oh, sorry Pekka.. I missed your comment about waiting for #155510. I will wait
to do the rhl9 verify.
Comment 4 Pekka Savola 2005-06-16 08:35:52 EDT
Unless superceded, this timeouts in 4 weeks.
Comment 5 Pekka Savola 2005-06-18 17:04:21 EDT
The newer update is in "needsbuild", so closing this (hopefully we can get verify
for the newer package when it has been rebuilt).

*** This bug has been marked as a duplicate of 155510 ***

Note You need to log in before you can comment on or make changes to this bug.