During testing of a previously fixed flaw in Qt (CAN-2004-0691), a flaw was discovered in the BMP image processor of gtk2. An attacker could create a carefully crafted BMP file which would cause an application to enter an infinite loop and not respond to user input when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0753 to this issue.

During a security audit Chris Evans discovered a stack and a heap overflow in the XPM image decoder. An attacker could create a carefully crafted XPM file which could cause an application linked with gtk2 to crash or possibly execute arbitrary code when the file was opened by a victim. (CAN-2004-0782, CAN-2004-0783)

Chris Evans also discovered an integer overflow in the ICO image decoder. An attacker could create a carefully crafted ICO file which could cause an application linked with gtk2 to crash when the file was opened by a victim. (CAN-2004-0788)

This updated gtk2 package also fixes a few key combination bugs on various X servers, such as Hummingbird, ReflectionX, and X-Win32. If a server was configured to use the Swiss German, Swiss French, or France French keyboard layouts, Mode_Switched characters were unable to be entered within GTK based applications.

See: https://rhn.redhat.com/errata/RHSA-2004-466.html

------- Additional Comments From michal 2004-09-15 19:38:53 ----

Created an attachment (id=843)
patch for rh73 to fix issues with xmp and ico

This is a fix for CAN-2004-0782, CAN-2004-0783 (xpm decoder issues) and CAN-2004-0788 (ico decoder issues) to be applied on top of gtk2-2.0.2-4 as distributed with the original RH73.

As far as bmp is concerned there is precisely the same issue as with gdk-pixbuf. The code is different, it is not even clear if it is affected by that bug, and "borrowing" io-bmp.c from a fixed gdk-pixbuf-0.22.0 is, unfortunately, not straightforward.

Code recompiled with this patch is so far doing fine. The library is not that widely used (but with flash-plugin on a list of "customers").

------- Additional Comments From marcdeslauriers 2004-09-19 13:09:21 ----

Here are updated packages for 7.3 and 9 to QA:

Patches in 9 are based on rhel3. Patch in 7.3 is Michal's.

Changelog 7.3:
* Sun Sep 19 2004 Marc Deslauriers <marcdeslauriers> 2.0.2-4.1.legacy
- Added security patch for CAN-2004-0782, CAN-2004-0783, CAN-2004-0788

Changelog 9:
* Sun Sep 19 2004 Marc Deslauriers <marcdeslauriers> 2.2.1-4.1.legacy
- add security fixes for CAN-2004-0753, CAN-2004-0782, CAN-2004-0783, CAN-2004-0788

7.3:
0978ec2ee73f42f616ccdfc2ac1f3223249f250a gtk2-2.0.2-4.1.legacy.i386.rpm
3a70246ab69d250b8bd0acc77bfe58924e8402c1 gtk2-2.0.2-4.1.legacy.src.rpm
d93d424231ab6eb9257200f2c335a4d6a53d4259 gtk2-devel-2.0.2-4.1.legacy.i386.rpm

9:
d16738071203084eae5b8075124542693ece6241 gtk2-2.2.1-4.1.legacy.i386.rpm
b6b9107c6cb7d4e54cbdd78ccb996e75a458b1a2 gtk2-2.2.1-4.1.legacy.src.rpm
47668f55e73904ae4d4ff89981245210343521b1 gtk2-devel-2.2.1-4.1.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/gtk2-2.0.2-4.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/gtk2-2.0.2-4.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/gtk2-devel-2.0.2-4.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/gtk2-2.2.1-4.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/gtk2-2.2.1-4.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/gtk2-devel-2.2.1-4.1.legacy.i386.rpm

------- Additional Comments From ckelley 2004-10-21 12:27:14 ----

3a70246ab69d250b8bd0acc77bfe58924e8402c1 gtk2-2.0.2-4.1.legacy.src.rpm

- gtk+-2.0.2-sec.patch is fairly straightforward, looks good
- spec file looks good; patches all applied fine
- package built without issue
- binary package fuzzily matches redhat's gtk2-2.0.2-4, with the caveat that it linked against libgdk-x11-2.0.so.0.0.2 instead of libgdk-x11-2.0.so.0; but that will go away on mach
- nothing really uses gtk2 on redhat 7.3; I compiled gaim-1.0.2, which gave the -devel package a good workout. It ran just fine.

PUBLISH

------- Additional Comments From pekkas 2004-12-15 09:45:00 ----

Reviewed RHL9 SRPM using rpm-build-compare.sh.
- tarball integrity OK
- spec file changes OK
- patches identical to those in RHEL3, OK.
- compiling or running not tested.

+PUBLISH b6b9107c6cb7d4e54cbdd78ccb996e75a458b1a2 gtk2-2.2.1-4.1.legacy.src.rpm

------- Additional Comments From pekkas 2005-02-21 09:07:58 ----

Reminder -- This has been in the "Packages waiting to be built for updates-testing" pile for quite some time now...

------- Additional Comments From dom 2005-03-06 14:10:57 ----

packages were released to updates-testing

------- Bug moved to this database by dkl 2005-03-30 18:27 -------

This bug previously known as bug 2073 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2073
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
patch for rh73 to fix issues with xmp and ico
https://bugzilla.fedora.us/attachment.cgi?action=view&id=843

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
This bug either had no qa contact or an invalid one.
As nobody appears to be verifying this, it might make sense to wait for #155510 (waiting for PUBLISH), which fixes an additional gtk issue.
RHL7.3 verify

sha1:
804021fcabd265dbf90eaf0ea5b5fa8e8e60a12b gtk2-2.0.2-4.1.legacy.1.i386.rpm
3e1abc389122c5a5a76c4007d9c59584aabd0234 gtk2-devel-2.0.2-4.1.legacy.1.i386.rpm

signatures:
tk2-2.0.2-4.1.legacy.1.i386.rpm: md5 gpg OK
gtk2-devel-2.0.2-4.1.legacy.1.i386.rpm: md5 gpg OK

packages install without any errors or warnings. Gaim, which uses libgtk-x11-2.0.so.0, runs without any problems.

+VERIFY RHL7.3
Oh, sorry Pekka, I missed your comment about waiting for #155510. I will wait to do the rhl9 verify.
Unless superseded, this times out in 4 weeks.
The newer update is in "needsbuild", so closing this (hopefully we can get verify for the newer package when it has been rebuilt). *** This bug has been marked as a duplicate of 155510 ***
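The ICO integer overflow (CAN-2004-0788) and the XPM heap overflow described at the top of this bug are both cases of file-supplied image dimensions driving an allocation size. The C example below is added here and is not gtk2's or the patch's code: it shows the wrapping 32-bit size computation beside a checked 64-bit one on two constructed DIB headers; the header field offsets and the 64 MiB cap are assumptions for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Dimensions pulled from a DIB (BITMAPINFOHEADER) as embedded in BMP and ICO files. */
typedef struct { int32_t width; int32_t height; uint16_t bpp; } dib_dims;

/* Little-endian readers; the casts keep the shifts out of signed-int territory. */
static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t le16(const unsigned char *p) { return (uint16_t)(p[0] | ((uint16_t)p[1] << 8)); }

/* Reads width (offset 4), height (offset 8) and bit depth (offset 14) from a DIB header. */
int parse_dib_dims(const unsigned char *hdr, size_t len, dib_dims *d) {
    if (len < 16) return 0;                     /* header too short to hold the fields */
    d->width = (int32_t)le32(hdr + 4);
    d->height = (int32_t)le32(hdr + 8);
    d->bpp = le16(hdr + 14);
    return 1;
}

/* Bug class: width * 4 * height computed in 32 bits wraps, so a hostile header
 * yields a tiny allocation that the decoder then overruns while writing pixels. */
uint32_t unchecked_pixel_bytes(const dib_dims *d) {
    return (uint32_t)d->width * 4u * (uint32_t)d->height;   /* RGBA rows */
}

/* Hardened form: validate sign, depth and an upper bound, and do the product in 64 bits. */
#define MAX_PIXEL_BYTES (64u * 1024u * 1024u)   /* assumed cap for this illustration */
int checked_pixel_bytes(const dib_dims *d, size_t *out) {
    if (d->width <= 0 || d->height <= 0) return 0;
    if (d->bpp != 1 && d->bpp != 4 && d->bpp != 8 && d->bpp != 24 && d->bpp != 32) return 0;
    uint64_t total = (uint64_t)d->width * 4u * (uint64_t)d->height;
    if (total > MAX_PIXEL_BYTES) return 0;      /* also rejects everything that would wrap */
    *out = (size_t)total;
    return 1;
}

/* Constructed headers: a sane 16x16 32bpp icon, and one with width 0x40000000, height 4. */
static const unsigned char SANE_HDR[16]    = {40,0,0,0, 16,0,0,0,   16,0,0,0, 1,0, 32,0};
static const unsigned char HOSTILE_HDR[16] = {40,0,0,0, 0,0,0,0x40, 4,0,0,0,  1,0, 32,0};

/* Checked size for the sane header (1024 bytes), or 0 if it were rejected. */
size_t sane_size(void) {
    dib_dims d; size_t n = 0;
    return (parse_dib_dims(SANE_HDR, 16, &d) && checked_pixel_bytes(&d, &n)) ? n : 0;
}
/* 1 when the hostile header wraps to 0 bytes unchecked yet is rejected by the checked path. */
int hostile_rejected(void) {
    dib_dims d; size_t n;
    if (!parse_dib_dims(HOSTILE_HDR, 16, &d)) return 0;
    return unchecked_pixel_bytes(&d) == 0 && !checked_pixel_bytes(&d, &n);
}
```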