Bug 152783 - CAN-2004-0753,0782,0783,0788 gtk2 multiple problems
Keywords:
Status: CLOSED DUPLICATE of bug 155510
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: gtk2
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL: https://rhn.redhat.com/errata/RHSA-20...
Whiteboard: LEGACY, QA, rh73, rh90, verify-rhl9, ...
Depends On:
Blocks:
Reported: 2004-09-15 19:29 UTC by Marc Deslauriers
Modified: 2007-04-18 17:22 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-06-18 21:04:21 UTC
Embargoed:


Description David Lawrence 2005-03-30 23:27:19 UTC
During testing of a previously fixed flaw in Qt (CAN-2004-0691), a flaw was
discovered in the BMP image processor of gtk2. An attacker could create a
carefully crafted BMP file which would cause an application to enter an
infinite loop and not respond to user input when the file was opened by a
victim. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0753 to this issue.

During a security audit Chris Evans discovered a stack and a heap overflow
in the XPM image decoder. An attacker could create a carefully crafted XPM
file which could cause an application linked with gtk2 to crash or possibly
execute arbitrary code when the file was opened by a victim.
(CAN-2004-0782, CAN-2004-0783)

Chris Evans also discovered an integer overflow in the ICO image decoder.
An attacker could create a carefully crafted ICO file which could cause an
application linked with gtk2 to crash when the file was opened by a victim.
(CAN-2004-0788)

This updated gtk2 package also fixes a few key combination bugs on various
X servers, such as Hummingbird, ReflectionX, and X-Win32. If a server was
configured to use the Swiss German, Swiss French, or France French keyboard
layouts, Mode_Switched characters were unable to be entered within GTK
based applications.

See:
https://rhn.redhat.com/errata/RHSA-2004-466.html



------- Additional Comments From michal 2004-09-15 19:38:53 ----

Created an attachment (id=843)
patch for rh73 to fix issues with xmp and ico

This is a fix for CAN-2004-0782, CAN-2004-0783 (xpm decoder issues) and
CAN-2004-0788 (ico decoder issues) to be applied on top of
gtk2-2.0.2-4 as distributed with the original RH73.  As far as bmp is
concerned there is precisely the same issue as with gdk-pixbuf.  The
code is different, it is not even clear if it is affected by that bug,
and "borrowing" io-bmp.c from a fixed gdk-pixbuf-0.22.0 is, unfortunately,
not straightforward.

Code recompiled with this patch is doing fine so far.  The library is not
that widely used (but with flash-plugin on a list of "customers").



------- Additional Comments From marcdeslauriers 2004-09-19 13:09:21 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages for 7.3 and 9 to QA:

Patches in 9 are based on rhel3. Patch in 7.3 is Michal's.

Changelog 7.3:
* Sun Sep 19 2004 Marc Deslauriers <marcdeslauriers> 2.0.2-4.1.legacy
- - Added security patch for CAN-2004-0782, CAN-2004-0783, CAN-2004-0788

Changelog 9:
* Sun Sep 19 2004 Marc Deslauriers <marcdeslauriers> 2.2.1-4.1.legacy
- - add security fixes for CAN-2004-0753, CAN-2004-0782,
  CAN-2004-0783, CAN-2004-0788

7.3:
0978ec2ee73f42f616ccdfc2ac1f3223249f250a  gtk2-2.0.2-4.1.legacy.i386.rpm
3a70246ab69d250b8bd0acc77bfe58924e8402c1  gtk2-2.0.2-4.1.legacy.src.rpm
d93d424231ab6eb9257200f2c335a4d6a53d4259  gtk2-devel-2.0.2-4.1.legacy.i386.rpm

9:
d16738071203084eae5b8075124542693ece6241  gtk2-2.2.1-4.1.legacy.i386.rpm
b6b9107c6cb7d4e54cbdd78ccb996e75a458b1a2  gtk2-2.2.1-4.1.legacy.src.rpm
47668f55e73904ae4d4ff89981245210343521b1  gtk2-devel-2.2.1-4.1.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/gtk2-2.0.2-4.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/gtk2-2.0.2-4.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/gtk2-devel-2.0.2-4.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/gtk2-2.2.1-4.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/gtk2-2.2.1-4.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/gtk2-devel-2.2.1-4.1.legacy.i386.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBThG1LMAs/0C4zNoRAtckAJ4plT/kLFhOzxRtOTmxSlLpJM0sBgCgnLiM
7VOAeDxI8ilDKXdeJpvyEY0=
=1l5u
-----END PGP SIGNATURE-----




------- Additional Comments From ckelley 2004-10-21 12:27:14 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
3a70246ab69d250b8bd0acc77bfe58924e8402c1  gtk2-2.0.2-4.1.legacy.src.rpm
 
 - gtk+-2.0.2-sec.patch is fairly straightforward, looks good
 - spec file looks good; patches all applied fine
 - package built without issue
 - binary package fuzzily matches redhat's gtk2-2.0.2-4, with the caveat
   that it linked against libgdk-x11-2.0.so.0.0.2 instead of
   libgdk-x11-2.0.so.0; but that will go away on mach
 - nothing really uses gtk2 on redhat 7.3;  I compiled gaim-1.0.2, which
   gave the -devel package a good workout.  It ran just fine.
 
PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFBeDevyQ+yTHz+jJkRAvX7AJ45E3RxyCfFSqQvhmRMzSspiqm6DwCfTfEU
BgSHbZPgHNpMCAy6IJeGc8g=
=0a6T
-----END PGP SIGNATURE-----




------- Additional Comments From pekkas 2004-12-15 09:45:00 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reviewed RHL9 SRPM using rpm-build-compare.sh.

 - tarball integrity OK
 - spec file changes OK
 - patches identical to those in RHEL3, OK.
 - compiling or running not tested.

+PUBLISH

b6b9107c6cb7d4e54cbdd78ccb996e75a458b1a2  gtk2-2.2.1-4.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBwJQMGHbTkzxSL7QRAjLbAKCVDMHoDOIyYOy1VvS6wM4fGJEw0wCgjuk+
NdD4p0fkiAtn2L6KFcneb28=
=ccdv
-----END PGP SIGNATURE-----




------- Additional Comments From pekkas 2005-02-21 09:07:58 ----

Reminder -- This has been in the "Packages waiting to be built for
updates-testing" pile for quite some time now...




------- Additional Comments From dom 2005-03-06 14:10:57 ----

packages were released to updates-testing



------- Bug moved to this database by dkl 2005-03-30 18:27 -------

This bug previously known as bug 2073 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2073
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
patch for rh73 to fix issues with xmp and ico
https://bugzilla.fedora.us/attachment.cgi?action=view&id=843

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.



Comment 1 Pekka Savola 2005-05-11 09:05:32 UTC
As nobody appears to be verifying this, it might make sense to wait for #155510
(waiting for PUBLISH), which fixes an additional gtk issue.

Comment 2 mschout 2005-05-13 17:46:43 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

RHL7.3 verify

sha1:
804021fcabd265dbf90eaf0ea5b5fa8e8e60a12b  gtk2-2.0.2-4.1.legacy.1.i386.rpm
3e1abc389122c5a5a76c4007d9c59584aabd0234  gtk2-devel-2.0.2-4.1.legacy.1.i386.rpm

signatures:
gtk2-2.0.2-4.1.legacy.1.i386.rpm: md5 gpg OK
gtk2-devel-2.0.2-4.1.legacy.1.i386.rpm: md5 gpg OK

packages install without any errors or warnings.

Gaim, which uses libgtk-x11-2.0.so.0 runs without any problems.

+VERIFY RHL7.3
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFChOf7+CqvSzp9LOwRAvyRAJ9Dow72/xMViyrExl4HqLEw0/g7dwCeLeo7
fwXZPyoX7YKSVky97bpVV68=
=26hK
-----END PGP SIGNATURE-----

Comment 3 mschout 2005-05-13 17:49:47 UTC
oh, sorry Pekka.. I missed your comment about waiting for #155510. I will wait
to do the rhl9 verify.

Comment 4 Pekka Savola 2005-06-16 12:35:52 UTC
Unless superseded, this times out in 4 weeks.

Comment 5 Pekka Savola 2005-06-18 21:04:21 UTC
The newer update is in "needsbuild", so closing this (hopefully we can get verify
for the newer package when it has been rebuilt).

*** This bug has been marked as a duplicate of 155510 ***
