Bug 174479 - CVE-2005-3350 CAN-2005-2974 libungif vulnerabilities
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: libungif
Version: unspecified
Hardware: i386 Linux
Priority: medium, Severity: medium
Assigned To: Fedora Legacy Bugs
http://rhn.redhat.com/errata/RHSA-200...
LEGACY, rh73, rh90, 1, 2
Reported: 2005-11-29 09:40 EST by John Dalbec
Modified: 2007-04-18 13:34 EDT
Doc Type: Bug Fix
Last Closed: 2006-03-16 19:49:24 EST
Description John Dalbec 2005-11-29 09:40:42 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20051012 Netscape/8.0.4

Description of problem:
05.45.11 CVE: CVE-2005-3350
Platform: Unix
Title: libungif Null Pointer Dereference Denial of Service
Description: libungif is a shared library of functions for loading and
saving GIF format images. It is prone to a denial of service
vulnerability. The library is susceptible to a null pointer
dereference when handling malformed GIF images. libungif versions
4.1.3 and earlier are vulnerable.
Ref: http://rhn.redhat.com/errata/RHSA-2005-828.html 

05.45.12 CVE: CAN-2005-2974
Platform: Cross Platform
Title: Libungif Colormap Handling Memory Corruption
Description: Libungif is a library used for reading and writing gif
images. It is prone to a memory corruption vulnerability. This issue
results from a boundary condition error and may allow an attacker to
trigger a denial of service condition or potentially execute arbitrary
code. Libungif versions 4.1.3 and 4.1 are vulnerable.
Ref: http://www.securityfocus.com/advisories/9660 

Version-Release number of selected component (if applicable):


How reproducible:
Didn't try


Additional info:
Comment 1 Marc Deslauriers 2006-02-19 18:31:44 EST
Here are updated packages to QA:

14238ce127e33a9d933d49b7287989b18c32e0c7  7.3/libungif-4.1.0-10.1.legacy.src.rpm
f5c29f5f40175d707139e86b1ef33dfc56a87135  9/libungif-4.1.0-15.1.legacy.src.rpm
f3384d782ddf9f17c75f62fc874e46bfd6966b53  1/libungif-4.1.0-16.1.legacy.src.rpm
71e8ce20a8a4ce09ff8f5e04d4a516cb1e79a8d0  2/libungif-4.1.0-17.2.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/libungif-4.1.0-10.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/libungif-4.1.0-15.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/libungif-4.1.0-16.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/libungif-4.1.0-17.2.legacy.src.rpm
Comment 2 Pekka Savola 2006-02-20 01:46:19 EST
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - patch verified to come from RHEL

+PUBLISH RHL73, RHL9, FC1, FC2

14238ce127e33a9d933d49b7287989b18c32e0c7  libungif-4.1.0-10.1.legacy.src.rpm
f5c29f5f40175d707139e86b1ef33dfc56a87135  libungif-4.1.0-15.1.legacy.src.rpm
f3384d782ddf9f17c75f62fc874e46bfd6966b53  libungif-4.1.0-16.1.legacy.src.rpm
71e8ce20a8a4ce09ff8f5e04d4a516cb1e79a8d0  libungif-4.1.0-17.2.legacy.src.rpm
Comment 3 Marc Deslauriers 2006-02-23 19:05:17 EST
Packages were sent to updates-testing
Comment 4 Pekka Savola 2006-03-01 02:42:54 EST
QA for RHL9.  Signatures OK, upgrades OK.
Tested ImageMagick which depends on this by looking at a couple of
GIFs, works OK.

+VERIFY RHL9
Comment 5 Pekka Savola 2006-03-10 02:16:20 EST
Timeout over.
Comment 6 Marc Deslauriers 2006-03-16 19:49:24 EST
Packages were pushed to updates.
