__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
                       ___  __ __    _     ___
                      /       |     /_\   /
                      \___  __|__  /   \  \___
__________________________________________________________

                         INFORMATION BULLETIN

                      Qt Package Vulnerabilities
              [Red Hat Security Advisory RHSA-2004:414-19]

August 23, 2004 17:00 GMT                                         Number O-201
                                                        [REVISED 24 Aug 2004]
                                                        [REVISED 30 Aug 2004]
______________________________________________________________________________

PROBLEM:       Qt is a software toolkit used in writing and maintaining
               graphical user interface applications for the X Window
               System. The library is used by software such as KDE (the
               Linux desktop) and Adobe Photoshop. Security flaws have been
               found in the qt packages.

PLATFORM:      Qt versions prior to 3.3.3
               Red Hat Desktop (v. 3)
               Red Hat Enterprise Linux AS (v. 2.1)
               Red Hat Enterprise Linux AS (v. 3)
               Red Hat Enterprise Linux ES (v. 2.1)
               Red Hat Enterprise Linux ES (v. 3)
               Red Hat Enterprise Linux WS (v. 2.1)
               Red Hat Enterprise Linux WS (v. 3)
               Red Hat Linux Advanced Workstation 2.1 for the Itanium
               Processor
               Red Hat Fedora Core 1 and Core 2
               Debian GNU/Linux 3.0 (woody)

DAMAGE:        An attacker could create a BMP file in such a way as to cause
               an application linked to Qt to crash or possibly execute
               arbitrary code when the file is opened by a victim. Also,
               flaws in the GIF, XPM, and JPEG decoders may cause Qt to
               crash.

SOLUTION:      Install the security patch.
______________________________________________________________________________

VULNERABILITY  The risk is LOW. Exploiting this vulnerability may allow
ASSESSMENT:    execution of arbitrary code with the privileges of the user
               viewing the image. Also, an attacker may craft an image file
               in such a way as to cause Qt to crash when opened by a
               victim.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-201.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2004-414.html
 ADDITIONAL LINKS:   http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/
                     http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
                     Debian - DSA-542-1:
                     http://www.debian.org/security/2004/dsa-542
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CAN-2004-0691, CAN-2004-0692, CAN-2004-0693
______________________________________________________________________________

REVISION HISTORY:
 8/24/04 - added link to Red Hat Fedora updates.
 8/30/04 - added link to Debian Security Advisory dsa-542-1.

[***** Start Red Hat Security Advisory RHSA-2004:414-19 *****]

Updated qt packages fix security issues

Advisory:        RHSA-2004:414-19
Last updated on: 2004-08-20

Affected Products:
 Red Hat Desktop (v. 3)
 Red Hat Enterprise Linux AS (v. 2.1)
 Red Hat Enterprise Linux AS (v. 3)
 Red Hat Enterprise Linux ES (v. 2.1)
 Red Hat Enterprise Linux ES (v. 3)
 Red Hat Enterprise Linux WS (v. 2.1)
 Red Hat Enterprise Linux WS (v. 3)
 Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor

CVEs (cve.mitre.org):
 CAN-2004-0691
 CAN-2004-0692
 CAN-2004-0693

Security Advisory Details:

Updated qt packages that fix security issues in several of the image
decoders are now available.

Qt is a software toolkit that simplifies the task of writing and
maintaining GUI (Graphical User Interface) applications for the X Window
System.

During a security audit, Chris Evans discovered a heap overflow in the BMP
image decoder in Qt versions prior to 3.3.3. An attacker could create a
carefully crafted BMP file in such a way that it would cause an
application linked with Qt to crash or possibly execute arbitrary code
when the file was opened by a victim.
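The BMP flaw above is a decoder trusting header fields it has not checked. As an added illustration (not Qt's code, and not the patch Red Hat shipped), the checker below validates the public BMP header layout (14-byte file header plus 40-byte BITMAPINFOHEADER) before any decoder is handed the file: palette entry counts beyond 2**bpp, pixel-data offsets that overlap the headers or lie past end of file, and images larger than the file contains are all rejected. The MAX_PIXELS policy limit and the build_bmp sample generator are assumptions made for this example.

```python
import struct

# Public BMP container layout (format facts, not Qt internals):
# file header: 'BM', bfSize, reserved, reserved, bfOffBits  (14 bytes)
FILE_HEADER = struct.Struct("<2sIHHI")
# BITMAPINFOHEADER: biSize, biWidth, biHeight, biPlanes, biBitCount, biCompression,
# biSizeImage, biXPelsPerMeter, biYPelsPerMeter, biClrUsed, biClrImportant (40 bytes)
INFO_HEADER = struct.Struct("<IiiHHIIiiII")
MAX_PIXELS = 64 * 1024 * 1024  # hypothetical policy limit for this checker


def check_bmp(data):
    """Return the list of header inconsistencies found; an empty list means it passed."""
    problems = []
    if len(data) < FILE_HEADER.size + INFO_HEADER.size:
        return ["file shorter than the 54-byte BMP headers"]
    sig, _bf_size, _, _, off_bits = FILE_HEADER.unpack_from(data, 0)
    if sig != b"BM":
        return ["missing 'BM' signature"]
    (bi_size, width, height, _planes, bpp, compression, _size_image,
     _, _, clr_used, _) = INFO_HEADER.unpack_from(data, FILE_HEADER.size)
    if bi_size < INFO_HEADER.size:
        problems.append("info header size %d smaller than 40" % bi_size)
    if bpp not in (1, 4, 8, 16, 24, 32):
        problems.append("unsupported bit depth %d" % bpp)
    if width <= 0 or height == 0:  # negative height is legal (top-down rows)
        problems.append("bad dimensions %dx%d" % (width, height))
    elif width * abs(height) > MAX_PIXELS:
        problems.append("pixel count exceeds policy limit")
    # A colour table only exists at 8 bpp or below and can never hold more than
    # 2**bpp entries; an oversized count makes a naive decoder copy past a
    # fixed-size palette buffer, which is exactly the bug class described above.
    if bpp <= 8:
        max_entries = 1 << bpp
        if clr_used > max_entries:
            problems.append("palette count %d exceeds %d" % (clr_used, max_entries))
        palette_bytes = (clr_used or max_entries) * 4
    else:
        palette_bytes = clr_used * 4
    headers_end = FILE_HEADER.size + bi_size + palette_bytes
    if off_bits < headers_end:
        problems.append("pixel data offset overlaps the headers or palette")
    if off_bits > len(data):
        problems.append("pixel data offset lies past end of file")
    if compression == 0 and not problems:  # BI_RGB: rows padded to 4 bytes
        stride = ((width * bpp + 31) // 32) * 4
        if off_bits + stride * abs(height) > len(data):
            problems.append("declared image larger than the file contains")
    return problems


def build_bmp(width, height, bpp, clr_used=0):
    """Constructed sample: uncompressed BMP with a full palette and zeroed pixel rows."""
    palette_bytes = (1 << bpp) * 4 if bpp <= 8 else 0
    stride = ((width * bpp + 31) // 32) * 4
    off_bits = FILE_HEADER.size + INFO_HEADER.size + palette_bytes
    pixels = bytes(stride * height)
    info = INFO_HEADER.pack(INFO_HEADER.size, width, height, 1, bpp, 0,
                            len(pixels), 2835, 2835, clr_used, 0)
    head = FILE_HEADER.pack(b"BM", off_bits + len(pixels), 0, 0, off_bits)
    return head + info + bytes(palette_bytes) + pixels
```

Run as a pre-filter on a mail gateway or upload handler, a non-empty result is a reason to quarantine the file and log the finding rather than pass it to an image library.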
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0691 to this issue.

Additionally, various flaws were discovered in the GIF, XPM, and JPEG
decoders in Qt versions prior to 3.3.3. An attacker could create carefully
crafted image files in such a way that it could cause an application
linked against Qt to crash when the file was opened by a victim. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the names CAN-2004-0692 and CAN-2004-0693 to these issues.

Users of Qt should update to these updated packages, which contain
backported patches and are not vulnerable to these issues.

Updated packages:
(The unlinked packages above are only available from the Red Hat Network)

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages.
To launch the Red Hat Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization guide
specific to your system:

    http://www.redhat.com/docs/manuals/enterprise/

Bugs fixed: (see bugzilla for more information)

 128720 - CAN-2004-0691 BMP decoder heap overflow

References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0691
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0692
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0693
 http://www.trolltech.com/developer/changes/changes-3.3.3.html

[***** End Red Hat Security Advisory RHSA-2004:414-19 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health
(NIH). CIAC is located at the Lawrence Livermore National Laboratory in
Livermore, California. CIAC is also a founding member of FIRST, the Forum
of Incident Response and Security Teams, a global organization established
to foster cooperation and coordination among computer security teams
worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.
If you are not part of these communities, please contact your agency's
response team to report incidents. Your agency's team will coordinate
with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a
world-wide organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-192: Red Hat Advisory: RHSA-2004:402-08
O-193: Linux Kernel Packages Updated
O-194: GNOME VFS "extfs" Vulnerability
O-195: Mozilla Updated Security Packages
O-196: "glibc" Buffer Overflow Vulnerabilities
O-197: Microsoft Exchange Server 5.5 Outlook Web Access Vulnerability
O-198: Rsync Unsanitised Input Processing
CIACTech04-002: Rootkit Backdoor Trigger Detection Strings
O-199: Cisco IOS Malformed OSPF Packet Causes Reload
O-200: Updated PAM Packages