__________________________________________________________

              The U.S. Department of Energy
          Computer Incident Advisory Capability
__________________________________________________________

                     INFORMATION BULLETIN

                   Updated "gd" Packages
            [Red Hat Advisory: RHSA-2004:638-13]

December 17, 2004 19:00 GMT                                    Number P-071
[REVISED 18 Jan 2005]
[REVISED 26 May 2005]
[REVISED 23 Jun 2005]
[REVISED 2 Feb 2006]
______________________________________________________________________________

PROBLEM:       The "gd" packages contain a graphics library used for the
               dynamic creation of images such as PNG and JPEG. Integer
               overflows in the size calculations that feed the library's
               memory allocation calls (gdMalloc, gdCalloc, gdRealloc)
               produce undersized heap buffers, and therefore buffer
               overflows, when a crafted image is decoded.

PLATFORM:      Red Hat Enterprise Linux AS, ES, and WS (v. 2.1, v. 3, v. 4)
               Red Hat Desktop (v. 3, v. 4)
               Red Hat Linux Advanced Workstation 2.1 for the Itanium
               Processor
               SGI ProPack 3 Service Pack 3 for SGI Altix family of systems
               SGI ProPack 3 Service Pack 5 for SGI Altix family of systems

DAMAGE:        An attacker could execute arbitrary code.

SOLUTION:      Upgrade to Red Hat's latest packages (SGI ProPack users apply
               the SGI advisories linked below).
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. By creating a malicious image file, an
ASSESSMENT:    attacker could execute arbitrary code with the permissions of
               the user or service that decodes the image.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-071.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2004-638.html
 ADDITIONAL LINKS:   Also see CIAC BULLETIN P-033.
                     SGI Security Advisory Number 20050101-01-U
                     ftp://patches.sgi.com/support/free/security/advisories/20050101-01-U.asc
                     SGI Security Advisory Number 20050602-01-U
                     ftp://patches.sgi.com/support/free/security/advisories/20050602-01-U.asc
                     Red Hat RHSA-2006:0194-4
                     https://rhn.redhat.com/errata/RHSA-2006-0194.html
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CAN-2004-0941
                     CAN-2004-0990
______________________________________________________________________________

REVISION HISTORY:
 01/18/2005 - added link to updated packages for SGI ProPack 3 Service Pack 3
              for SGI Altix family of systems, available in SGI Security
              Advisory Number 20050101-01-U.
 05/26/2005 - revised to replace the Red Hat Bulletin, RHSA-2004:638-09, with
              the revised RHSA-2004:638-13.
 06/23/2005 - added link to SGI Advanced Linux Environment security update
              #39, Number 20050602-01-U, that provides patches for SGI ProPack
              3 Service Pack 5 for SGI Altix family of systems.
 02/02/2006 - revised to include a link to Red Hat RHSA-2006:0194-4 for Red
              Hat Desktop (v. 4) and Red Hat Enterprise Linux AS, ES, WS
              (v. 4).

[***** Start Red Hat Advisory: RHSA-2004:638-13 *****]

Updated gd packages fix security issues

Advisory:             RHSA-2004:638-13
Type:                 Security Advisory
Issued on:            2005-05-26
Last updated on:      2005-05-26
Affected Products:    Red Hat Desktop (v. 3)
                      Red Hat Enterprise Linux AS (v. 2.1)
                      Red Hat Enterprise Linux AS (v. 3)
                      Red Hat Enterprise Linux ES (v. 2.1)
                      Red Hat Enterprise Linux ES (v. 3)
                      Red Hat Enterprise Linux WS (v. 2.1)
                      Red Hat Enterprise Linux WS (v. 3)
                      Red Hat Linux Advanced Workstation 2.1 for the Itanium
                      Processor
CVEs (cve.mitre.org): CAN-2004-0941
                      CAN-2004-0990

Details

Updated gd packages that fix security issues with overflow in various memory
allocation calls are now available.

[Updated 24 May 2005]
Multilib packages have been added to this advisory.

The gd packages contain a graphics library used for the dynamic creation of
images such as PNG and JPEG.
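The allocation-size bug class that this advisory and its bug list (integer overflow in PNG handling; gdMalloc, gdCalloc, gdRealloc) refer to, shown as an added example. This is illustrative code written for this page, not gd's source and not Red Hat's backported patch: the header layout follows PNG's IHDR chunk, but the type and function names (ihdr_dims, parse_ihdr, plan_image_buffer_unchecked, plan_image_buffer_checked, bytes_written_past_end) and the sample header bytes are this example's own assumptions. The vulnerable planner multiplies width, channels and height in 32-bit arithmetic the way era code did with plain int; the hardened one checks each product before computing it and caps the result.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not gd's or Red Hat's code. Models the bug class in the
 * advisory: width and height come from an untrusted image header, are
 * multiplied to size one heap buffer for the whole image, and the product
 * wraps, so the allocator hands back far less than the decoder then writes.
 * uint32_t is used instead of the era's int so the wrap is well-defined.
 */

typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t channels;   /* bytes per pixel at 8 bits per channel */
} ihdr_dims;

/* Constructed 13-byte IHDR payload: width 65536, height 16385, 8-bit RGBA.
 * Row = 65536 * 4 = 262144 bytes; 262144 * 16385 = 2^32 + 2^18, which wraps
 * to exactly one row's worth of bytes in 32-bit arithmetic. */
const unsigned char sample_ihdr[13] = {
    0x00, 0x01, 0x00, 0x00,   /* width  (big-endian) */
    0x00, 0x00, 0x40, 0x01,   /* height (big-endian) */
    0x08,                     /* bit depth 8 */
    0x06,                     /* colour type 6: RGBA */
    0x00, 0x00, 0x00          /* compression, filter, interlace */
};

static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse an IHDR payload. Only 8-bit depths are handled, enough to show the
 * size calculation. Returns 1 on success, 0 on a malformed header. */
int parse_ihdr(const unsigned char *data, size_t len, ihdr_dims *out)
{
    static const uint32_t channels_for_type[7] = { 1, 0, 3, 1, 2, 0, 4 };
    if (len != 13 || data[8] != 8 || data[9] > 6 || channels_for_type[data[9]] == 0)
        return 0;
    out->width    = read_be32(data);
    out->height   = read_be32(data + 4);
    out->channels = channels_for_type[data[9]];
    return 1;
}

/* VULNERABLE pattern: rowbytes * height with no overflow check. The value
 * returned is what would be passed straight to the allocator. */
uint32_t plan_image_buffer_unchecked(const ihdr_dims *d)
{
    uint32_t rowbytes = d->width * d->channels;
    return rowbytes * d->height;              /* wraps modulo 2^32 */
}

/* Checked multiply: 0 if a * b does not fit in uint32_t, else 1 with result. */
static int mul_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* HARDENED pattern: every product is checked before it is computed, zero
 * dimensions are rejected, and the total is capped at max_bytes so a header
 * that is merely enormous (no wrap) cannot exhaust memory. Returns 1 and
 * stores the size on success, 0 if the image must be refused. Later libgd
 * releases carry a similar check, overflow2(); this example is not that code. */
int plan_image_buffer_checked(const ihdr_dims *d, uint32_t max_bytes, uint32_t *size_out)
{
    uint32_t rowbytes, total;
    if (d->width == 0 || d->height == 0 || d->channels == 0)
        return 0;
    if (!mul_u32_checked(d->width, d->channels, &rowbytes))
        return 0;
    if (!mul_u32_checked(rowbytes, d->height, &total))
        return 0;
    if (total > max_bytes)
        return 0;
    *size_out = total;
    return 1;
}

/* Bytes a row-by-row decode loop would write past the end of the buffer the
 * unchecked calculation allocated; 0 means the buffer is big enough. */
uint64_t bytes_written_past_end(const ihdr_dims *d)
{
    uint64_t needed = (uint64_t)d->width * d->channels * d->height;
    uint64_t got    = plan_image_buffer_unchecked(d);
    return needed > got ? needed - got : 0;
}

int main(void)
{
    ihdr_dims d;
    uint32_t size;
    if (!parse_ihdr(sample_ihdr, sizeof sample_ihdr, &d))
        return 1;
    printf("header: %" PRIu32 " x %" PRIu32 ", %" PRIu32 " bytes/pixel\n",
           d.width, d.height, d.channels);
    printf("unchecked allocation: %" PRIu32 " bytes\n", plan_image_buffer_unchecked(&d));
    printf("decoder would write %" PRIu64 " bytes past the end\n", bytes_written_past_end(&d));
    printf("checked allocation: %s\n",
           plan_image_buffer_checked(&d, 64u << 20, &size) ? "accepted" : "refused");
    return 0;
}
```

With the constructed header the unchecked calculation requests 262144 bytes, one row, for an image whose decode loop writes 4295229440 bytes, so everything after the first row lands on the heap past the buffer; the checked planner refuses the same header at the second multiplication. The cap is a separate defence from the wrap check: a header that is huge but does not wrap passes the overflow test and still exhausts memory, which is the denial-of-service side of the same bug.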
Several buffer overflows were reported in various memory allocation calls. An
attacker could create a carefully crafted image file in such a way that it
could cause an application that decodes the image with gd to execute
arbitrary code. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0990 to these issues.

While researching the fixes to these overflows, additional buffer overflows
were discovered in calls to gdMalloc. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0941 to
these issues.

Users of gd should upgrade to these updated packages, which contain a
backported security patch, and are not vulnerable to these issues.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red
Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following
Web page for the System Administration or Customization guide specific to
your system:
http://www.redhat.com/docs/manuals/enterprise/

Updated packages

Red Hat Desktop (v. 3)
--------------------------------------------------------------------------------
SRPMS:
gd-1.8.4-12.3.1.src.rpm           6a074a9b46c1c433fb6379ddd7ffa39c

IA-32:
gd-1.8.4-12.3.1.i386.rpm          0277cba330cefb9ab1ebea7f15fa32c8
gd-devel-1.8.4-12.3.1.i386.rpm    d5b6b426e2e06f02a3d0e5f3180cf33c
gd-progs-1.8.4-12.3.1.i386.rpm    a8f4b292b1ef66452790e4dd2648c7a2

x86_64:
gd-1.8.4-12.3.1.i386.rpm          0277cba330cefb9ab1ebea7f15fa32c8
gd-1.8.4-12.3.1.x86_64.rpm        7cbaf334f370e69a009cc3e173bd43b2
gd-devel-1.8.4-12.3.1.x86_64.rpm  6e28767d002c70958e5f1f38a5420d0a
gd-progs-1.8.4-12.3.1.x86_64.rpm  003ce60cef5006f3c495aff9e767f4e2

Red Hat Enterprise Linux AS (v. 2.1)
--------------------------------------------------------------------------------
SRPMS:
gd-1.8.4-4.21.1.src.rpm           0398a5a807dee5b9e50305be0e41c46f

IA-32:
gd-1.8.4-4.21.1.i386.rpm          32f90ee0ee49fbaa0e9d83c32d773d44
gd-devel-1.8.4-4.21.1.i386.rpm    ba50f74a3c45ceb6c6994fd16dd97846
gd-progs-1.8.4-4.21.1.i386.rpm    e6cd529cd117dc14073f011a7cf35631

IA-64:
gd-1.8.4-4.21.1.ia64.rpm          f3415f854fcc70689d9487386c5f5497
gd-devel-1.8.4-4.21.1.ia64.rpm    3db197bc13dfc65b6debfc4e14eed791
gd-progs-1.8.4-4.21.1.ia64.rpm    a4f021b229c4b4d9710888b06fa0b57c

Red Hat Enterprise Linux AS (v. 3)
--------------------------------------------------------------------------------
SRPMS:
gd-1.8.4-12.3.1.src.rpm           6a074a9b46c1c433fb6379ddd7ffa39c

IA-32:
gd-1.8.4-12.3.1.i386.rpm          0277cba330cefb9ab1ebea7f15fa32c8
gd-devel-1.8.4-12.3.1.i386.rpm    d5b6b426e2e06f02a3d0e5f3180cf33c
gd-progs-1.8.4-12.3.1.i386.rpm    a8f4b292b1ef66452790e4dd2648c7a2

IA-64:
gd-1.8.4-12.3.1.i386.rpm          0277cba330cefb9ab1ebea7f15fa32c8
gd-1.8.4-12.3.1.ia64.rpm          ca3b5794089578356666c672355ad71f
gd-devel-1.8.4-12.3.1.ia64.rpm    839ca9fd43bd92ec9bcbd324954f71e5
gd-progs-1.8.4-12.3.1.ia64.rpm    7c0174f34dbe662e8852e1ffe25d8372

PPC:
gd-1.8.4-12.3.1.ppc.rpm           11c259e294f22220dad62674e7a54210
gd-1.8.4-12.3.1.ppc64.rpm         14428761748a25bd003674b116def010
gd-devel-1.8.4-12.3.1.ppc.rpm     67456fab43a1b9d601c62a54a446be27
gd-progs-1.8.4-12.3.1.ppc.rpm     2f900edcde2c6771bd82ce414133717b

s390:
gd-1.8.4-12.3.1.s390.rpm          568eaf1ea4294befde060da07c4812c7
gd-devel-1.8.4-12.3.1.s390.rpm    4873cab38494fc574740b645d5673e33
gd-progs-1.8.4-12.3.1.s390.rpm    336923033fdc04176a0279d9127570a3

s390x:
gd-1.8.4-12.3.1.s390.rpm          568eaf1ea4294befde060da07c4812c7
gd-1.8.4-12.3.1.s390x.rpm         adc06b68372a7d7bf375bbd88867b9af
gd-devel-1.8.4-12.3.1.s390x.rpm   cd195ca8593ec6404d01c82be4db5c47
gd-progs-1.8.4-12.3.1.s390x.rpm   83f844555bdeb93f28c30e00fe2cf90d

x86_64:
gd-1.8.4-12.3.1.i386.rpm          0277cba330cefb9ab1ebea7f15fa32c8
gd-1.8.4-12.3.1.x86_64.rpm        7cbaf334f370e69a009cc3e173bd43b2
gd-devel-1.8.4-12.3.1.x86_64.rpm  6e28767d002c70958e5f1f38a5420d0a
gd-progs-1.8.4-12.3.1.x86_64.rpm  003ce60cef5006f3c495aff9e767f4e2

Red Hat Enterprise Linux ES (v. 2.1)
--------------------------------------------------------------------------------
SRPMS:
gd-1.8.4-4.21.1.src.rpm           0398a5a807dee5b9e50305be0e41c46f

IA-32:
gd-1.8.4-4.21.1.i386.rpm          32f90ee0ee49fbaa0e9d83c32d773d44
gd-devel-1.8.4-4.21.1.i386.rpm    ba50f74a3c45ceb6c6994fd16dd97846
gd-progs-1.8.4-4.21.1.i386.rpm    e6cd529cd117dc14073f011a7cf35631

Red Hat Enterprise Linux ES (v. 3)
--------------------------------------------------------------------------------
SRPMS:
gd-1.8.4-12.3.1.src.rpm           6a074a9b46c1c433fb6379ddd7ffa39c

IA-32:
gd-1.8.4-12.3.1.i386.rpm          0277cba330cefb9ab1ebea7f15fa32c8
gd-devel-1.8.4-12.3.1.i386.rpm    d5b6b426e2e06f02a3d0e5f3180cf33c
gd-progs-1.8.4-12.3.1.i386.rpm    a8f4b292b1ef66452790e4dd2648c7a2

IA-64:
gd-1.8.4-12.3.1.i386.rpm          0277cba330cefb9ab1ebea7f15fa32c8
gd-1.8.4-12.3.1.ia64.rpm          ca3b5794089578356666c672355ad71f
gd-devel-1.8.4-12.3.1.ia64.rpm    839ca9fd43bd92ec9bcbd324954f71e5
gd-progs-1.8.4-12.3.1.ia64.rpm    7c0174f34dbe662e8852e1ffe25d8372

x86_64:
gd-1.8.4-12.3.1.i386.rpm          0277cba330cefb9ab1ebea7f15fa32c8
gd-1.8.4-12.3.1.x86_64.rpm        7cbaf334f370e69a009cc3e173bd43b2
gd-devel-1.8.4-12.3.1.x86_64.rpm  6e28767d002c70958e5f1f38a5420d0a
gd-progs-1.8.4-12.3.1.x86_64.rpm  003ce60cef5006f3c495aff9e767f4e2

Red Hat Enterprise Linux WS (v. 2.1)
--------------------------------------------------------------------------------
SRPMS:
gd-1.8.4-4.21.1.src.rpm           0398a5a807dee5b9e50305be0e41c46f

IA-32:
gd-1.8.4-4.21.1.i386.rpm          32f90ee0ee49fbaa0e9d83c32d773d44
gd-devel-1.8.4-4.21.1.i386.rpm    ba50f74a3c45ceb6c6994fd16dd97846
gd-progs-1.8.4-4.21.1.i386.rpm    e6cd529cd117dc14073f011a7cf35631

Red Hat Enterprise Linux WS (v. 3)
--------------------------------------------------------------------------------
SRPMS:
gd-1.8.4-12.3.1.src.rpm           6a074a9b46c1c433fb6379ddd7ffa39c

IA-32:
gd-1.8.4-12.3.1.i386.rpm          0277cba330cefb9ab1ebea7f15fa32c8
gd-devel-1.8.4-12.3.1.i386.rpm    d5b6b426e2e06f02a3d0e5f3180cf33c
gd-progs-1.8.4-12.3.1.i386.rpm    a8f4b292b1ef66452790e4dd2648c7a2

IA-64:
gd-1.8.4-12.3.1.i386.rpm          0277cba330cefb9ab1ebea7f15fa32c8
gd-1.8.4-12.3.1.ia64.rpm          ca3b5794089578356666c672355ad71f
gd-devel-1.8.4-12.3.1.ia64.rpm    839ca9fd43bd92ec9bcbd324954f71e5
gd-progs-1.8.4-12.3.1.ia64.rpm    7c0174f34dbe662e8852e1ffe25d8372

x86_64:
gd-1.8.4-12.3.1.i386.rpm          0277cba330cefb9ab1ebea7f15fa32c8
gd-1.8.4-12.3.1.x86_64.rpm        7cbaf334f370e69a009cc3e173bd43b2
gd-devel-1.8.4-12.3.1.x86_64.rpm  6e28767d002c70958e5f1f38a5420d0a
gd-progs-1.8.4-12.3.1.x86_64.rpm  003ce60cef5006f3c495aff9e767f4e2

Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
--------------------------------------------------------------------------------
SRPMS:
gd-1.8.4-4.21.1.src.rpm           0398a5a807dee5b9e50305be0e41c46f

IA-64:
gd-1.8.4-4.21.1.ia64.rpm          f3415f854fcc70689d9487386c5f5497
gd-devel-1.8.4-4.21.1.ia64.rpm    3db197bc13dfc65b6debfc4e14eed791
gd-progs-1.8.4-4.21.1.ia64.rpm    a4f021b229c4b4d9710888b06fa0b57c

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

137246 - CAN-2004-0990 integer overflow in PNG handling.
138808 - CAN-2004-0941 additional overflows in gd

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0941
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0990

Keywords

buffer, gd, gdCalloc, gdMalloc, gdRealloc, overflow
--------------------------------------------------------------------------------

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com.
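A check against the package lists above, added here as an example rather than taken from the bulletin: it compares installed gd version-release strings with the fixed builds (1.8.4-4.21.1 for the v. 2.1 products and Advanced Workstation 2.1, 1.8.4-12.3.1 for the v. 3 products and Desktop 3) and flags any package that is behind, including the 32-bit multilib copy an x86_64 host carries beside the 64-bit one. The product keys and the sample input lines are constructed for this example; the rpm commands in the comments are the real ones, but the script itself is plain sh and awk so it can be read and run on a host without rpm.

```shell
#!/bin/sh
# Added example, not part of the CIAC or Red Hat advisory. Checks installed gd
# version-release strings against the fixed builds in RHSA-2004:638. Input is
# one "name.arch version-release" line per installed package, which on a live
# host comes from:
#   rpm -q --qf '%{NAME}.%{ARCH} %{VERSION}-%{RELEASE}\n' gd gd-devel gd-progs
# Product keys (rhel2.1, aw2.1, rhel3, desktop3) and the sample lines below
# are this example's own.

# fixed_gd_release PRODUCT: print the fixed version-release for the product.
fixed_gd_release() {
    case "$1" in
        rhel2.1|aw2.1)  echo "1.8.4-4.21.1" ;;
        rhel3|desktop3) echo "1.8.4-12.3.1" ;;
        *)              return 1 ;;
    esac
}

# version_ge A B: succeed if A >= B, comparing dot/dash-separated numeric
# fields left to right with missing fields counting as 0. Enough for gd's
# all-numeric strings; it is not a full rpmvercmp (no epochs, no letters).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# gd_is_fixed VERSION-RELEASE PRODUCT: 0 if at or past the fixed build,
# 1 if vulnerable, 2 if the product is unknown.
gd_is_fixed() {
    fixed=$(fixed_gd_release "$2") || { echo "unknown product: $2" >&2; return 2; }
    version_ge "$1" "$fixed"
}

# report_gd PRODUCT: read "name.arch version-release" lines on stdin, print a
# verdict per package, succeed only if every package is at the fixed build.
# Multilib hosts carry both gd.i386 and gd.x86_64; both must be current.
report_gd() {
    rc=0
    while read -r pkg vr; do
        [ -n "$pkg" ] || continue
        if gd_is_fixed "$vr" "$1"; then
            echo "$pkg $vr fixed"
        else
            echo "$pkg $vr VULNERABLE"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: an x86_64 RHEL 3 host whose 32-bit multilib gd was
# never updated, so the check must fail.
sample_rhel3_x86_64() {
    printf 'gd.x86_64 1.8.4-12.3.1\ngd.i386 1.8.4-12\ngd-devel.x86_64 1.8.4-12.3.1\n'
}

sample_rhel3_x86_64 | report_gd rhel3 || echo "host is not fully patched"

# Packages fetched by hand instead of through up2date should have Red Hat's
# signature verified before installation (the Red Hat package-signing key
# must already be imported into the rpm database):
#   rpm -K gd-1.8.4-12.3.1.i386.rpm
```

The version check is deliberately keyed by product: a 2.1 host at 1.8.4-4.21.1 is fixed even though that release number is lower than the v. 3 build, so comparing against a single "latest" string would misreport it. The md5sums printed in the advisory are a download-integrity check, not an authenticity check; only the GPG signature (rpm -K) ties a package to Red Hat.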
More contact details at http://www.redhat.com/security/team/contact/

[***** End Red Hat Advisory: RHSA-2004:638-13 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat, Inc. for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-061: Ethereal Multiple Vulnerabilities
P-062: Updated ncompress Package Fix Security Issue and Bug
P-063: Adobe Reader Security Vulnerabilities
P-064: Adobe Reader 5.0.9 for UNIX "mailListIsPdf" function Vulnerability
P-065: Cisco Default Administrative Password in Cisco Guard and Traffic
       Anomaly Detector
P-066: Veritas Backup Exec Buffer Overflow Vulnerability
P-067: PHP Multiple Vulnerabilities
P-068: Sun Webmail Vulnerability
P-069: Sun - Multiple Mozilla Vulnerabilities
P-070: Updated Samba Packages