__________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       | /_\  /    / \ \___
                          \___  __|__  /  \ \___
__________________________________________________________

                             INFORMATION BULLETIN

                          Xloadimage Security Update
                          [Red Hat RHSA-2005:802-4]

October 20, 2005 17:00 GMT                                        Number Q-028
                                                          [REVISED 31 Oct 2005]
______________________________________________________________________________
PROBLEM:       A flaw was discovered in xloadimage which could cause a buffer
               overflow.
PLATFORM:      Red Hat Desktop (v. 3) & (v. 4)
               Red Hat Enterprise Linux AS, ES, WS (v. 2.1), (v. 3), (v. 4)
               Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
               SGI ProPack 3 Service Pack 6 for SGI Altix family of systems
DAMAGE:        An attacker can construct a NIFF image with a very long embedded
               image title. This image can cause a buffer overflow.
SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is LOW. An attacker can construct a NIFF image with a
ASSESSMENT:    very long embedded image title. This image can cause a buffer
               overflow.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q-028.shtml
 ORIGINAL BULLETIN:  Red Hat RHSA-2005:802-4
                     https://rhn.redhat.com/errata/RHSA-2005-802.html
 ADDITIONAL LINK:    SGI Security Advisory Number 20051003-02-U
                     ftp://patches.sgi.com/support/free/security/advisories/20051003-02-U.asc
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3178
______________________________________________________________________________
REVISION HISTORY:
 10/31/2005 - added link to SGI Advanced Linux Environment 3 Security Update #50
              (Number 20051003-02-U) that provides patches for this vulnerability.
[***** Start Red Hat RHSA-2005:802-4 *****]

Low: xloadimage security update

Advisory:         RHSA-2005:802-4
Type:             Security Advisory
Issued on:        2005-10-18
Last updated on:  2005-10-18

Affected Products:
  Red Hat Desktop (v. 3)
  Red Hat Desktop (v. 4)
  Red Hat Enterprise Linux AS (v. 2.1)
  Red Hat Enterprise Linux AS (v. 3)
  Red Hat Enterprise Linux AS (v. 4)
  Red Hat Enterprise Linux ES (v. 2.1)
  Red Hat Enterprise Linux ES (v. 3)
  Red Hat Enterprise Linux ES (v. 4)
  Red Hat Enterprise Linux WS (v. 2.1)
  Red Hat Enterprise Linux WS (v. 3)
  Red Hat Enterprise Linux WS (v. 4)
  Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor

CVEs (cve.mitre.org): CAN-2005-3178

Details

A new xloadimage package that fixes bugs in handling malformed tiff and
pbm/pnm/ppm images, and in handling metacharacters in file names is now
available.

This update has been rated as having low security impact by the Red Hat
Security Response Team.

The xloadimage utility displays images in an X Window System window, loads
images into the root window, or writes images into a file. Xloadimage supports
many image types (including GIF, TIFF, JPEG, XPM, and XBM).

A flaw was discovered in xloadimage via which an attacker can construct a NIFF
image with a very long embedded image title. This image can cause a buffer
overflow. The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2005-3178 to this issue.

All users of xloadimage should upgrade to this erratum package, which contains
backported patches to correct these issues.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

Use Red Hat Network to download and update your packages.
To launch the Red Hat Update Agent, use the following command:

  up2date

For information on how to install packages manually, refer to the following
Web page for the System Administration or Customization guide specific to your
system:

  http://www.redhat.com/docs/manuals/enterprise/

Updated packages

Red Hat Desktop (v. 3)
--------------------------------------------------------------------------------
SRPMS:
  xloadimage-4.1-36.RHEL3.src.rpm       895a319259026ab6e0055da88ff36ec4
IA-32:
  xloadimage-4.1-36.RHEL3.i386.rpm      1583103f2ffc69b306d7132e5efb07c7
x86_64:
  xloadimage-4.1-36.RHEL3.x86_64.rpm    0e83a7874cdde13a33c02316310b7a17

Red Hat Desktop (v. 4)
--------------------------------------------------------------------------------
SRPMS:
  xloadimage-4.1-36.RHEL4.src.rpm       5b5f66c4ef8c5da3034be168c1a6059f
IA-32:
  xloadimage-4.1-36.RHEL4.i386.rpm      a51440101c1cd09a0756b80ec693f315
x86_64:
  xloadimage-4.1-36.RHEL4.x86_64.rpm    915879a24a47ffb2f19f272ee7fdc698

Red Hat Enterprise Linux AS (v. 2.1)
--------------------------------------------------------------------------------
SRPMS:
  xloadimage-4.1-36.RHEL2.1.src.rpm     f4bdaa4b58be68996b76cb459a3bd6cb
IA-32:
  xloadimage-4.1-36.RHEL2.1.i386.rpm    033bde30356036eb2bb3a18f045e908c
IA-64:
  xloadimage-4.1-36.RHEL2.1.ia64.rpm    24959bb056e6f8647c133790b785528d

Red Hat Enterprise Linux AS (v. 3)
--------------------------------------------------------------------------------
SRPMS:
  xloadimage-4.1-36.RHEL3.src.rpm       895a319259026ab6e0055da88ff36ec4
IA-32:
  xloadimage-4.1-36.RHEL3.i386.rpm      1583103f2ffc69b306d7132e5efb07c7
IA-64:
  xloadimage-4.1-36.RHEL3.ia64.rpm      ca43a806311d82f8bbb8cc6c4b29d17b
PPC:
  xloadimage-4.1-36.RHEL3.ppc.rpm       d217140299cc54a63b8bc726c4d377f5
s390:
  xloadimage-4.1-36.RHEL3.s390.rpm      eddf36c9504ab03c885820e30708bce7
s390x:
  xloadimage-4.1-36.RHEL3.s390x.rpm     e1809c5d715113f0ec8459281048f719
x86_64:
  xloadimage-4.1-36.RHEL3.x86_64.rpm    0e83a7874cdde13a33c02316310b7a17

Red Hat Enterprise Linux AS (v. 4)
--------------------------------------------------------------------------------
SRPMS:
  xloadimage-4.1-36.RHEL4.src.rpm       5b5f66c4ef8c5da3034be168c1a6059f
IA-32:
  xloadimage-4.1-36.RHEL4.i386.rpm      a51440101c1cd09a0756b80ec693f315
IA-64:
  xloadimage-4.1-36.RHEL4.ia64.rpm      b344364d5f9ff3e8f417c17ab88b2f20
PPC:
  xloadimage-4.1-36.RHEL4.ppc.rpm       5a4203df880864a802d937fbb0e226d7
s390:
  xloadimage-4.1-36.RHEL4.s390.rpm      7c41b2aaa82fb17d621795b4c17bfb32
s390x:
  xloadimage-4.1-36.RHEL4.s390x.rpm     25b3b931c2ce4f79d88981e7c81040f8
x86_64:
  xloadimage-4.1-36.RHEL4.x86_64.rpm    915879a24a47ffb2f19f272ee7fdc698

Red Hat Enterprise Linux ES (v. 2.1)
--------------------------------------------------------------------------------
SRPMS:
  xloadimage-4.1-36.RHEL2.1.src.rpm     f4bdaa4b58be68996b76cb459a3bd6cb
IA-32:
  xloadimage-4.1-36.RHEL2.1.i386.rpm    033bde30356036eb2bb3a18f045e908c

Red Hat Enterprise Linux ES (v. 3)
--------------------------------------------------------------------------------
SRPMS:
  xloadimage-4.1-36.RHEL3.src.rpm       895a319259026ab6e0055da88ff36ec4
IA-32:
  xloadimage-4.1-36.RHEL3.i386.rpm      1583103f2ffc69b306d7132e5efb07c7
IA-64:
  xloadimage-4.1-36.RHEL3.ia64.rpm      ca43a806311d82f8bbb8cc6c4b29d17b
x86_64:
  xloadimage-4.1-36.RHEL3.x86_64.rpm    0e83a7874cdde13a33c02316310b7a17

Red Hat Enterprise Linux ES (v. 4)
--------------------------------------------------------------------------------
SRPMS:
  xloadimage-4.1-36.RHEL4.src.rpm       5b5f66c4ef8c5da3034be168c1a6059f
IA-32:
  xloadimage-4.1-36.RHEL4.i386.rpm      a51440101c1cd09a0756b80ec693f315
IA-64:
  xloadimage-4.1-36.RHEL4.ia64.rpm      b344364d5f9ff3e8f417c17ab88b2f20
x86_64:
  xloadimage-4.1-36.RHEL4.x86_64.rpm    915879a24a47ffb2f19f272ee7fdc698

Red Hat Enterprise Linux WS (v. 2.1)
--------------------------------------------------------------------------------
SRPMS:
  xloadimage-4.1-36.RHEL2.1.src.rpm     f4bdaa4b58be68996b76cb459a3bd6cb
IA-32:
  xloadimage-4.1-36.RHEL2.1.i386.rpm    033bde30356036eb2bb3a18f045e908c

Red Hat Enterprise Linux WS (v. 3)
--------------------------------------------------------------------------------
SRPMS:
  xloadimage-4.1-36.RHEL3.src.rpm       895a319259026ab6e0055da88ff36ec4
IA-32:
  xloadimage-4.1-36.RHEL3.i386.rpm      1583103f2ffc69b306d7132e5efb07c7
IA-64:
  xloadimage-4.1-36.RHEL3.ia64.rpm      ca43a806311d82f8bbb8cc6c4b29d17b
x86_64:
  xloadimage-4.1-36.RHEL3.x86_64.rpm    0e83a7874cdde13a33c02316310b7a17

Red Hat Enterprise Linux WS (v. 4)
--------------------------------------------------------------------------------
SRPMS:
  xloadimage-4.1-36.RHEL4.src.rpm       5b5f66c4ef8c5da3034be168c1a6059f
IA-32:
  xloadimage-4.1-36.RHEL4.i386.rpm      a51440101c1cd09a0756b80ec693f315
IA-64:
  xloadimage-4.1-36.RHEL4.ia64.rpm      b344364d5f9ff3e8f417c17ab88b2f20
x86_64:
  xloadimage-4.1-36.RHEL4.x86_64.rpm    915879a24a47ffb2f19f272ee7fdc698

Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
--------------------------------------------------------------------------------
SRPMS:
  xloadimage-4.1-36.RHEL2.1.src.rpm     f4bdaa4b58be68996b76cb459a3bd6cb
IA-64:
  xloadimage-4.1-36.RHEL2.1.ia64.rpm    24959bb056e6f8647c133790b785528d

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

  170150 - CAN-2005-3178 xloadimage NIFF buffer overflow

References

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3178

--------------------------------------------------------------------------------
These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:

  https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat RHSA-2005:802-4 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
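The following POSIX shell script is an added example; it is not part of the CIAC bulletin and is not Red Hat's tooling. It turns the solution section into two checks an administrator would run: is the installed xloadimage at or above the erratum release (the script assumes release 36 of version 4.1 is the fix level, as the package names above indicate), and does a downloaded erratum RPM match the MD5 checksum printed in the advisory. The function names, the `release_is_fixed` parsing of an `rpm -q` style name, and the constructed test inputs are the example's own; the checksums in `expected_md5` are copied from the package table above for a handful of the packages. An MD5 match only confirms the file you downloaded is the file the advisory describes; authenticity comes from the GPG signature check the advisory points to (`rpm --checksig`), which this script only mentions in a comment.

```shell
#!/bin/sh
# Added example (not from the CIAC bulletin or Red Hat): check an installed
# xloadimage against the RHSA-2005:802-4 fix level and verify a downloaded
# erratum RPM against the advisory's published MD5 checksums.

# expected_md5 <rpm file name>: print the advisory checksum for that package
# (subset copied from the table above), or return 1 if it is not listed.
expected_md5() {
    case "$1" in
        xloadimage-4.1-36.RHEL3.i386.rpm)   echo 1583103f2ffc69b306d7132e5efb07c7 ;;
        xloadimage-4.1-36.RHEL3.x86_64.rpm) echo 0e83a7874cdde13a33c02316310b7a17 ;;
        xloadimage-4.1-36.RHEL4.i386.rpm)   echo a51440101c1cd09a0756b80ec693f315 ;;
        xloadimage-4.1-36.RHEL4.x86_64.rpm) echo 915879a24a47ffb2f19f272ee7fdc698 ;;
        xloadimage-4.1-36.RHEL2.1.i386.rpm) echo 033bde30356036eb2bb3a18f045e908c ;;
        *) return 1 ;;
    esac
}

# file_md5 <file>: hex MD5 of a file, using md5sum (GNU) or md5 -q (BSD/macOS).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# check_md5 <file> <expected hex digest>: return 0 on match, 1 otherwise.
check_md5() {
    actual=$(file_md5 "$1") || return 1
    [ "$actual" = "$2" ]
}

# release_is_fixed <name-version-release[.arch]>: return 0 if the package is
# xloadimage 4.1 at release >= 36 (the erratum level assumed by this example),
# 1 if it is an older 4.1 release, 2 if the string is not a 4.1 package name
# (for instance rpm's "package xloadimage is not installed" message).
release_is_fixed() {
    nvr=$1
    case "$nvr" in
        xloadimage-4.1-*) ;;
        *) return 2 ;;
    esac
    rel=${nvr#xloadimage-4.1-}   # e.g. "36.RHEL3" or "36.RHEL4.x86_64"
    rel=${rel%%.*}               # keep the numeric release, e.g. "36"
    case "$rel" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$rel" -ge 36 ]
}

# verify_rpm <path to downloaded rpm>: compare its MD5 with the advisory table.
# Returns 0 on match, 1 on mismatch, 2 if the advisory lists no checksum for it.
verify_rpm() {
    name=$(basename "$1")
    want=$(expected_md5 "$name") || {
        echo "no advisory checksum for $name" >&2
        return 2
    }
    if check_md5 "$1" "$want"; then
        echo "OK  $name"
    else
        echo "BAD $name (MD5 does not match RHSA-2005:802-4)" >&2
        return 1
    fi
}

# Typical use on a Red Hat host (not executed by this file):
#   release_is_fixed "$(rpm -q xloadimage)" && echo "xloadimage is patched"
#   verify_rpm /tmp/xloadimage-4.1-36.RHEL3.i386.rpm
#   rpm --checksig /tmp/xloadimage-4.1-36.RHEL3.i386.rpm   # GPG signature check
```

Run it with `sh` on the host being checked; `release_is_fixed` accepts the `rpm -q xloadimage` output whether or not it carries an architecture suffix, and reports exit status 2 rather than a false "patched" when the package is absent or the name does not follow the 4.1-NN scheme.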
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

Q-018: VERITAS NetBackup Java User Interface Format String Vulnerability
Q-019: Lynx Security Update
Q-020: Multiple Security Vulnerabilities in Mozilla
Q-021: Openldap and nss_ldap Security Update
Q-022: Snort 2.4.3 Released
Q-023: UW-IMAP Vulnerability
Q-024: Oracle Critical Patch Update - October 2005
Q-025: HP OpenView Operations and OpenView Vantage Point Java Runtime
       Environment (JRE) Vulnerability
Q-026: GDB Security Update
Q-027: Netpbm Security Update