__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN libungif Security Update [RHSA-2005:828-17] November 4, 2005 18:00 GMT Number Q-041 [REVISED 09 NOV 2005] [REVISED 29 Nov 2005] ______________________________________________________________________________ PROBLEM: Vulnerabilities were discovered in the libungif package, a shared library of functions for loading and saving GIF format image files. PLATFORM: Red Hat Desktop (v. 3, v. 4) Red Hat Enterprise Linux AS, ES, WS (v. 2.1, v. 3, v. 4) Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor SGI ProPack 3 Service Pack 6 for SGI Altix family of systems DAMAGE: An attacker could create a carefully crafted GIF image file in such a way that it could cause an application linked with libungif to crash or execute arbitrary code when the file is opened by a victim. SOLUTION: Apply the available security updates. ______________________________________________________________________________ VULNERABILITY The risk is LOW. Exploiting this vulnerability requires ASSESSMENT: persuading a victim to open a malicious GIF image using an application linked with libungif. If exploited, an attacker may be able to execute arbitrary code or cause a denial of service. 
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q-041.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2005-828.html
 ADDITIONAL LINKS:   http://www.debian.org/security/2005/dsa-890
                     SGI Security Advisory Update #51, Number 20051101-01-U
                     ftp://patches.sgi.com/support/free/security/advisories/20051101-01-U.asc
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2005-2974, CVE-2005-3350
______________________________________________________________________________

REVISION HISTORY:
11/09/05 - added a link to DSA-890-1
11/29/05 - added a link to SGI Advanced Linux Environment 3 Security Update
           #51 (#20051101-01-U) that provides Patch 10242 for SGI ProPack 3
           Service Pack 6.

[***** Start RHSA-2005:828-17 *****]

Important: libungif security update

Advisory:        RHSA-2005:828-17
Type:            Security Advisory
Issued on:       2005-11-03
Last updated on: 2005-11-03

Affected Products:
  Red Hat Desktop (v. 3)
  Red Hat Desktop (v. 4)
  Red Hat Enterprise Linux AS (v. 2.1)
  Red Hat Enterprise Linux AS (v. 3)
  Red Hat Enterprise Linux AS (v. 4)
  Red Hat Enterprise Linux ES (v. 2.1)
  Red Hat Enterprise Linux ES (v. 3)
  Red Hat Enterprise Linux ES (v. 4)
  Red Hat Enterprise Linux WS (v. 2.1)
  Red Hat Enterprise Linux WS (v. 3)
  Red Hat Enterprise Linux WS (v. 4)
  Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor

CVEs (cve.mitre.org):
  CVE-2005-2974
  CVE-2005-3350

Details

Updated libungif packages that fix two security issues are now available.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

The libungif package contains a shared library of functions for loading and
saving GIF format image files.

Several bugs in the way libungif decodes GIF images were discovered.
An attacker could create a carefully crafted GIF image file in such a way
that it could cause an application linked with libungif to crash or execute
arbitrary code when the file is opened by a victim. The Common Vulnerabilities
and Exposures project has assigned the names CVE-2005-2974 and CVE-2005-3350
to these issues.

All users of libungif are advised to upgrade to these updated packages, which
contain backported patches that resolve these issues.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network, launch
the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Desktop (v. 3)

SRPMS:
libungif-4.1.0-15.el3.3.src.rpm           da8a62137ee54bdd7db5f1d54981d5ff

IA-32:
libungif-4.1.0-15.el3.3.i386.rpm          164b768be58ab848de11b807e2965b09
libungif-devel-4.1.0-15.el3.3.i386.rpm    68ffa2a86da615dedf5a7ced4ff7baf3

x86_64:
libungif-4.1.0-15.el3.3.i386.rpm          164b768be58ab848de11b807e2965b09
libungif-4.1.0-15.el3.3.x86_64.rpm        97a4db4e1b075d498b419e226e4985fb
libungif-devel-4.1.0-15.el3.3.x86_64.rpm  748454935fb5a2d99cfe13ac510e39e4

Red Hat Desktop (v. 4)

SRPMS:
libungif-4.1.3-1.el4.2.src.rpm            e241666690d657eeeaa5ead5b3bbfadd

IA-32:
libungif-4.1.3-1.el4.2.i386.rpm           0f0bbddea36d3b7a54c4549c10486ed1
libungif-devel-4.1.3-1.el4.2.i386.rpm     0c3fd8a9ef630b0c463c1023f887d811
libungif-progs-4.1.3-1.el4.2.i386.rpm     1bda7d495675421af2e528244dff8ed4

x86_64:
libungif-4.1.3-1.el4.2.i386.rpm           0f0bbddea36d3b7a54c4549c10486ed1
libungif-4.1.3-1.el4.2.x86_64.rpm         8b86bf10b45e74a2da545ff9a4841c66
libungif-devel-4.1.3-1.el4.2.x86_64.rpm   43b1c3400e73db747c99a3cb8f78ad9c
libungif-progs-4.1.3-1.el4.2.x86_64.rpm   af5059a0c3ec86f9829002226ea8e9af

Red Hat Enterprise Linux AS (v. 2.1)

SRPMS:
libungif-4.1.0-9.5.src.rpm                e56ab6dbd063ad9f7ce270d469e91fa1

IA-32:
libungif-4.1.0-9.5.i386.rpm               36acb8ed19d5c20d906a9508e8bf7305
libungif-devel-4.1.0-9.5.i386.rpm         3a154e3dcc9b7e938d90843bdfe4b450
libungif-progs-4.1.0-9.5.i386.rpm         f27dd46b945755985280c26f22dee762

IA-64:
libungif-4.1.0-9.5.ia64.rpm               b318e8b61a7ffe25754095412317092e
libungif-devel-4.1.0-9.5.ia64.rpm         84a95d616bd748c8a9f08cd795cbead1
libungif-progs-4.1.0-9.5.ia64.rpm         2f34606d66720b885a6f72d1bc51e9a7

Red Hat Enterprise Linux AS (v. 3)

SRPMS:
libungif-4.1.0-15.el3.3.src.rpm           da8a62137ee54bdd7db5f1d54981d5ff

IA-32:
libungif-4.1.0-15.el3.3.i386.rpm          164b768be58ab848de11b807e2965b09
libungif-devel-4.1.0-15.el3.3.i386.rpm    68ffa2a86da615dedf5a7ced4ff7baf3

IA-64:
libungif-4.1.0-15.el3.3.i386.rpm          164b768be58ab848de11b807e2965b09
libungif-4.1.0-15.el3.3.ia64.rpm          2d633b6c29a30b31f1d43a4a16904cf9
libungif-devel-4.1.0-15.el3.3.ia64.rpm    60774b099eced3d03b2fe545b329412b

PPC:
libungif-4.1.0-15.el3.3.ppc.rpm           ceabdafb3ddbfd59ddcca8841a73b154
libungif-4.1.0-15.el3.3.ppc64.rpm         8889b6269d28035e829f74b253650282
libungif-devel-4.1.0-15.el3.3.ppc.rpm     b2451ee8075934f12fed4546d0e0d432

s390:
libungif-4.1.0-15.el3.3.s390.rpm          d2ab90f1f5e711b715cb37a7f2bd8b69
libungif-devel-4.1.0-15.el3.3.s390.rpm    7a3a9d5dd30cbfe3f00abdb2170ab856

s390x:
libungif-4.1.0-15.el3.3.s390.rpm          d2ab90f1f5e711b715cb37a7f2bd8b69
libungif-4.1.0-15.el3.3.s390x.rpm         b32cf8513df8dde6ed0196a6cdc808a3
libungif-devel-4.1.0-15.el3.3.s390x.rpm   eac268049e3e0189aad33d8f9a7fba96

x86_64:
libungif-4.1.0-15.el3.3.i386.rpm          164b768be58ab848de11b807e2965b09
libungif-4.1.0-15.el3.3.x86_64.rpm        97a4db4e1b075d498b419e226e4985fb
libungif-devel-4.1.0-15.el3.3.x86_64.rpm  748454935fb5a2d99cfe13ac510e39e4

Red Hat Enterprise Linux AS (v. 4)

SRPMS:
libungif-4.1.3-1.el4.2.src.rpm            e241666690d657eeeaa5ead5b3bbfadd

IA-32:
libungif-4.1.3-1.el4.2.i386.rpm           0f0bbddea36d3b7a54c4549c10486ed1
libungif-devel-4.1.3-1.el4.2.i386.rpm     0c3fd8a9ef630b0c463c1023f887d811
libungif-progs-4.1.3-1.el4.2.i386.rpm     1bda7d495675421af2e528244dff8ed4

IA-64:
libungif-4.1.3-1.el4.2.i386.rpm           0f0bbddea36d3b7a54c4549c10486ed1
libungif-4.1.3-1.el4.2.ia64.rpm           aea54ec43692c8cff548e80dc816f404
libungif-devel-4.1.3-1.el4.2.ia64.rpm     86c0a610b5294c673c075d6b345009c1
libungif-progs-4.1.3-1.el4.2.ia64.rpm     123867a704cdcbab79c5c9ba581e4c06

PPC:
libungif-4.1.3-1.el4.2.ppc.rpm            5a6f7b590f2bfbd183704df45df12693
libungif-4.1.3-1.el4.2.ppc64.rpm          893a3232c0eba8f05ebcdc312c127569
libungif-devel-4.1.3-1.el4.2.ppc.rpm      eaf656fe93aafcfb1dbea1a3e96b8d0e
libungif-progs-4.1.3-1.el4.2.ppc.rpm      b887c1101a8a2eb77ae1870663b0104b

s390:
libungif-4.1.3-1.el4.2.s390.rpm           d9e60023f796e9592c8ad6769994396a
libungif-devel-4.1.3-1.el4.2.s390.rpm     85be309902a46d69331ed7cfbbbf77ac
libungif-progs-4.1.3-1.el4.2.s390.rpm     36c47021928a75b4f01cfff9ee70933a

s390x:
libungif-4.1.3-1.el4.2.s390.rpm           d9e60023f796e9592c8ad6769994396a
libungif-4.1.3-1.el4.2.s390x.rpm          174dbd3ff4ece6690f58e7141cead9a6
libungif-devel-4.1.3-1.el4.2.s390x.rpm    f8206bece19a3880051bc6afea0bb16f
libungif-progs-4.1.3-1.el4.2.s390x.rpm    4cb4dea2bece5ec618b9e81ac205c984

x86_64:
libungif-4.1.3-1.el4.2.i386.rpm           0f0bbddea36d3b7a54c4549c10486ed1
libungif-4.1.3-1.el4.2.x86_64.rpm         8b86bf10b45e74a2da545ff9a4841c66
libungif-devel-4.1.3-1.el4.2.x86_64.rpm   43b1c3400e73db747c99a3cb8f78ad9c
libungif-progs-4.1.3-1.el4.2.x86_64.rpm   af5059a0c3ec86f9829002226ea8e9af

Red Hat Enterprise Linux ES (v. 2.1)

SRPMS:
libungif-4.1.0-9.5.src.rpm                e56ab6dbd063ad9f7ce270d469e91fa1

IA-32:
libungif-4.1.0-9.5.i386.rpm               36acb8ed19d5c20d906a9508e8bf7305
libungif-devel-4.1.0-9.5.i386.rpm         3a154e3dcc9b7e938d90843bdfe4b450
libungif-progs-4.1.0-9.5.i386.rpm         f27dd46b945755985280c26f22dee762

Red Hat Enterprise Linux ES (v. 3)

SRPMS:
libungif-4.1.0-15.el3.3.src.rpm           da8a62137ee54bdd7db5f1d54981d5ff

IA-32:
libungif-4.1.0-15.el3.3.i386.rpm          164b768be58ab848de11b807e2965b09
libungif-devel-4.1.0-15.el3.3.i386.rpm    68ffa2a86da615dedf5a7ced4ff7baf3

IA-64:
libungif-4.1.0-15.el3.3.i386.rpm          164b768be58ab848de11b807e2965b09
libungif-4.1.0-15.el3.3.ia64.rpm          2d633b6c29a30b31f1d43a4a16904cf9
libungif-devel-4.1.0-15.el3.3.ia64.rpm    60774b099eced3d03b2fe545b329412b

x86_64:
libungif-4.1.0-15.el3.3.i386.rpm          164b768be58ab848de11b807e2965b09
libungif-4.1.0-15.el3.3.x86_64.rpm        97a4db4e1b075d498b419e226e4985fb
libungif-devel-4.1.0-15.el3.3.x86_64.rpm  748454935fb5a2d99cfe13ac510e39e4

Red Hat Enterprise Linux ES (v. 4)

SRPMS:
libungif-4.1.3-1.el4.2.src.rpm            e241666690d657eeeaa5ead5b3bbfadd

IA-32:
libungif-4.1.3-1.el4.2.i386.rpm           0f0bbddea36d3b7a54c4549c10486ed1
libungif-devel-4.1.3-1.el4.2.i386.rpm     0c3fd8a9ef630b0c463c1023f887d811
libungif-progs-4.1.3-1.el4.2.i386.rpm     1bda7d495675421af2e528244dff8ed4

IA-64:
libungif-4.1.3-1.el4.2.i386.rpm           0f0bbddea36d3b7a54c4549c10486ed1
libungif-4.1.3-1.el4.2.ia64.rpm           aea54ec43692c8cff548e80dc816f404
libungif-devel-4.1.3-1.el4.2.ia64.rpm     86c0a610b5294c673c075d6b345009c1
libungif-progs-4.1.3-1.el4.2.ia64.rpm     123867a704cdcbab79c5c9ba581e4c06

x86_64:
libungif-4.1.3-1.el4.2.i386.rpm           0f0bbddea36d3b7a54c4549c10486ed1
libungif-4.1.3-1.el4.2.x86_64.rpm         8b86bf10b45e74a2da545ff9a4841c66
libungif-devel-4.1.3-1.el4.2.x86_64.rpm   43b1c3400e73db747c99a3cb8f78ad9c
libungif-progs-4.1.3-1.el4.2.x86_64.rpm   af5059a0c3ec86f9829002226ea8e9af

Red Hat Enterprise Linux WS (v. 2.1)

SRPMS:
libungif-4.1.0-9.5.src.rpm                e56ab6dbd063ad9f7ce270d469e91fa1

IA-32:
libungif-4.1.0-9.5.i386.rpm               36acb8ed19d5c20d906a9508e8bf7305
libungif-devel-4.1.0-9.5.i386.rpm         3a154e3dcc9b7e938d90843bdfe4b450
libungif-progs-4.1.0-9.5.i386.rpm         f27dd46b945755985280c26f22dee762

Red Hat Enterprise Linux WS (v. 3)

SRPMS:
libungif-4.1.0-15.el3.3.src.rpm           da8a62137ee54bdd7db5f1d54981d5ff

IA-32:
libungif-4.1.0-15.el3.3.i386.rpm          164b768be58ab848de11b807e2965b09
libungif-devel-4.1.0-15.el3.3.i386.rpm    68ffa2a86da615dedf5a7ced4ff7baf3

IA-64:
libungif-4.1.0-15.el3.3.i386.rpm          164b768be58ab848de11b807e2965b09
libungif-4.1.0-15.el3.3.ia64.rpm          2d633b6c29a30b31f1d43a4a16904cf9
libungif-devel-4.1.0-15.el3.3.ia64.rpm    60774b099eced3d03b2fe545b329412b

x86_64:
libungif-4.1.0-15.el3.3.i386.rpm          164b768be58ab848de11b807e2965b09
libungif-4.1.0-15.el3.3.x86_64.rpm        97a4db4e1b075d498b419e226e4985fb
libungif-devel-4.1.0-15.el3.3.x86_64.rpm  748454935fb5a2d99cfe13ac510e39e4

Red Hat Enterprise Linux WS (v. 4)

SRPMS:
libungif-4.1.3-1.el4.2.src.rpm            e241666690d657eeeaa5ead5b3bbfadd

IA-32:
libungif-4.1.3-1.el4.2.i386.rpm           0f0bbddea36d3b7a54c4549c10486ed1
libungif-devel-4.1.3-1.el4.2.i386.rpm     0c3fd8a9ef630b0c463c1023f887d811
libungif-progs-4.1.3-1.el4.2.i386.rpm     1bda7d495675421af2e528244dff8ed4

IA-64:
libungif-4.1.3-1.el4.2.i386.rpm           0f0bbddea36d3b7a54c4549c10486ed1
libungif-4.1.3-1.el4.2.ia64.rpm           aea54ec43692c8cff548e80dc816f404
libungif-devel-4.1.3-1.el4.2.ia64.rpm     86c0a610b5294c673c075d6b345009c1
libungif-progs-4.1.3-1.el4.2.ia64.rpm     123867a704cdcbab79c5c9ba581e4c06

x86_64:
libungif-4.1.3-1.el4.2.i386.rpm           0f0bbddea36d3b7a54c4549c10486ed1
libungif-4.1.3-1.el4.2.x86_64.rpm         8b86bf10b45e74a2da545ff9a4841c66
libungif-devel-4.1.3-1.el4.2.x86_64.rpm   43b1c3400e73db747c99a3cb8f78ad9c
libungif-progs-4.1.3-1.el4.2.x86_64.rpm   af5059a0c3ec86f9829002226ea8e9af

Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor

SRPMS:
libungif-4.1.0-9.5.src.rpm                e56ab6dbd063ad9f7ce270d469e91fa1

IA-64:
libungif-4.1.0-9.5.ia64.rpm               b318e8b61a7ffe25754095412317092e
libungif-devel-4.1.0-9.5.ia64.rpm         84a95d616bd748c8a9f08cd795cbead1
libungif-progs-4.1.0-9.5.ia64.rpm         2f34606d66720b885a6f72d1bc51e9a7

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

171413 - CVE-2005-2974 Several libungif issues (CVE-2005-3350)

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2974
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3350

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End RHSA-2005:828-17 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC.
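The advisory's Solution section tells administrators to upgrade to the listed
package releases, and the package list gives an MD5 sum for each RPM. The
script below is an added example, not Red Hat or CIAC code, showing how an
administrator could confirm from `rpm -q` output that the installed libungif
packages are at or above the fixed releases named in the advisory, and that a
downloaded RPM matches the MD5 sum printed above. The rpmvercmp function is a
simplified reimplementation of rpm's version comparison (it omits rpm's tilde
and caret rules, which none of the listed releases use); treating a release
with no ".elN" tag as a RHEL 2.1 / Advanced Workstation 2.1 build, the sample
`rpm -q` output, and all function names are assumptions of this example.

```python
"""Check installed libungif packages against the fixed releases listed in
RHSA-2005:828 and verify downloaded RPMs against the advisory's MD5 sums.
Added example; not part of the Red Hat or CIAC bulletin."""
import hashlib
import re

# Fixed (version, release) per product family, taken from the advisory's
# package list.  RHEL 2.1 / Advanced Workstation 2.1 packages carry no ".elN"
# dist tag, so they are filed under "2.1" (assumption of this example).
FIXED = {
    "el3": ("4.1.0", "15.el3.3"),
    "el4": ("4.1.3", "1.el4.2"),
    "2.1": ("4.1.0", "9.5"),
}

# A subset of the MD5 sums printed in the advisory's "Updated packages" list.
ADVISORY_MD5 = {
    "libungif-4.1.0-15.el3.3.i386.rpm": "164b768be58ab848de11b807e2965b09",
    "libungif-4.1.3-1.el4.2.i386.rpm": "0f0bbddea36d3b7a54c4549c10486ed1",
    "libungif-4.1.0-9.5.i386.rpm": "36acb8ed19d5c20d906a9508e8bf7305",
}

LIBUNGIF_PACKAGES = ("libungif", "libungif-devel", "libungif-progs")
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Simplified rpm version comparison: split both strings into numeric and
    alphabetic segments; numeric segments compare as integers, alphabetic
    ones lexically, a numeric segment ranks above an alphabetic one, and the
    string with more segments wins a tie.  Returns -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def parse_nvr(nvr):
    """Split 'libungif-devel-4.1.0-15.el3.3' into (name, version, release)."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_fixed(nvr):
    """True when the package's version-release is at or above the fixed one."""
    name, version, release = parse_nvr(nvr)
    if name not in LIBUNGIF_PACKAGES:
        raise ValueError("not a libungif package: " + nvr)
    m = re.search(r"\.(el\d+)", release)
    family = m.group(1) if m else "2.1"
    if family not in FIXED:
        raise ValueError("no fixed release known for " + nvr)
    fixed_version, fixed_release = FIXED[family]
    c = rpmvercmp(version, fixed_version)
    if c == 0:
        c = rpmvercmp(release, fixed_release)
    return c >= 0


def check_installed(rpm_q_output):
    """Map each NVR printed by `rpm -q libungif libungif-devel libungif-progs`
    to whether it is fixed; 'package X is not installed' lines are skipped."""
    results = {}
    for line in rpm_q_output.splitlines():
        line = line.strip()
        if line and not line.endswith("is not installed"):
            results[line] = is_fixed(line)
    return results


def md5_matches_advisory(filename, data):
    """Compare the MD5 of a downloaded RPM's bytes with the advisory's sum."""
    return hashlib.md5(data).hexdigest() == ADVISORY_MD5[filename]


if __name__ == "__main__":
    # Constructed sample of `rpm -q` output from a partly patched RHEL 3 host.
    SAMPLE = ("libungif-4.1.0-15.el3.1\n"
              "libungif-devel-4.1.0-15.el3.3\n"
              "package libungif-progs is not installed\n")
    for nvr, ok in check_installed(SAMPLE).items():
        print(f"{nvr}: {'fixed' if ok else 'VULNERABLE, update required'}")
```

On a real host, feed check_installed the output of
`rpm -q libungif libungif-devel libungif-progs`; the MD5 comparison covers only
the download step, and the advisory's own GPG signature check (rpm --checksig)
remains the authoritative integrity test before installation.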
The Forum of Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their constituencies
can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

Q-031: Eric
Q-032: Sudo
Q-033: Libgda2
Q-034: Red Hat Kernel Security Update
Q-035: PAM Security Update
Q-036: Solaris Management Console Enables TRACE HTTP by Default
Q-037: Apple OS X 10.4.3 Security Update
Q-038: Cisco IOS Heap-based Overflow Vulnerability in System Timers
Q-039: libcurl Vulnerability
Q-040: phpMyAdmin Cross Site Scripting Vulnerabilities