Red Hat 9042 Published by

Updated qt packages are available for Red Hat Enterprise Linux

----------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Updated qt packages fix security issues
Advisory ID: RHSA-2004:414-01
Issue date: 2004-08-20
Updated on: 2004-08-20
Product: Red Hat Enterprise Linux
CVE Names: CAN-2004-0691 CAN-2004-0692 CAN-2004-0693
----------------------------------------------------------------------

1. Summary:

Updated qt packages that fix security issues in several of the image decoders are now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64



3. Problem description:

Qt is a software toolkit that simplifies the task of writing and maintaining GUI (Graphical User Interface) applications for the X Window System.

During a security audit, Chris Evans discovered a heap overflow in the BMP image decoder in Qt versions prior to 3.3.3. An attacker could create a carefully crafted BMP file in such a way that it would cause an application linked with Qt to crash or possibly execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0691 to this issue.

Additionally, various flaws were discovered in the GIF, XPM, and JPEG decoders in Qt versions prior to 3.3.3. An attacker could create carefully crafted image files in such a way that it could cause an application linked against Qt to crash when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0692 and CAN-2004-0693 to these issues.

Users of Qt should update to these updated packages which contain backported patches and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

128720 - CAN-2004-0691 BMP decoder heap overflow

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/qt-2.3.1-10.src.rpm
3b684906082e180dddd38404dca633f4 qt-2.3.1-10.src.rpm

i386:
4abae89892524349c1413e9edfe1c580 qt-2.3.1-10.i386.rpm
f8a7bc552d89a93c8de95d31bbf3fb6c qt-Xt-2.3.1-10.i386.rpm
ba3283b0ecab676ca709746c7b9aad17 qt-designer-2.3.1-10.i386.rpm
f9542947d96f0a40694026bddc6088b3 qt-devel-2.3.1-10.i386.rpm
08a3108d33c0391926515c8831e80e32 qt-static-2.3.1-10.i386.rpm

ia64:
7a5212ecdd3bdfd6e7c22430cab707ca qt-2.3.1-10.ia64.rpm
163badec57860c0751ee49a74a863197 qt-Xt-2.3.1-10.ia64.rpm
62890a5783dea02beb1bd19e2c2b9476 qt-designer-2.3.1-10.ia64.rpm
4dc9f6a9177f16561371b41701cc8ca3 qt-devel-2.3.1-10.ia64.rpm
f5bb921423a761d4412a45d8407960e9 qt-static-2.3.1-10.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/qt-2.3.1-10.src.rpm
3b684906082e180dddd38404dca633f4 qt-2.3.1-10.src.rpm

ia64:
7a5212ecdd3bdfd6e7c22430cab707ca qt-2.3.1-10.ia64.rpm
163badec57860c0751ee49a74a863197 qt-Xt-2.3.1-10.ia64.rpm
62890a5783dea02beb1bd19e2c2b9476 qt-designer-2.3.1-10.ia64.rpm
4dc9f6a9177f16561371b41701cc8ca3 qt-devel-2.3.1-10.ia64.rpm
f5bb921423a761d4412a45d8407960e9 qt-static-2.3.1-10.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/qt-2.3.1-10.src.rpm
3b684906082e180dddd38404dca633f4 qt-2.3.1-10.src.rpm

i386:
4abae89892524349c1413e9edfe1c580 qt-2.3.1-10.i386.rpm
f8a7bc552d89a93c8de95d31bbf3fb6c qt-Xt-2.3.1-10.i386.rpm
ba3283b0ecab676ca709746c7b9aad17 qt-designer-2.3.1-10.i386.rpm
f9542947d96f0a40694026bddc6088b3 qt-devel-2.3.1-10.i386.rpm
08a3108d33c0391926515c8831e80e32 qt-static-2.3.1-10.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/qt-2.3.1-10.src.rpm
3b684906082e180dddd38404dca633f4 qt-2.3.1-10.src.rpm

i386:
4abae89892524349c1413e9edfe1c580 qt-2.3.1-10.i386.rpm
f8a7bc552d89a93c8de95d31bbf3fb6c qt-Xt-2.3.1-10.i386.rpm
ba3283b0ecab676ca709746c7b9aad17 qt-designer-2.3.1-10.i386.rpm
f9542947d96f0a40694026bddc6088b3 qt-devel-2.3.1-10.i386.rpm
08a3108d33c0391926515c8831e80e32 qt-static-2.3.1-10.i386.rpm

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/qt-3.1.2-13.4.src.rpm
f798532e2259e3027eb64a86f471c989 qt-3.1.2-13.4.src.rpm

i386:
171e31325a6974fe6b3161b0dd935e05 qt-3.1.2-13.4.i386.rpm
53450013bb108936c88d7a68797400b5 qt-MySQL-3.1.2-13.4.i386.rpm
c5372ac10529b611504c48fd1876d32a qt-config-3.1.2-13.4.i386.rpm
dde05008907a4402aeec64bd1fef25d8 qt-designer-3.1.2-13.4.i386.rpm
7e9621c8793aeece8c6697a301fdaf85 qt-devel-3.1.2-13.4.i386.rpm

ia64:
0162f98d41303ed47435fd634a49aa16 qt-3.1.2-13.4.ia64.rpm
83f81146ad6ff84575f221104e109a10 qt-MySQL-3.1.2-13.4.ia64.rpm
0b81a3f2c8ab00775d533c30129fe314 qt-config-3.1.2-13.4.ia64.rpm
d7ff6cb677ea02273909f44018a4de02 qt-designer-3.1.2-13.4.ia64.rpm
c93acbc881f899cbd944f74c2710c1dd qt-devel-3.1.2-13.4.ia64.rpm

ppc:
342ed7861c4723143f22841155837163 qt-3.1.2-13.4.ppc.rpm
f95779e3c785a8ca620b795a50c3a2b7 qt-MySQL-3.1.2-13.4.ppc.rpm
d89c0631d249d3596cb0b7f3715d8c71 qt-config-3.1.2-13.4.ppc.rpm
b5c58797337ec1c953a127d145241d70 qt-designer-3.1.2-13.4.ppc.rpm
4138557b0f597ede980c64e4e74debd3 qt-devel-3.1.2-13.4.ppc.rpm

s390:
57951d45d98f46fe6f2326b16f23ea1b qt-3.1.2-13.4.s390.rpm
98b7677e8b7fa4d84583cfe8e92a91f4 qt-MySQL-3.1.2-13.4.s390.rpm
b9f50cd8f014e9e39249dbfbe17b1398 qt-config-3.1.2-13.4.s390.rpm
2c140a0776e2ce98c273b7e628d86d23 qt-designer-3.1.2-13.4.s390.rpm
5e23428d4621c10ca60bf29d7d2a6ed7 qt-devel-3.1.2-13.4.s390.rpm

s390x:
8f95df939142d43f0078f5a770850bb2 qt-3.1.2-13.4.s390x.rpm
5cc08910b564eed93b3f78c05261a176 qt-MySQL-3.1.2-13.4.s390x.rpm
73c6e602b9a45864a82d16314deba9c0 qt-config-3.1.2-13.4.s390x.rpm
eae10bfa4b34cfbfd29f09e4d7368728 qt-designer-3.1.2-13.4.s390x.rpm
fff3b6f404743fa76b5ba21f3a18e20d qt-devel-3.1.2-13.4.s390x.rpm

x86_64:
24fbbe3a8cc3a9636e64cbecb62c52c1 qt-3.1.2-13.4.x86_64.rpm
b4ca1ae5a331c4d30d75d2dcd1e53280 qt-MySQL-3.1.2-13.4.x86_64.rpm
a684d66936b37ed87281ce2f8a49448b qt-config-3.1.2-13.4.x86_64.rpm
d945dc65e4120b87f0fa6c0a77c129ee qt-designer-3.1.2-13.4.x86_64.rpm
814f662f0561c1dc07cb60a287487494 qt-devel-3.1.2-13.4.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/qt-3.1.2-13.4.src.rpm
f798532e2259e3027eb64a86f471c989 qt-3.1.2-13.4.src.rpm

i386:
171e31325a6974fe6b3161b0dd935e05 qt-3.1.2-13.4.i386.rpm
53450013bb108936c88d7a68797400b5 qt-MySQL-3.1.2-13.4.i386.rpm
c5372ac10529b611504c48fd1876d32a qt-config-3.1.2-13.4.i386.rpm
dde05008907a4402aeec64bd1fef25d8 qt-designer-3.1.2-13.4.i386.rpm
7e9621c8793aeece8c6697a301fdaf85 qt-devel-3.1.2-13.4.i386.rpm

x86_64:
24fbbe3a8cc3a9636e64cbecb62c52c1 qt-3.1.2-13.4.x86_64.rpm
b4ca1ae5a331c4d30d75d2dcd1e53280 qt-MySQL-3.1.2-13.4.x86_64.rpm
a684d66936b37ed87281ce2f8a49448b qt-config-3.1.2-13.4.x86_64.rpm
d945dc65e4120b87f0fa6c0a77c129ee qt-designer-3.1.2-13.4.x86_64.rpm
814f662f0561c1dc07cb60a287487494 qt-devel-3.1.2-13.4.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/qt-3.1.2-13.4.src.rpm
f798532e2259e3027eb64a86f471c989 qt-3.1.2-13.4.src.rpm

i386:
171e31325a6974fe6b3161b0dd935e05 qt-3.1.2-13.4.i386.rpm
53450013bb108936c88d7a68797400b5 qt-MySQL-3.1.2-13.4.i386.rpm
c5372ac10529b611504c48fd1876d32a qt-config-3.1.2-13.4.i386.rpm
dde05008907a4402aeec64bd1fef25d8 qt-designer-3.1.2-13.4.i386.rpm
7e9621c8793aeece8c6697a301fdaf85 qt-devel-3.1.2-13.4.i386.rpm

ia64:
0162f98d41303ed47435fd634a49aa16 qt-3.1.2-13.4.ia64.rpm
83f81146ad6ff84575f221104e109a10 qt-MySQL-3.1.2-13.4.ia64.rpm
0b81a3f2c8ab00775d533c30129fe314 qt-config-3.1.2-13.4.ia64.rpm
d7ff6cb677ea02273909f44018a4de02 qt-designer-3.1.2-13.4.ia64.rpm
c93acbc881f899cbd944f74c2710c1dd qt-devel-3.1.2-13.4.ia64.rpm

x86_64:
24fbbe3a8cc3a9636e64cbecb62c52c1 qt-3.1.2-13.4.x86_64.rpm
b4ca1ae5a331c4d30d75d2dcd1e53280 qt-MySQL-3.1.2-13.4.x86_64.rpm
a684d66936b37ed87281ce2f8a49448b qt-config-3.1.2-13.4.x86_64.rpm
d945dc65e4120b87f0fa6c0a77c129ee qt-designer-3.1.2-13.4.x86_64.rpm
814f662f0561c1dc07cb60a287487494 qt-devel-3.1.2-13.4.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/qt-3.1.2-13.4.src.rpm
f798532e2259e3027eb64a86f471c989 qt-3.1.2-13.4.src.rpm

i386:
171e31325a6974fe6b3161b0dd935e05 qt-3.1.2-13.4.i386.rpm
53450013bb108936c88d7a68797400b5 qt-MySQL-3.1.2-13.4.i386.rpm
c5372ac10529b611504c48fd1876d32a qt-config-3.1.2-13.4.i386.rpm
dde05008907a4402aeec64bd1fef25d8 qt-designer-3.1.2-13.4.i386.rpm
7e9621c8793aeece8c6697a301fdaf85 qt-devel-3.1.2-13.4.i386.rpm

ia64:
0162f98d41303ed47435fd634a49aa16 qt-3.1.2-13.4.ia64.rpm
83f81146ad6ff84575f221104e109a10 qt-MySQL-3.1.2-13.4.ia64.rpm
0b81a3f2c8ab00775d533c30129fe314 qt-config-3.1.2-13.4.ia64.rpm
d7ff6cb677ea02273909f44018a4de02 qt-designer-3.1.2-13.4.ia64.rpm
c93acbc881f899cbd944f74c2710c1dd qt-devel-3.1.2-13.4.ia64.rpm

x86_64:
24fbbe3a8cc3a9636e64cbecb62c52c1 qt-3.1.2-13.4.x86_64.rpm
b4ca1ae5a331c4d30d75d2dcd1e53280 qt-MySQL-3.1.2-13.4.x86_64.rpm
a684d66936b37ed87281ce2f8a49448b qt-config-3.1.2-13.4.x86_64.rpm
d945dc65e4120b87f0fa6c0a77c129ee qt-designer-3.1.2-13.4.x86_64.rpm
814f662f0561c1dc07cb60a287487494 qt-devel-3.1.2-13.4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key.html#package

7. References:

http://www.trolltech.com/developer/changes/changes-3.3.3.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0691
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0692
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0693

8. Contact:

The Red Hat security contact is secalert@redhat.com. More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.