Red Hat 9037 Published by

Fedora Legacy Update Advisory

Synopsis: Updated lesstif packages fix security issues
Advisory ID: FLSA:152803
Issue date: 2006-01-09
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2004-0687 CVE-2004-0688 CVE-2004-0914
CVE-2005-0605



---------------------------------------------------------------------
1. Topic:

Updated lesstif packages that fix flaws in the Xpm image library are
now available.

lesstif is a free replacement for OSF/Motif(R), which provides a full
set of widgets for application development.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

During a source code audit, Chris Evans and others discovered several
stack overflow flaws and an integer overflow flaw in the libXpm library
used to decode XPM (X PixMap) images. A vulnerable version of this
library was found within LessTif. An attacker could create a carefully
crafted XPM file which would cause an application to crash or
potentially execute arbitrary code if opened by a victim. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
names CVE-2004-0687, CVE-2004-0688, and CVE-2004-0914 to these issues.

An integer overflow flaw was found in libXpm; a vulnerable version of
this library is found within LessTif. An attacker could create a
malicious XPM file that would execute arbitrary code if opened by a
victim using an application linked to LessTif. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2005-0605 to this issue.

Users of lesstif are advised to upgrade to these errata packages,
which contain backported security patches correcting these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152803
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135081

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/lesstif-0.93.18-2.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/lesstif-0.93.18-2.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/lesstif-devel-0.93.18-2.3.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/lesstif-0.93.36-3.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/lesstif-0.93.36-3.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/lesstif-devel-0.93.36-3.3.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/lesstif-0.93.36-4.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/lesstif-0.93.36-4.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/lesstif-devel-0.93.36-4.3.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/lesstif-0.93.36-5.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/lesstif-0.93.36-5.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/lesstif-devel-0.93.36-5.3.legacy.i386.rpm


7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------

83e9647ade78338b07abdb618f5d88b0ed12b46b
redhat/7.3/updates/i386/lesstif-0.93.18-2.3.legacy.i386.rpm
c9dcedad7c1576504e12340753b391181d613714
redhat/7.3/updates/i386/lesstif-devel-0.93.18-2.3.legacy.i386.rpm
649a15edc64e3847238eb252be93db1583baa1cc
redhat/7.3/updates/SRPMS/lesstif-0.93.18-2.3.legacy.src.rpm

a4a8e6e888234cb0751800c181430db4c7b524e6
redhat/9/updates/i386/lesstif-0.93.36-3.3.legacy.i386.rpm
0804ad3304bf12be7f1ab71a463e980f4ea17975
redhat/9/updates/i386/lesstif-devel-0.93.36-3.3.legacy.i386.rpm
51459c1f41f08654e13b4f22bb76082ed04bbbde
redhat/9/updates/SRPMS/lesstif-0.93.36-3.3.legacy.src.rpm

9d8c60a5d5fd55081cd0e7f4ac9c349393c851c8
fedora/1/updates/i386/lesstif-0.93.36-4.3.legacy.i386.rpm
7453bc2247080a99da8cb3aba8adb768191fa30f
fedora/1/updates/i386/lesstif-devel-0.93.36-4.3.legacy.i386.rpm
0131e9cd6d912798c1ad0b45a0195fc9b3e6cfe3
fedora/1/updates/SRPMS/lesstif-0.93.36-4.3.legacy.src.rpm

00c8b8ed1cc28659d23e3a786ee12b0bfa1eb10d
fedora/2/updates/i386/lesstif-0.93.36-5.3.legacy.i386.rpm
051563d1c29930fc45f3184ff9abbcf92daf1b74
fedora/2/updates/i386/lesstif-devel-0.93.36-5.3.legacy.i386.rpm
2bb39e060197d2bed2f9e7448b9a6e68c72555f5
fedora/2/updates/SRPMS/lesstif-0.93.36-5.3.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0687
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0688
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0914
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0605

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More
project details at http://www.fedoralegacy.org