Red Hat 9038 Published by

Fedora Legacy Update Advisory

Synopsis: Updated libungif packages fix security issues
Advisory ID: FLSA:174479
Issue date: 2006-03-16
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2005-2974 CVE-2005-3350
---------------------------------------------------------------------



---------------------------------------------------------------------
1. Topic:

Updated libungif packages that fix two security issues are now
available.

The libungif package contains a shared library of functions for loading
and saving GIF format image files.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

Several bugs in the way libungif decodes GIF images were discovered. An
attacker could create a carefully crafted GIF image file in such a way
that it could cause an application linked with libungif to crash or
execute arbitrary code when the file is opened by a victim. The Common
Vulnerabilities and Exposures project has assigned the names
CVE-2005-2974 and CVE-2005-3350 to these issues.

All users of libungif are advised to upgrade to these updated packages,
which contain backported patches that resolve these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=174479

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/libungif-4.1.0-10.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/libungif-4.1.0-10.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/libungif-devel-4.1.0-10.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/libungif-progs-4.1.0-10.2.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/libungif-4.1.0-15.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/libungif-4.1.0-15.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/libungif-devel-4.1.0-15.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/libungif-progs-4.1.0-15.2.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/libungif-4.1.0-16.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/libungif-4.1.0-16.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/libungif-devel-4.1.0-16.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/libungif-progs-4.1.0-16.2.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/libungif-4.1.0-17.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/libungif-4.1.0-17.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/libungif-devel-4.1.0-17.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/libungif-progs-4.1.0-17.3.legacy.i386.rpm


7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------

540bf946dff308b065de73d7ce6ab9eb8d8c504a
redhat/7.3/updates/i386/libungif-4.1.0-10.2.legacy.i386.rpm
840791ef661042f779275b7c835760ab521a8d80
redhat/7.3/updates/i386/libungif-devel-4.1.0-10.2.legacy.i386.rpm
81f2ed8f2bae2785ec2820234875b870f583c7ce
redhat/7.3/updates/i386/libungif-progs-4.1.0-10.2.legacy.i386.rpm
8e039159be2bf479bf2bdb84ebadc2a364b3bd06
redhat/7.3/updates/SRPMS/libungif-4.1.0-10.2.legacy.src.rpm

c78cfe7b9a7e46d45865fcebad0956efb8962970
redhat/9/updates/i386/libungif-4.1.0-15.2.legacy.i386.rpm
1b8a2ff811fca4b56850adfc5fc602bd140876d8
redhat/9/updates/i386/libungif-devel-4.1.0-15.2.legacy.i386.rpm
35f6365684cec0da676b5c5fea9bdf2e9863d1ff
redhat/9/updates/i386/libungif-progs-4.1.0-15.2.legacy.i386.rpm
cb023ca008db9d81ad6d730cb714cb1f51ea97f3
redhat/9/updates/SRPMS/libungif-4.1.0-15.2.legacy.src.rpm

351c84419dfff38690db6f343fa91a41e6b2af1e
fedora/1/updates/i386/libungif-4.1.0-16.2.legacy.i386.rpm
72af8bc46a9deb31ede1fc773866e67f20f0da0b
fedora/1/updates/i386/libungif-devel-4.1.0-16.2.legacy.i386.rpm
3d36816c8ec4479647419402be97568fade3088e
fedora/1/updates/i386/libungif-progs-4.1.0-16.2.legacy.i386.rpm
92a4859d10e58f5abc85e7e22c89e4cf4911fbf0
fedora/1/updates/SRPMS/libungif-4.1.0-16.2.legacy.src.rpm

3a87b57220b6b788150d240977774dc54f6732fe
fedora/2/updates/i386/libungif-4.1.0-17.3.legacy.i386.rpm
c2d7e51e31ecb48546712d0c6f9998601af6daec
fedora/2/updates/i386/libungif-devel-4.1.0-17.3.legacy.i386.rpm
fbde1aceba27f12aacb41c8acbe2cf58a59cc121
fedora/2/updates/i386/libungif-progs-4.1.0-17.3.legacy.i386.rpm
609e3081132c7dca0da32f631e5ec4117df51265
fedora/2/updates/SRPMS/libungif-4.1.0-17.3.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2974
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3350

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More
project details at http://www.fedoralegacy.org