(Conectiva Issues Fix) Qt Image File Buffer Overflows May Let Remote Users Execute Arbitrary Code or Crash the System
|
|
SecurityTracker Alert ID: 1011400 |
|
SecurityTracker URL: http://securitytracker.com/id/1011400
|
|
CVE Reference:
CAN-2004-0691, CAN-2004-0692, CAN-2004-0693
(Links to External Site)
|
Date: Sep 23 2004
|
Impact:
Denial of service via network, Execution of arbitrary code via network, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 3.3.2
|
Description:
Several vulnerabilities were reported in Qt. A remote user can create a specially crafted image file that, when viewed by the target user, will execute arbitrary code.
It is reported that Chris Evans discovered a heap-based buffer overflow in the Qt library in the processing of 8-bit RLE encoded BMP files. A remote user can create a specially crafted BMP file that, when viewed by the target user, will execute arbitrary code on the target user's system.
It is also reported that the handlers for XPM, GIF, and JPEG image types are also vulnerable.
[Editor's note: It appears that these flaws are related to the recently reported libpng vulnerabilities. However, we are issuing a separate alert because, according to Mandrake, separate CVE numbers have been issued.]
|
Impact:
A remote user may be able to cause an affected application to crash or execute arbitrary code. The specific impact depends on the application using Qt.
|
Solution:
Conectiva has released a fix.
ftp://atualizacoes.conectiva.com.br/10/SRPMS/qt3-3.2.3-55983U10_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-3.2.3-55983U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-assistant-lib-3.2.3-55983U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-database-plugin-mysql-3.2.3-55983U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-database-plugin-odbc-3.2.3-55983U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-database-plugin-pgsql-3.2.3-55983U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-designer-3.2.3-55983U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-designer-lib-3.2.3-55983U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-devel-3.2.3-55983U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-devel-static-3.2.3-55983U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-doc-3.2.3-55983U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-examples-3.2.3-55983U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-linguist-3.2.3-55983U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-tutorial-3.2.3-55983U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/qt3-3.1.1-27866U90_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-3.1.1-27866U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-assistant-lib-3.1.1-27866U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-database-plugin-mysql-3.1.1-27866U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-database-plugin-odbc-3.1.1-27866U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-database-plugin-pgsql-3.1.1-27866U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-designer-3.1.1-27866U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-designer-lib-3.1.1-27866U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-devel-3.1.1-27866U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-devel-static-3.1.1-27866U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-doc-3.1.1-27866U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-examples-3.1.1-27866U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-linguist-3.1.1-27866U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-tutorial-3.1.1-27866U90_1cl.i386.rpm
Conectiva notes that it is important to restart all applications linked against libqt after the upgrade in order to close the vulnerabilities.
|
Vendor URL: www.trolltech.com/newsroom/announcements/00000174.html (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS:
Linux (Conectiva)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Wed, 22 Sep 2004 11:01:41 -0300
Subject: [Conectiva-updates] [CLA-2004:866] Conectiva Security Announcement
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------
PACKAGE : qt3
SUMMARY : Fixes for image loader vulnerabilities
DATE : 2004-09-22 10:55:00
ID : CLA-2004:866
RELEVANT
RELEASES : 9, 10
- -------------------------------------------------------------------------
DESCRIPTION
QT[1] is a cross-platform GUI toolkit mostly used by KDE.
Chris Evans found[2] a heap overflow vulnerability[3] in the QT
library when handling 8-bit RLE encoded BMP files. An attacker could
use this to compromise the account used to view the specially crafted
image. Further investigations found similar vulnerabilities in
XPM[4], GIF[5] and JPEG image handlers.
SOLUTION
It is recommended that all qt users upgrade their packages.
IMPORTANT: all applications linked against libqt must be restarted
after the upgrade in order to close the vulnerabilities.
REFERENCES
1.http://www.qt.org
2.http://marc.theaimsgroup.com/?l=bugtraq&m=109295309008309&w=2
3.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0691
4.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0692
5.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0693
UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/10/SRPMS/qt3-3.2.3-55983U10_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-3.2.3-55983U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-assistant-lib-3.2.3-55983U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-database-plugin-mysql-3.2.3-55983U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-database-plugin-odbc-3.2.3-55983U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-database-plugin-pgsql-3.2.3-55983U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-designer-3.2.3-55983U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-designer-lib-3.2.3-55983U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-devel-3.2.3-55983U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-devel-static-3.2.3-55983U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-doc-3.2.3-55983U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-examples-3.2.3-55983U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-linguist-3.2.3-55983U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/qt3-tutorial-3.2.3-55983U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/qt3-3.1.1-27866U90_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-3.1.1-27866U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-assistant-lib-3.1.1-27866U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-database-plugin-mysql-3.1.1-27866U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-database-plugin-odbc-3.1.1-27866U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-database-plugin-pgsql-3.1.1-27866U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-designer-3.1.1-27866U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-designer-lib-3.1.1-27866U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-devel-3.1.1-27866U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-devel-static-3.1.1-27866U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-doc-3.1.1-27866U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-examples-3.1.1-27866U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-linguist-3.1.1-27866U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/qt3-tutorial-3.1.1-27866U90_1cl.i386.rpm
ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM packages upgrades:
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions regarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
- -------------------------------------------------------------------------
Copyright (c) 2004 Conectiva Inc.
http://www.conectiva.com
- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQFBUYXE42jd0JmAcZARAtUDAKC9TfO0xsyVxgjIwcuQk0a36iZpDwCfTqKb
+PK1D3jUXEGD3/BeF9LODks=
=CjCU
-----END PGP SIGNATURE-----
______________________________________________________________________
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
|
|
