Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY LINKS NEWS MAN DOCUMENTATION

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>

Date: Mon, 18 Nov 2002 12:10:49 -0200
From: [email protected]
To: [email protected], [email protected],
Subject: [CLA-2002:548] Conectiva Linux Security Announcement - windowmaker

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --------------------------------------------------------------------------

PACKAGE   : windowmaker
SUMMARY   : Integer buffer overflow vulnerability
DATE      : 2002-11-18 12:10:00
ID        : CLA-2002:548
RELEVANT
RELEASES  : 6.0, 7.0, 8

- -------------------------------------------------------------------------

DESCRIPTION
 Window Maker[1] is a very popular window manager.
 
 Al Viro reported a vulnerability[2] in a function that is used when
 Window Maker loads images. This function is used, for example, when a
 new background image is configured, and when previewing themes.
 
 This function calculates the ammount of memory necessary to load the
 image by doing a multiplication. It does not, however, check the
 result of this multiplication, which could suffer an integer overflow
 and not fit into the destination variable. Given a sufficiently large
 height and/or width parameter, a less than needed ammount of memory
 would be allocated, which would result in a buffer overflow later on
 when the image is actually loaded.
 
 A possible scenario for this vulnerability could be that of an
 attacker making a specially crafted image available and convincing an
 unsuspecting user to set it as a background image.


SOLUTION
 It is recommended that all Window Maker users upgrade their
 packages.
 
 IMPORTANT: if Window Maker is in use during the update, it will have
 to be restarted manually. This can be done via the "Exit -> Restart"
 menu.
 
 
 REFERENCES
 1. http://www.windowmaker.org/
 2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1277


DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/WindowMaker-0.62.1-13U60_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/WindowMaker-0.62.1-13U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/WindowMaker-devel-0.62.1-13U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/WindowMaker-0.65.1-2U70_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/WindowMaker-0.65.1-2U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/WindowMaker-devel-0.65.1-2U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/WindowMaker-devel-static-0.65.1-2U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/WindowMaker-doc-0.65.1-2U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/WindowMaker-0.80.0-3U80_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/WindowMaker-0.80.0-3U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/WindowMaker-devel-0.80.0-3U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/WindowMaker-devel-static-0.80.0-3U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/WindowMaker-doc-0.80.0-3U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/libwraster-2.2.0-13U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/libwraster-devel-2.2.0-13U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/libwraster-devel-static-2.2.0-13U80_1cl.i386.rpm


ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform 
 upgrades of RPM packages:
 - add the following line to /etc/apt/sources.list if it is not there yet
   (you may also use linuxconf to do this):

 rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions reagarding the use of apt and upgrade examples 
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
subscribe: [email protected]
unsubscribe: [email protected]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE92PTo42jd0JmAcZARAuaiAJ9fFjBSaM+nIbyEETz0owqzgv1jOQCgoO/M
JMwiprOgrWPFCrAODLMuUOA=
=vtFt
-----END PGP SIGNATURE-----

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>

Партнёры:

Хостинг: