[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] SCOSA-2006.8 OpenServer 5.0.6 OpenServer 5.0.7 OpenServer 6.0.0 :GTK+ gdk-pixbufXPM Loader Heap Overflow Vulnerability
- To: security-announce@xxxxxxxxxxxx
- Subject: [Full-disclosure] SCOSA-2006.8 OpenServer 5.0.6 OpenServer 5.0.7 OpenServer 6.0.0 :GTK+ gdk-pixbufXPM Loader Heap Overflow Vulnerability
- From: security@xxxxxxx
- Date: Fri, 13 Jan 2006 11:00:24 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject: OpenServer 5.0.6 OpenServer 5.0.7 OpenServer 6.0.0 :
GTK+ gdk-pixbuf XPM Loader Heap Overflow Vulnerability
Advisory number: SCOSA-2006.8
Issue date: 2006 January 13
Cross reference: fz533256
CVE-2005-3186
______________________________________________________________________________
1. Problem Description
Integer overflow in the GTK+ gdk-pixbuf XPM image rendering
library in GTK+ allows attackers to execute arbitrary code via
an XPM file with a number of colors that causes insufficient
memory to be allocated, which leads to a heap-based buffer
overflow.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2005-3186 to this issue.
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------------
OpenServer 5.0.6 /usr/lib/gtk-2.0/2.4.0/loaders/libpixbufloader_xpm.so
OpenServer 5.0.7 /usr/lib/gtk-2.0/2.4.0/loaders/libpixbufloader_xpm.so
OpenServer 6.0.0
/osr5/usr/lib/gtk-2.0/2.4.0/loaders/libpixbufloader_xpm.so
/usr/lib/gtk-2.0/2.4.0/loaders/libpixbufloader_xpm.so
3. Solution
The proper solution is to install the latest packages.
4. OpenServer 5.0.6
4.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2006.8
4.2 Verification
MD5 (p533256.507_vol.tar) = e61c97d16e43e72f7b00a3892756e805
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
The following packages should be installed on your system before
you install this fix:
OSS646C:
ftp://ftp.sco.com/pub/openserver5/oss646c/
GWXLIBS version 2.1.0:
ftp://ftp.sco.com/pub/openserver5/opensrc/gwxlibs-2.1.0Ba/
Upgrade the affected binaries with the following sequence:
1) Download p533256.507_vol.tar file to a directory.
2) Extract VOL* files.
# tar xvf p533256.507_vol.tar
3) Run the custom command, specify an install from media images,
and specify the directory as the location of the images.
5. OpenServer 5.0.7
5.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2006.8
5.2 Verification
MD5 (p533256.507_vol.tar) = e61c97d16e43e72f7b00a3892756e805
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
5.3 Installing Fixed Binaries
The following package should be installed on your system before
you install this fix:
osr507mp4:
http://www.sco.com/support/update/download/release.php?rid=116
Upgrade the affected binaries with the following sequence:
1) Download p533256.507_vol.tar file to a directory.
2) Extract VOL* files.
# tar xvf p533256.507_vol.tar
3) Run the custom command, specify an install from media images,
and specify the directory as the location of the images.
6. OpenServer 6.0.0
6.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2006.8
6.2 Verification
MD5 (p533256.600_vol.tar) = ff1837fba28127fb647fd07cec2b9abf
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
6.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
1) Download p533256.600_vol.tar file to a directory.
2) Extract VOL* files.
# tar xvf p533256.600_vol.tar
3) Run the custom command, specify an install from media images,
and specify the directory as the location of the images.
7. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3186
http://secunia.com/advisories/17522
http://securitytracker.com/id?1015216
http://www.frsirt.com/english/advisories/2005/2433
http://www.idefense.com/application/poi/display?id=339&type=vulnerabilities
http://www.securityfocus.com/bid/15435
SCO security resources:
http://www.sco.com/support/security/index.html
SCO security advisories via email
http://www.sco.com/support/forums/security.html
This security fix closes SCO incidents fz533256.
8. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (UnixWare)
iD8DBQFDx8qFaqoBO7ipriERAttIAJ4o2SJQ0ClPFSUt64h6qQjtWXSP8gCeL8p0
/sS0YV9ygYVzTRveExSI4uc=
=xIHD
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/