Netzwerk Sicherheits Prüfungen / Anfälligkeitsfeststellung von SecuritySpace

Anfälligkeitssuche		Suche in 219043 CVE Beschreibungen und 99761 Test Beschreibungen, Zugriff auf 10,000+ Quellverweise.
	Tests CVE Alle

Synopsis:          Updated NetPBM packages fix multiple vulnerabilities
Advisory ID:       RHSA-2003:061-01
Issue date:        2003-03-31
Updated on:        2003-03-31
Product:           Red Hat Enterprise Linux
Keywords:=20=20=20=20=20=20=20=20=20=20
Cross references:  RHSA-2002:048 RHSA-2002:059
Obsoletes:=20=20=20=20=20=20=20=20=20
CVE Names:         CAN-2003-0146
---------------------------------------------------------------------

1. Topic:

Updated NetPBM packages are available that fix a number of vulnerabilities
in the netpbm libraries.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386

3. Problem description:

The netpbm package contains a library of functions that support
programs for handling various graphics file formats, including .pbm
(portable bitmaps), .pgm (portable graymaps), .pnm (portable anymaps),
.ppm (portable pixmaps), and others.

During an audit of the NetPBM library, Al Viro, Alan Cox, and Sebastian
Krahmer found a number of bugs that are potentially exploitable.  These
bugs could be exploited by creating a carefully crafted image in such a way
that it executes arbitrary code when it is processed by either an
application from the netpbm-progs package or an application that uses the
vulnerable netpbm library.

One way that an attacker could exploit these vulnerabilities would be to=20
submit a carefully crafted image to be printed, as the LPRng print spooler
used by default in Red Hat Linux Advanced Products releases uses netpbm
utilities to parse various types of image files.

Users are advised to upgrade to the updated packages, which contain patches
that correct these vulnerabilities.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

Please note that this update is available via Red Hat Network.  To use Red
Hat Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

84586 - Multiple vulnerabilities in netpbm

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/netpbm-9.24-9.AS21.2.=
src.rpm

i386:
Available from Red Hat Network: netpbm-9.24-9.AS21.2.i386.rpm
Available from Red Hat Network: netpbm-progs-9.24-9.AS21.2.i386.rpm
Available from Red Hat Network: netpbm-devel-9.24-9.AS21.2.i386.rpm

ia64:
Available from Red Hat Network: netpbm-9.24-9.AS21.2.ia64.rpm
Available from Red Hat Network: netpbm-progs-9.24-9.AS21.2.ia64.rpm
Available from Red Hat Network: netpbm-devel-9.24-9.AS21.2.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/netpbm-9.24-9.AS21.2.=
src.rpm

ia64:
Available from Red Hat Network: netpbm-9.24-9.AS21.2.ia64.rpm
Available from Red Hat Network: netpbm-progs-9.24-9.AS21.2.ia64.rpm
Available from Red Hat Network: netpbm-devel-9.24-9.AS21.2.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/netpbm-9.24-9.AS21.2.=
src.rpm

i386:
Available from Red Hat Network: netpbm-9.24-9.AS21.2.i386.rpm
Available from Red Hat Network: netpbm-progs-9.24-9.AS21.2.i386.rpm
Available from Red Hat Network: netpbm-devel-9.24-9.AS21.2.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/netpbm-9.24-9.AS21.2.=
src.rpm

i386:
Available from Red Hat Network: netpbm-9.24-9.AS21.2.i386.rpm
Available from Red Hat Network: netpbm-progs-9.24-9.AS21.2.i386.rpm
Available from Red Hat Network: netpbm-devel-9.24-9.AS21.2.i386.rpm

7. Verification:

MD5 sum                          Package Name
--------------------------------------------------------------------------
6fbf93f60bdf2da612a836be0d4d3f52 2.1AS/en/os/SRPMS/netpbm-9.24-9.AS21.2.src=
.rpm
20b43ed951b688da3ffcc7734d31f391 2.1AS/en/os/i386/netpbm-9.24-9.AS21.2.i386=
.rpm
c0cefe573eedecb414df3330f0082915 2.1AS/en/os/i386/netpbm-devel-9.24-9.AS21.=
2.i386.rpm
0ab35f51d82f01723282842561adc48e 2.1AS/en/os/i386/netpbm-progs-9.24-9.AS21.=
2.i386.rpm
b0279af8cc9f4de0ea6a963826a58894 2.1AS/en/os/ia64/netpbm-9.24-9.AS21.2.ia64=
.rpm
2380b60da4c6721319900bc2b6678fcf 2.1AS/en/os/ia64/netpbm-devel-9.24-9.AS21.=
2.ia64.rpm
e7b2957c8699aaf3aa33584fefe7066c 2.1AS/en/os/ia64/netpbm-progs-9.24-9.AS21.=
2.ia64.rpm
6fbf93f60bdf2da612a836be0d4d3f52 2.1AW/en/os/SRPMS/netpbm-9.24-9.AS21.2.src=
.rpm
b0279af8cc9f4de0ea6a963826a58894 2.1AW/en/os/ia64/netpbm-9.24-9.AS21.2.ia64=
.rpm
2380b60da4c6721319900bc2b6678fcf 2.1AW/en/os/ia64/netpbm-devel-9.24-9.AS21.=
2.ia64.rpm
e7b2957c8699aaf3aa33584fefe7066c 2.1AW/en/os/ia64/netpbm-progs-9.24-9.AS21.=
2.ia64.rpm
6fbf93f60bdf2da612a836be0d4d3f52 2.1ES/en/os/SRPMS/netpbm-9.24-9.AS21.2.src=
.rpm
20b43ed951b688da3ffcc7734d31f391 2.1ES/en/os/i386/netpbm-9.24-9.AS21.2.i386=
.rpm
c0cefe573eedecb414df3330f0082915 2.1ES/en/os/i386/netpbm-devel-9.24-9.AS21.=
2.i386.rpm
0ab35f51d82f01723282842561adc48e 2.1ES/en/os/i386/netpbm-progs-9.24-9.AS21.=
2.i386.rpm
6fbf93f60bdf2da612a836be0d4d3f52 2.1WS/en/os/SRPMS/netpbm-9.24-9.AS21.2.src=
.rpm
20b43ed951b688da3ffcc7734d31f391 2.1WS/en/os/i386/netpbm-9.24-9.AS21.2.i386=
.rpm
c0cefe573eedecb414df3330f0082915 2.1WS/en/os/i386/netpbm-devel-9.24-9.AS21.=
2.i386.rpm
0ab35f51d82f01723282842561adc48e 2.1WS/en/os/i386/netpbm-progs-9.24-9.AS21.=
2.i386.rpm

These packages are GPG signed by Red Hat for security.  Our key is
available at http://www.redhat.com/solutions/security/news/publickey/

You can verify each package with the following command:
=20=20=20=20
    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
=20=20=20=20
    md5sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-2003-0146

9. Contact:

The Red Hat security contact is <security@redhat.com>.  More contact
details at http://www.redhat.com/solutions/security/news/contact/

Copyright 2003 Red Hat, Inc.