LinuxSecurity.com
Mandriva: Updated netpbm packages fix pnmtopng vulnerabilities
Posted by Benjamin D. Thomas   
Greg Roelofs discovered and fixed several buffer overflows in pnmtopng, which is also included in netpbm, a collection of graphic conversion utilities, that can lead to the execution of arbitrary code via a specially crafted PNM file.
 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2005:217
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : netpbm
 Date    : November 30, 2005
 Affected: 10.1, Corporate 2.1, Corporate 3.0
 _______________________________________________________________________
 
 Problem Description:
 
 Greg Roelofs discovered and fixed several buffer overflows in 
 pnmtopng which is also included in netpbm, a collection of 
 graphic conversion utilities, that can lead to the execution of 
 arbitrary code via a specially crafted PNM file.
 
 Multiple buffer overflows in pnmtopng in netpbm 10.0 and 
 earlier allow attackers to execute arbitrary code via a 
 crafted PNM file. (CVE-2005-3632)
 
 An off-by-one buffer overflow in pnmtopng, when using the -alpha 
 command line option, allows attackers to cause a denial of 
 service (crash) and possibly execute arbitrary code via a 
 crafted PNM file with exactly 256 colors. (CVE-2005-3662)
 
 The updated packages have been patched to correct this problem.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3632
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3662
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 10.1:
 550eae5a55b39101687b7a0532219627  10.1/RPMS/libnetpbm9-9.24-8.2.101mdk.i586.rpm
 b3b2ea4437130703b68a5b3868eaec0b  10.1/RPMS/libnetpbm9-devel-9.24-8.2.101mdk.i586.rpm
 653e84715019165ea620d64e5969714f  10.1/RPMS/libnetpbm9-static-devel-9.24-8.2.101mdk.i586.rpm
 ac1db50f9caf2731a0dbc63e55688ef9  10.1/RPMS/netpbm-9.24-8.2.101mdk.i586.rpm
 c0b1026156fd6376adba353b4f5d0528  10.1/SRPMS/netpbm-9.24-8.2.101mdk.src.rpm

 Mandriva Linux 10.1/X86_64:
 a4fb05222ac3917637ae6a0773f7cdc9  x86_64/10.1/RPMS/lib64netpbm9-9.24-8.2.101mdk.x86_64.rpm
 32951fca67c13886bdb779de08f8edf3  x86_64/10.1/RPMS/lib64netpbm9-devel-9.24-8.2.101mdk.x86_64.rpm
 dafac5b2622f774bc311ef6004e4fa3e  x86_64/10.1/RPMS/lib64netpbm9-static-devel-9.24-8.2.101mdk.x86_64.rpm
 6984338299c35aca2489b8dae94e9e65  x86_64/10.1/RPMS/netpbm-9.24-8.2.101mdk.x86_64.rpm
 c0b1026156fd6376adba353b4f5d0528  x86_64/10.1/SRPMS/netpbm-9.24-8.2.101mdk.src.rpm

 Corporate Server 2.1:
 cfeeabb6edac6d7234f6e09beb19ff36  corporate/2.1/RPMS/libnetpbm9-9.24-4.5.C21mdk.i586.rpm
 4b34fb42803f511646d0129d7fc7dd2f  corporate/2.1/RPMS/libnetpbm9-devel-9.24-4.5.C21mdk.i586.rpm
 89b46b4d6a89797916ee54a48a38a732  corporate/2.1/RPMS/libnetpbm9-static-devel-9.24-4.5.C21mdk.i586.rpm
 c4af1176267c16480c3d15f24dcb5db9  corporate/2.1/RPMS/netpbm-9.24-4.5.C21mdk.i586.rpm
 0bf9af1326905eb13fb3f4fb66424653  corporate/2.1/SRPMS/netpbm-9.24-4.5.C21mdk.src.rpm

 Corporate Server 2.1/X86_64:
 27b0f5ef22581bc5c5c23bf880302c58  x86_64/corporate/2.1/RPMS/libnetpbm9-9.24-4.5.C21mdk.x86_64.rpm
 1743d3247a1e3de046fbf31ce37e443d  x86_64/corporate/2.1/RPMS/libnetpbm9-devel-9.24-4.5.C21mdk.x86_64.rpm
 4e67e3d7940f30c3bc86cf5a2f215543  x86_64/corporate/2.1/RPMS/libnetpbm9-static-devel-9.24-4.5.C21mdk.x86_64.rpm
 7ab637139c9b1977923cae04dd3cc9de  x86_64/corporate/2.1/RPMS/netpbm-9.24-4.5.C21mdk.x86_64.rpm
 0bf9af1326905eb13fb3f4fb66424653  x86_64/corporate/2.1/SRPMS/netpbm-9.24-4.5.C21mdk.src.rpm

 Corporate 3.0:
 784b993f4e0409fe5255c3228c72ea3b  corporate/3.0/RPMS/libnetpbm9-9.24-8.3.C30mdk.i586.rpm
 319272b7f74900cabd06c6fa5e0b52b2  corporate/3.0/RPMS/libnetpbm9-devel-9.24-8.3.C30mdk.i586.rpm
 e6feb19b8b2c0ac6d522c1a73035811d  corporate/3.0/RPMS/libnetpbm9-static-devel-9.24-8.3.C30mdk.i586.rpm
 42406aa8e04afd173d2194b50d11ca13  corporate/3.0/RPMS/netpbm-9.24-8.3.C30mdk.i586.rpm
 17a729bc07c296f77efb87301d122aa6  corporate/3.0/SRPMS/netpbm-9.24-8.3.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 d0f1d6da66166acfc0ce18dfd55548e1  x86_64/corporate/3.0/RPMS/lib64netpbm9-9.24-8.3.C30mdk.x86_64.rpm
 9e5d975423d7d00a1cfc5b1ea87c07c4  x86_64/corporate/3.0/RPMS/lib64netpbm9-devel-9.24-8.3.C30mdk.x86_64.rpm
 f3f7f6ec681c2edbf29e789e1f9e1887  x86_64/corporate/3.0/RPMS/lib64netpbm9-static-devel-9.24-8.3.C30mdk.x86_64.rpm
 5f27304b1b68639211c34e573c163b52  x86_64/corporate/3.0/RPMS/netpbm-9.24-8.3.C30mdk.x86_64.rpm
 17a729bc07c296f77efb87301d122aa6  x86_64/corporate/3.0/SRPMS/netpbm-9.24-8.3.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
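
For packages fetched by hand rather than through MandrivaUpdate or urpmi, the md5 lines under "Updated Packages" can be checked with a short script. This is an added example, not part of the Mandriva advisory; the function name `verify_advisory_md5` and the idea of saving the advisory text to a file are assumptions. MD5 only catches corrupted or mismatched files, so the GPG signature check (`rpm --checksig`) remains the authenticity check.

```shell
#!/bin/sh
# Added example (not Mandriva's code): compare downloaded RPMs with the
# "<md5>  <path>/<file>.rpm" lines of a saved copy of the advisory.
# Usage: verify_advisory_md5 ADVISORY_FILE RPM_DIR
# Returns 0 only if at least one RPM was checked and every one matched.
verify_advisory_md5() {
    advisory=$1 dir=$2 checked=0 bad=0
    for f in "$dir"/*.rpm; do
        [ -f "$f" ] || continue          # glob matched nothing
        name=$(basename "$f")
        # Expected sums: two-field lines whose first field is 32 hex chars
        # and whose path ends in this file name. The same SRPM is listed
        # under several paths, so duplicates are collapsed.
        expected=$(awk -v n="$name" '
            NF == 2 && length($1) == 32 && $1 ~ /^[0-9a-f]+$/ {
                k = split($2, p, "/")
                if (p[k] == n) print $1
            }' "$advisory" | sort -u)
        actual=$(md5sum "$f" | awk '{print $1}')
        checked=$((checked + 1))
        if [ -z "$expected" ]; then
            echo "UNLISTED $name"        # not named in the advisory
            bad=$((bad + 1))
        elif printf '%s\n' "$expected" | grep -qx "$actual"; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"
            bad=$((bad + 1))
        fi
    done
    [ "$checked" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Run directly: sh verify.sh advisory.txt ./downloads
if [ "$#" -eq 2 ]; then
    verify_advisory_md5 "$1" "$2"
fi
```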
  
 