Slackware: qt vulnerabilities
Posted by LinuxSecurity.com Team   
Bugs in the routines that handle PNG, BMP, GIF, and JPEG images may allow an attacker to cause unauthorized code to execute when a specially crafted image file is processed.

[slackware-security]  Qt (SSA:2004-236-01)


New Qt packages are available for Slackware 9.0, 9.1, 10.0, and -current to
fix security issues.  Bugs in the routines that handle PNG, BMP, GIF, and
JPEG images may allow an attacker to cause unauthorized code to execute when
a specially crafted image file is processed.  These flaws may also cause
crashes that lead to a denial of service.

More details about these issues may be found in the Common
Vulnerabilities and Exposures (CVE) database:

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0691
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0692
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0693


Here are the details from the Slackware 10.0 ChangeLog:
+--------------------------+
Mon Aug 23 12:12:58 PDT 2004
patches/packages/qt-3.3.3-i486-1.tgz:  Upgraded to qt-3.3.3.
  This fixes bugs in the image loading routines which could be
  used by an attacker to run unauthorized code or create a
  denial-of-service.
  For more details, see:
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0691
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0692
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0693
  (* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

Updated package for Slackware 9.0: 
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/kde/qt-3.1.2-i486-4.tgz

Updated package for Slackware 9.1: 
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/qt-3.2.1-i486-2.tgz

Updated package for Slackware 10.0: 
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/qt-3.3.3-i486-1.tgz

Updated package for Slackware -current: 
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/kde/qt-3.3.3-i486-1.tgz


MD5 signatures:
+-------------+

Slackware 9.0 package:
1c08c5c4565bc9705c77c68158b243ff  qt-3.1.2-i486-4.tgz

Slackware 9.1 package:
0ac3036c617f3236d868524d7b04c9ac  qt-3.2.1-i486-2.tgz

Slackware 10.0 package:
58f31da25d9e03b6d00bda1402c361ef  qt-3.3.3-i486-1.tgz

Slackware -current package:
58f31da25d9e03b6d00bda1402c361ef  qt-3.3.3-i486-1.tgz


Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg qt-3.3.3-i486-1.tgz


+-----+

Slackware Linux Security Team 
http://slackware.com/gpg-key
security@slackware.com
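
The checksum and upgrade steps above can be combined so that upgradepkg only runs on a file whose MD5 matches the advisory's list. The shell functions below are an added example, not part of the Slackware advisory; the names expected_md5 and verify_pkg are hypothetical, and md5sum and awk are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the advisory): verify a downloaded package against
# the advisory's MD5 list before handing it to upgradepkg.

# MD5 list copied from the "MD5 signatures" section of this advisory.
ADVISORY_MD5='1c08c5c4565bc9705c77c68158b243ff  qt-3.1.2-i486-4.tgz
0ac3036c617f3236d868524d7b04c9ac  qt-3.2.1-i486-2.tgz
58f31da25d9e03b6d00bda1402c361ef  qt-3.3.3-i486-1.tgz'

# expected_md5 LIST FILENAME
# Prints the digest listed for FILENAME; fails if the name is not in LIST.
expected_md5() {
    printf '%s\n' "$1" | awk -v f="$2" '
        $2 == f && length($1) == 32 { print $1; found = 1; exit }
        END { exit !found }'
}

# verify_pkg LIST PATH
# Returns 0 on match, 1 on mismatch, 2 if PATH is missing,
# 3 if the advisory lists no digest for that file name.
verify_pkg() {
    list=$1
    pkg=$2
    name=$(basename "$pkg")
    [ -f "$pkg" ] || { echo "missing: $pkg" >&2; return 2; }
    want=$(expected_md5 "$list" "$name") || {
        echo "no MD5 listed for $name" >&2; return 3; }
    have=$(md5sum < "$pkg" | awk '{ print $1 }')
    if [ "$have" = "$want" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name (expected $want, got $have)" >&2
    return 1
}

# Usage, as root, for the Slackware 10.0 package:
#   verify_pkg "$ADVISORY_MD5" qt-3.3.3-i486-1.tgz && upgradepkg qt-3.3.3-i486-1.tgz
```

The comparison only shows that the file is the one this copy of the advisory lists, so take the MD5 list from a copy of the advisory you trust.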