The following URL contains source and binary packages for powerpc resolving
CAN-2005-0605[1], which is described as:
The XPM library's scan.c file may allow attackers to execute arbitrary code
by crafting a malicious XPM image file containing a negative bitmap_unit
value that provokes a buffer overflow.
http://redwald.deadbeast.net/tmp/CAN-2005-0605/
I'm attaching a GPG-signed file, MD5SUMS.txt, that you can use to verify
the download.
This package makes two changes:
1) It applies the purported fix for CAN-2005-0605. I know of no exploit
for this vulnerability, so I was unable to test this.
2) It fixes the regression in XPM file-writing introduced by the fix for
CAN-2004-0914 (in -16woody5). I confirmed that saving XPM files in a
woody environment with -16woody5 with the GIMP didn't work, and that
upgrading to -16woody6 restored the functionality.
Please also find at the above URL:
* my package build log, xfree86_4.1.0-16woody6_powerpc.build; I built in a
clean, up-to-date woody chroot
* xfree86_4.1.0-16woody6_qa_install_purge.typescript, a transcript of
installing and purging these packages in a woody chroot
* xfree86_4.1.0-16woody6_qa_upgrade_downgrade.typescript, a transcript of
upgrading these packages from -16woody5 and downgrading them back to
-16woody5 in a woody chroot
* test-x11-packages, the shell script I used to automate the above QA tests
Please let me know if you require anything else regarding this
vulnerability.
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0605
--
G. Branden Robinson                |     Somewhere, there is a .sig so funny
Debian GNU/Linux                   |     that reading it will cause an
<email address hidden>             |     aneurysm. This is not that .sig.
http://people.debian.org/~branden/ |