Message-ID: <email address hidden>
Date: Fri, 11 Mar 2005 03:35:32 -0500
From: Branden Robinson <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: xfree86 4.1.0-16woody6 available to fix CAN-2005-0605

The following URL contains source and binary packages for powerpc resolving
CAN-2005-0605[1], which is described as:

  The XPM library's scan.c file may allow attackers to execute arbitrary code
  by crafting a malicious XPM image file containing a negative bitmap_unit
  value that provokes a buffer overflow.

http://redwald.deadbeast.net/tmp/CAN-2005-0605/

I'm attaching a GPG-signed file, MD5SUMS.txt, that you can use to verify
the download.

This package makes two changes:

1) It applies the purported fix for CAN-2005-0605. I know of no exploit
   for this vulnerability, so I was unable to test this.

2) It fixes the regression in XPM file-writing introduced by the fix for
   CAN-2004-0914 (in -16woody5). I confirmed that saving XPM files in a
   woody environment with -16woody5 with the GIMP didn't work, and that
   upgrading to -16woody6 restored the functionality.

Please also find at the above URL:

* my package build log, xfree86_4.1.0-16woody6_powerpc.build; I built in a
  clean, up-to-date woody chroot
* xfree86_4.1.0-16woody6_qa_install_purge.typescript, a transcript of
  installing and purging these packages in a woody chroot
* xfree86_4.1.0-16woody6_qa_upgrade_downgrade.typescript, a transcript of
  upgrading these packages from -16woody5 and downgrading them back to
  -16woody5 in a woody chroot
* test-x11-packages, the shell script I used to automate the above QA tests

Please let me know if you require anything else regarding this
vulnerability.
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0605

-- 
G. Branden Robinson                |     Somewhere, there is a .sig so funny
Debian GNU/Linux                   |     that reading it will cause an
<email address hidden>             |     aneurysm.  This is not that .sig.
http://people.debian.org/~branden/ |

Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="MD5SUMS.txt"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

dc1bbb9c290e4600aadb70f16a6a5482  test-x11-packages
7eaf6c70e8487b40326858efe9a6cede  lbxproxy_4.1.0-16woody6_powerpc.deb
d027aec099ddc53fa7ca9e343c68163e  libdps-dev_4.1.0-16woody6_powerpc.deb
7426a90be3e1ab4521a0936c3fd97a9c  libdps1-dbg_4.1.0-16woody6_powerpc.deb
2c4328c9b53c408534f5b7e664f34de7  libdps1_4.1.0-16woody6_powerpc.deb
57afc54ca1cb13c8bf2dae55bb6a31ee  libxaw6-dbg_4.1.0-16woody6_powerpc.deb
d212615fe6cef3bdf1f6a1dbd43a7c99  libxaw6-dev_4.1.0-16woody6_powerpc.deb
e71a3371682dc101956a645115629c83  libxaw6_4.1.0-16woody6_powerpc.deb
ae63ca1629e7fbd108e2ecf164e03834  libxaw7-dbg_4.1.0-16woody6_powerpc.deb
e4e0b7bdb0455877fe387ff8280cc90a  libxaw7-dev_4.1.0-16woody6_powerpc.deb
a4ca4226ecaf53de53ffda14610951e5  libxaw7_4.1.0-16woody6_powerpc.deb
e6aa9713af00c7c807d54e6407e98b5a  proxymngr_4.1.0-16woody6_powerpc.deb
a9f8e7cdb313665cef17e218f03652c3  twm_4.1.0-16woody6_powerpc.deb
a099b36fdbf372132e8b07b39a6c75d1  x-window-system-core_4.1.0-16woody6_powerpc.deb
08a53813d34d9a2e5e74454c5f7e7c53  x-window-system_4.1.0-16woody6_all.deb
5be95fe04d680aa1f4717d0227a34f6c  xbase-clients_4.1.0-16woody6_powerpc.deb
fb26770ba4499739381d20bddd666f62  xdm_4.1.0-16woody6_powerpc.deb
a69ba7cf04cd93648c57e92fe5d67fa1  xfonts-100dpi-transcoded_4.1.0-16woody6_all.deb
ba27930aebe12207c6cc44ef44a87cdd  xfonts-100dpi_4.1.0-16woody6_all.deb
0f0faa942f6df46ff5a38908f21db063  xfonts-75dpi-transcoded_4.1.0-16woody6_all.deb
25cd64b4d052a7d1385be6ee9b372c01  xfonts-75dpi_4.1.0-16woody6_all.deb
fdcef7a8e491ed8123de040769a8e6d3  xfonts-base-transcoded_4.1.0-16woody6_all.deb
365fb081b267cd113804dc5084f37fdf  xfonts-base_4.1.0-16woody6_all.deb
fd9d3acaf63fa2a3b2f690a48a8a4a2b  xfonts-cyrillic_4.1.0-16woody6_all.deb
30b4a4293af19e2686f66469514cd739  xfonts-pex_4.1.0-16woody6_all.deb
5018c7dd32cc4f45d03e3129c43706d1  xfonts-scalable_4.1.0-16woody6_all.deb
12473d63f53c71aae0f13b63cbc161c2  xfree86-common_4.1.0-16woody6_all.deb
30487abd663a975a939c91657964104d  xfree86_4.1.0-16woody6.diff.gz
008341b53216f4243930c7ab9eefee78  xfree86_4.1.0-16woody6.dsc
768ea5dd8729b95a0ff1a7bd539cb60b  xfree86_4.1.0-16woody6_powerpc.build
bc2c2003f214a8a702537b4209efbe86  xfree86_4.1.0-16woody6_powerpc.changes
2494e069b22ee962edd06b8febf241e2  xfree86_4.1.0-16woody6_qa_install_purge.typescript
2a82f939e11da62740a6914cfd22074f  xfree86_4.1.0-16woody6_qa_upgrade_downgrade.typescript
2d031eb29080b082ce1eef1ecd5b76d4  xfs_4.1.0-16woody6_powerpc.deb
f77f6400d4bd0d192e5ae2c1d12e180d  xfwp_4.1.0-16woody6_powerpc.deb
7a75e5d70dc15331d3d14727eb61c05b  xlib6g-dev_4.1.0-16woody6_all.deb
84a188aabd59f70cae09e66601212fbe  xlib6g_4.1.0-16woody6_all.deb
d8e0aadb5730ec7d21c81d06c56b78e3  xlibmesa-dev_4.1.0-16woody6_powerpc.deb
600c6ac00706439591e8459c65628b5c  xlibmesa3-dbg_4.1.0-16woody6_powerpc.deb
83f7194c6dab6d3b877120ed97113f8c  xlibmesa3_4.1.0-16woody6_powerpc.deb
6e7183c6bce4dee1f4c5e42b89576b9b  xlibosmesa-dev_4.1.0-16woody6_powerpc.deb
e01430792026abc45d5db5f02de79f09  xlibosmesa3-dbg_4.1.0-16woody6_powerpc.deb
e607f4c0028644aca93f431944ad772a  xlibosmesa3_4.1.0-16woody6_powerpc.deb
2b94a31e879892260d6acd0d0148cd77  xlibs-dbg_4.1.0-16woody6_powerpc.deb
809d19f5c70c265ff4416091f53e0733  xlibs-dev_4.1.0-16woody6_powerpc.deb
df6bdf9bd2172fdd47b7207130bb9d91  xlibs-pic_4.1.0-16woody6_powerpc.deb
2fa3b758a4d1250f9c709caba2139eaf  xlibs_4.1.0-16woody6_powerpc.deb
6491f358a6a6b5ae76dfd5bf0c90bbbd  xmh_4.1.0-16woody6_powerpc.deb
af34c702efaa36f5539f7bd1fd367819  xnest_4.1.0-16woody6_powerpc.deb
581ddd926fa9aa1bf532947e0cd2a099  xprt_4.1.0-16woody6_powerpc.deb
e21b47ed2cdc09a6c6fbb58bc91ba58a  xserver-common_4.1.0-16woody6_powerpc.deb
7c876bccbdbc7930687bbe3085b0d6fd  xserver-xfree86_4.1.0-16woody6_powerpc.deb
adfd6a36e51dbddd5bc5890027bab8f4  xspecs_4.1.0-16woody6_all.deb
c327deb7b54d19021164e4c2d9eeea2a  xterm_4.1.0-16woody6_powerpc.deb
15634dc9627f24087eb9c6f8aa12f12d  xutils_4.1.0-16woody6_powerpc.deb
55eb652663a69e11c5b6fb21d4e66ad6  xvfb_4.1.0-16woody6_powerpc.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iEYEARECAAYFAkIxVVwACgkQ6kxmHytGonyExACfflsqZfc2zQJdYHXlCehhmwlk
3iNoaXlfWoJFkOyQZpnoAoIHhmi31gi5
=rr59
-----END PGP SIGNATURE-----

Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iEYEARECAAYFAkIxWFQACgkQ6kxmHytGony5CwCfUOqbwysGMDxBOGTEBepmZIHw
edjwfBpH3j+KfEXPIoJcAoKGOPoncxbp
=Jbsp
-----END PGP SIGNATURE-----
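The verification step the message asks the recipient to perform (verify the download with the GPG-signed MD5SUMS.txt), written out as an added example; this is editor-supplied code, not part of Branden's mail or of the Debian packaging. It assumes GnuPG and GNU coreutils (md5sum 8.15 or later, for --strict) are installed, that the signer's public key is already in the local keyring, and a hypothetical download directory holding MD5SUMS.txt next to the files it lists. The checksum list that md5sum reads is taken only from the payload GnuPG emits after verifying the signature, never from the unverified file, and the optional fingerprint argument is a placeholder the caller supplies.

```shell
#!/bin/sh
# Added example (not code from the message or from Debian): verify a
# GPG-clearsigned MD5SUMS.txt and then check the downloaded files
# against it.  Assumes GnuPG and GNU coreutils (md5sum >= 8.15 for
# --strict) are installed and the signer's public key is already in
# the local keyring.  Directory layout and fingerprint are hypothetical.

# Verify the clearsigned list and write the signed text to $2.
# gpg writes the payload even when the signature is BAD, so the result
# is decided by the VALIDSIG status line, not by the presence of the
# output file.  An optional third argument pins the expected key
# fingerprint: "valid signature from some key in my keyring" is not
# the same as "signed by the package maintainer".
verify_clearsigned() {
    signed=$1; out=$2; fpr=${3:-}
    gpg --batch --yes --status-fd 1 --output "$out" --decrypt "$signed" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $fpr"
}

# Check every file named in an already-verified checksum list.  Run
# from the list's directory so relative names resolve, and use --strict
# so a malformed line (a truncated or edited list) fails the check
# instead of being skipped with a warning.  Returns 0 only if every
# listed file exists and matches.
check_sums() {
    list=$1
    ( cd "$(dirname "$list")" && md5sum --check --strict "$(basename "$list")" ) >/dev/null 2>&1
}

# Full procedure for one download directory: signature first, then
# sums; nothing should be installed unless both succeed.
verify_download() {
    dir=$1; fpr=${2:-}
    verify_clearsigned "$dir/MD5SUMS.txt" "$dir/MD5SUMS.verified" "$fpr" || {
        echo "bad or untrusted signature on $dir/MD5SUMS.txt" >&2; return 1; }
    check_sums "$dir/MD5SUMS.verified" || {
        echo "checksum mismatch or malformed list in $dir" >&2; return 1; }
    echo "all files in $dir match the signed checksum list"
}

# Usage (hypothetical directory; substitute the maintainer's real
# fingerprint, which this example does not know):
#   verify_download ./CAN-2005-0605 <maintainer-fingerprint>
```

Two points worth noting: GnuPG's exit status alone is not a reliable "good signature" test across versions and configurations, so the script keys on the machine-readable VALIDSIG line; and md5sum -c without --strict exits 0 when the only problem is lines it could not parse, which is exactly what a damaged or partially replaced list looks like.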