[RHSA-2004:414-01] Updated qt packages fix security issues

bugzilla at redhat.com bugzilla at redhat.com
Fri Aug 20 20:51:00 UTC 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated qt packages fix security issues
Advisory ID:       RHSA-2004:414-01
Issue date:        2004-08-20
Updated on:        2004-08-20
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2004-0691 CAN-2004-0692 CAN-2004-0693
- ---------------------------------------------------------------------

1. Summary:

Updated qt packages that fix security issues in several of the image
decoders are now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

Qt is a software toolkit that simplifies the task of writing and
maintaining GUI (Graphical User Interface) applications for the X Window
System.

During a security audit, Chris Evans discovered a heap overflow in the BMP
image decoder in Qt versions prior to 3.3.3.   An attacker could create a
carefully crafted BMP file in such a way that it would cause an application
linked with Qt to crash or possibly execute arbitrary code when the file
was opened by a victim.  The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0691 to this issue.

Additionally, various flaws were discovered in the GIF, XPM, and JPEG
decoders in Qt versions prior to 3.3.3. An attacker could create carefully
crafted image files in such a way that it could cause an application linked
against Qt to crash when the file was opened by a victim.  The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
names CAN-2004-0692 and CAN-2004-0693 to these issues.

Users of Qt should update to these updated packages which contain
backported patches and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.  Use Red Hat
Network to download and update your packages.  To launch the Red Hat
Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

    http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

128720 - CAN-2004-0691 BMP decoder heap overflow

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/qt-2.3.1-10.src.rpm
3b684906082e180dddd38404dca633f4  qt-2.3.1-10.src.rpm

i386:
4abae89892524349c1413e9edfe1c580  qt-2.3.1-10.i386.rpm
f8a7bc552d89a93c8de95d31bbf3fb6c  qt-Xt-2.3.1-10.i386.rpm
ba3283b0ecab676ca709746c7b9aad17  qt-designer-2.3.1-10.i386.rpm
f9542947d96f0a40694026bddc6088b3  qt-devel-2.3.1-10.i386.rpm
08a3108d33c0391926515c8831e80e32  qt-static-2.3.1-10.i386.rpm

ia64:
7a5212ecdd3bdfd6e7c22430cab707ca  qt-2.3.1-10.ia64.rpm
163badec57860c0751ee49a74a863197  qt-Xt-2.3.1-10.ia64.rpm
62890a5783dea02beb1bd19e2c2b9476  qt-designer-2.3.1-10.ia64.rpm
4dc9f6a9177f16561371b41701cc8ca3  qt-devel-2.3.1-10.ia64.rpm
f5bb921423a761d4412a45d8407960e9  qt-static-2.3.1-10.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/qt-2.3.1-10.src.rpm
3b684906082e180dddd38404dca633f4  qt-2.3.1-10.src.rpm

ia64:
7a5212ecdd3bdfd6e7c22430cab707ca  qt-2.3.1-10.ia64.rpm
163badec57860c0751ee49a74a863197  qt-Xt-2.3.1-10.ia64.rpm
62890a5783dea02beb1bd19e2c2b9476  qt-designer-2.3.1-10.ia64.rpm
4dc9f6a9177f16561371b41701cc8ca3  qt-devel-2.3.1-10.ia64.rpm
f5bb921423a761d4412a45d8407960e9  qt-static-2.3.1-10.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/qt-2.3.1-10.src.rpm
3b684906082e180dddd38404dca633f4  qt-2.3.1-10.src.rpm

i386:
4abae89892524349c1413e9edfe1c580  qt-2.3.1-10.i386.rpm
f8a7bc552d89a93c8de95d31bbf3fb6c  qt-Xt-2.3.1-10.i386.rpm
ba3283b0ecab676ca709746c7b9aad17  qt-designer-2.3.1-10.i386.rpm
f9542947d96f0a40694026bddc6088b3  qt-devel-2.3.1-10.i386.rpm
08a3108d33c0391926515c8831e80e32  qt-static-2.3.1-10.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/qt-2.3.1-10.src.rpm
3b684906082e180dddd38404dca633f4  qt-2.3.1-10.src.rpm

i386:
4abae89892524349c1413e9edfe1c580  qt-2.3.1-10.i386.rpm
f8a7bc552d89a93c8de95d31bbf3fb6c  qt-Xt-2.3.1-10.i386.rpm
ba3283b0ecab676ca709746c7b9aad17  qt-designer-2.3.1-10.i386.rpm
f9542947d96f0a40694026bddc6088b3  qt-devel-2.3.1-10.i386.rpm
08a3108d33c0391926515c8831e80e32  qt-static-2.3.1-10.i386.rpm

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/qt-3.1.2-13.4.src.rpm
f798532e2259e3027eb64a86f471c989  qt-3.1.2-13.4.src.rpm

i386:
171e31325a6974fe6b3161b0dd935e05  qt-3.1.2-13.4.i386.rpm
53450013bb108936c88d7a68797400b5  qt-MySQL-3.1.2-13.4.i386.rpm
c5372ac10529b611504c48fd1876d32a  qt-config-3.1.2-13.4.i386.rpm
dde05008907a4402aeec64bd1fef25d8  qt-designer-3.1.2-13.4.i386.rpm
7e9621c8793aeece8c6697a301fdaf85  qt-devel-3.1.2-13.4.i386.rpm

ia64:
0162f98d41303ed47435fd634a49aa16  qt-3.1.2-13.4.ia64.rpm
83f81146ad6ff84575f221104e109a10  qt-MySQL-3.1.2-13.4.ia64.rpm
0b81a3f2c8ab00775d533c30129fe314  qt-config-3.1.2-13.4.ia64.rpm
d7ff6cb677ea02273909f44018a4de02  qt-designer-3.1.2-13.4.ia64.rpm
c93acbc881f899cbd944f74c2710c1dd  qt-devel-3.1.2-13.4.ia64.rpm

ppc:
342ed7861c4723143f22841155837163  qt-3.1.2-13.4.ppc.rpm
f95779e3c785a8ca620b795a50c3a2b7  qt-MySQL-3.1.2-13.4.ppc.rpm
d89c0631d249d3596cb0b7f3715d8c71  qt-config-3.1.2-13.4.ppc.rpm
b5c58797337ec1c953a127d145241d70  qt-designer-3.1.2-13.4.ppc.rpm
4138557b0f597ede980c64e4e74debd3  qt-devel-3.1.2-13.4.ppc.rpm

s390:
57951d45d98f46fe6f2326b16f23ea1b  qt-3.1.2-13.4.s390.rpm
98b7677e8b7fa4d84583cfe8e92a91f4  qt-MySQL-3.1.2-13.4.s390.rpm
b9f50cd8f014e9e39249dbfbe17b1398  qt-config-3.1.2-13.4.s390.rpm
2c140a0776e2ce98c273b7e628d86d23  qt-designer-3.1.2-13.4.s390.rpm
5e23428d4621c10ca60bf29d7d2a6ed7  qt-devel-3.1.2-13.4.s390.rpm

s390x:
8f95df939142d43f0078f5a770850bb2  qt-3.1.2-13.4.s390x.rpm
5cc08910b564eed93b3f78c05261a176  qt-MySQL-3.1.2-13.4.s390x.rpm
73c6e602b9a45864a82d16314deba9c0  qt-config-3.1.2-13.4.s390x.rpm
eae10bfa4b34cfbfd29f09e4d7368728  qt-designer-3.1.2-13.4.s390x.rpm
fff3b6f404743fa76b5ba21f3a18e20d  qt-devel-3.1.2-13.4.s390x.rpm

x86_64:
24fbbe3a8cc3a9636e64cbecb62c52c1  qt-3.1.2-13.4.x86_64.rpm
b4ca1ae5a331c4d30d75d2dcd1e53280  qt-MySQL-3.1.2-13.4.x86_64.rpm
a684d66936b37ed87281ce2f8a49448b  qt-config-3.1.2-13.4.x86_64.rpm
d945dc65e4120b87f0fa6c0a77c129ee  qt-designer-3.1.2-13.4.x86_64.rpm
814f662f0561c1dc07cb60a287487494  qt-devel-3.1.2-13.4.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/qt-3.1.2-13.4.src.rpm
f798532e2259e3027eb64a86f471c989  qt-3.1.2-13.4.src.rpm

i386:
171e31325a6974fe6b3161b0dd935e05  qt-3.1.2-13.4.i386.rpm
53450013bb108936c88d7a68797400b5  qt-MySQL-3.1.2-13.4.i386.rpm
c5372ac10529b611504c48fd1876d32a  qt-config-3.1.2-13.4.i386.rpm
dde05008907a4402aeec64bd1fef25d8  qt-designer-3.1.2-13.4.i386.rpm
7e9621c8793aeece8c6697a301fdaf85  qt-devel-3.1.2-13.4.i386.rpm

x86_64:
24fbbe3a8cc3a9636e64cbecb62c52c1  qt-3.1.2-13.4.x86_64.rpm
b4ca1ae5a331c4d30d75d2dcd1e53280  qt-MySQL-3.1.2-13.4.x86_64.rpm
a684d66936b37ed87281ce2f8a49448b  qt-config-3.1.2-13.4.x86_64.rpm
d945dc65e4120b87f0fa6c0a77c129ee  qt-designer-3.1.2-13.4.x86_64.rpm
814f662f0561c1dc07cb60a287487494  qt-devel-3.1.2-13.4.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/qt-3.1.2-13.4.src.rpm
f798532e2259e3027eb64a86f471c989  qt-3.1.2-13.4.src.rpm

i386:
171e31325a6974fe6b3161b0dd935e05  qt-3.1.2-13.4.i386.rpm
53450013bb108936c88d7a68797400b5  qt-MySQL-3.1.2-13.4.i386.rpm
c5372ac10529b611504c48fd1876d32a  qt-config-3.1.2-13.4.i386.rpm
dde05008907a4402aeec64bd1fef25d8  qt-designer-3.1.2-13.4.i386.rpm
7e9621c8793aeece8c6697a301fdaf85  qt-devel-3.1.2-13.4.i386.rpm

ia64:
0162f98d41303ed47435fd634a49aa16  qt-3.1.2-13.4.ia64.rpm
83f81146ad6ff84575f221104e109a10  qt-MySQL-3.1.2-13.4.ia64.rpm
0b81a3f2c8ab00775d533c30129fe314  qt-config-3.1.2-13.4.ia64.rpm
d7ff6cb677ea02273909f44018a4de02  qt-designer-3.1.2-13.4.ia64.rpm
c93acbc881f899cbd944f74c2710c1dd  qt-devel-3.1.2-13.4.ia64.rpm

x86_64:
24fbbe3a8cc3a9636e64cbecb62c52c1  qt-3.1.2-13.4.x86_64.rpm
b4ca1ae5a331c4d30d75d2dcd1e53280  qt-MySQL-3.1.2-13.4.x86_64.rpm
a684d66936b37ed87281ce2f8a49448b  qt-config-3.1.2-13.4.x86_64.rpm
d945dc65e4120b87f0fa6c0a77c129ee  qt-designer-3.1.2-13.4.x86_64.rpm
814f662f0561c1dc07cb60a287487494  qt-devel-3.1.2-13.4.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/qt-3.1.2-13.4.src.rpm
f798532e2259e3027eb64a86f471c989  qt-3.1.2-13.4.src.rpm

i386:
171e31325a6974fe6b3161b0dd935e05  qt-3.1.2-13.4.i386.rpm
53450013bb108936c88d7a68797400b5  qt-MySQL-3.1.2-13.4.i386.rpm
c5372ac10529b611504c48fd1876d32a  qt-config-3.1.2-13.4.i386.rpm
dde05008907a4402aeec64bd1fef25d8  qt-designer-3.1.2-13.4.i386.rpm
7e9621c8793aeece8c6697a301fdaf85  qt-devel-3.1.2-13.4.i386.rpm

ia64:
0162f98d41303ed47435fd634a49aa16  qt-3.1.2-13.4.ia64.rpm
83f81146ad6ff84575f221104e109a10  qt-MySQL-3.1.2-13.4.ia64.rpm
0b81a3f2c8ab00775d533c30129fe314  qt-config-3.1.2-13.4.ia64.rpm
d7ff6cb677ea02273909f44018a4de02  qt-designer-3.1.2-13.4.ia64.rpm
c93acbc881f899cbd944f74c2710c1dd  qt-devel-3.1.2-13.4.ia64.rpm

x86_64:
24fbbe3a8cc3a9636e64cbecb62c52c1  qt-3.1.2-13.4.x86_64.rpm
b4ca1ae5a331c4d30d75d2dcd1e53280  qt-MySQL-3.1.2-13.4.x86_64.rpm
a684d66936b37ed87281ce2f8a49448b  qt-config-3.1.2-13.4.x86_64.rpm
d945dc65e4120b87f0fa6c0a77c129ee  qt-designer-3.1.2-13.4.x86_64.rpm
814f662f0561c1dc07cb60a287487494  qt-devel-3.1.2-13.4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key.html#package

7. References:

http://www.trolltech.com/developer/changes/changes-3.3.3.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0691
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0692
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0693

8. Contact:

The Red Hat security contact is <secalert at redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBJmRMXlSAg2UNWIIRAgGuAJ47rSXO5ljKjG461jEUAjUr9ZHx2ACfQHpe
Modu9FzeCeLUxURKIEw7nSc=
=AEdV
-----END PGP SIGNATURE-----





More information about the Enterprise-watch-list mailing list