Slackware Security Advisories
From: Slackware Security Team <security@slackware.com>
To: slackware-security@slackware.com
Subject: [slackware-security] X.Org pixmap overflow (SSA:2005-269-02)
Date: Mon, 26 Sep 2005 10:43:04 -0700 (PDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  X.Org pixmap overflow (SSA:2005-269-02)

New X.Org server packages are available for Slackware 10.0, 10.1, 10.2,
and -current to fix a security issue.  An integer overflow in the pixmap
handling code may allow the execution of arbitrary code through a
specially crafted pixmap.  Slackware 10.2 was patched against this
vulnerability before its release, but new server packages are being issued
for Slackware 10.2 and -current using an improved patch, as there were
some bug reports involving certain programs with the earlier patch.

More details about this issue may be found in the Common
Vulnerabilities and Exposures (CVE) database:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2495
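
The class of bug named above, shown as an added illustration (not code from X.Org or from this advisory): a pixmap byte count computed in 32-bit arithmetic wraps for large dimensions, so a buffer sized from it is smaller than the image it is meant to hold. The function names and the stride formula are assumptions made for this sketch; the checked version rejects the request before any multiplication can wrap.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative model only: names and the stride formula are assumptions,
 * not taken from the X.Org source. */

/* Unchecked: every step is 32-bit, so large inputs wrap modulo 2^32. */
static uint32_t pixmap_bytes_unchecked(uint32_t width, uint32_t height,
                                       uint32_t bits_per_pixel)
{
    uint32_t stride = (width * bits_per_pixel + 7u) / 8u; /* bytes per row */
    return stride * height;
}

/* Checked: refuse any request whose true size does not fit in 32 bits.
 * Returns 0 and stores the size in *out, or -1 to reject the request. */
static int pixmap_bytes_checked(uint32_t width, uint32_t height,
                                uint32_t bits_per_pixel, uint32_t *out)
{
    if (width == 0 || height == 0 || bits_per_pixel == 0)
        return -1;
    if (width > (UINT32_MAX - 7u) / bits_per_pixel)  /* row bits would wrap */
        return -1;
    uint32_t stride = (width * bits_per_pixel + 7u) / 8u;
    if (height > UINT32_MAX / stride)                /* total would wrap */
        return -1;
    *out = stride * height;
    return 0;
}

int main(void)
{
    /* Constructed inputs: an ordinary screen-sized pixmap and an oversized one. */
    uint32_t n = 0;
    printf("1024x768x32    checked=%d\n", pixmap_bytes_checked(1024, 768, 32, &n));
    printf("               bytes=%u\n", (unsigned)n);
    printf("32768x32769x32 unchecked bytes=%u (true size is 4295098368)\n",
           (unsigned)pixmap_bytes_unchecked(32768, 32769, 32));
    printf("32768x32769x32 checked=%d\n", pixmap_bytes_checked(32768, 32769, 32, &n));
    return 0;
}
```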


Here are the details from the Slackware 10.2 ChangeLog:
+--------------------------+
patches/packages/x11-6.8.2-i486-4.tgz:  Rebuilt with a modified patch for
  an earlier pixmap overflow issue.  The patch released by X.Org was
  slightly different than the one that was circulated previously, and is
  an improved version.  There have been reports that the earlier patch
  broke WINE and possibly some other programs.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2495
  (* Security fix *)
patches/packages/x11-xdmx-6.8.2-i486-4.tgz:  Patched and rebuilt.
patches/packages/x11-xnest-6.8.2-i486-4.tgz:  Patched and rebuilt.
patches/packages/x11-xvfb-6.8.2-i486-4.tgz:  Patched and rebuilt.
+--------------------------+


Where to find the new packages:
+-----------------------------+

Updated packages for Slackware 10.0:
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/x11-6.7.0-i486-5.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/x11-xnest-6.7.0-i486-5.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/x11-xprt-6.7.0-i486-5.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/x11-xvfb-6.7.0-i486-5.tgz

Updated packages for Slackware 10.1:
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/x11-6.8.1-i486-4.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/x11-xdmx-6.8.1-i486-4.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/x11-xnest-6.8.1-i486-4.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/x11-xvfb-6.8.1-i486-4.tgz

Updated packages for Slackware 10.2:
ftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/x11-6.8.2-i486-4.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/x11-xdmx-6.8.2-i486-4.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/x11-xnest-6.8.2-i486-4.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/x11-xvfb-6.8.2-i486-4.tgz

Updated packages for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/x/x11-6.8.2-i486-4.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/x/x11-xdmx-6.8.2-i486-4.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/x/x11-xnest-6.8.2-i486-4.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/x/x11-xvfb-6.8.2-i486-4.tgz


MD5 signatures:
+-------------+

Slackware 10.0 packages:
1bc91e0bcc5ec6a9c14d728c51183fd7  x11-6.7.0-i486-5.tgz
6180731d856ba85a3fc969db38a13b2b  x11-xnest-6.7.0-i486-5.tgz
712b35b6be7c7a9c842c0b8e1bdf8c83  x11-xprt-6.7.0-i486-5.tgz
5a90472a1b26654ba7bacfba36543b6d  x11-xvfb-6.7.0-i486-5.tgz

Slackware 10.1 packages:
8c4c1d22b905e1f6dfc8e4721fdf63ec  x11-6.8.1-i486-4.tgz
b99d32111d356b0d2aee411c225410a0  x11-xdmx-6.8.1-i486-4.tgz
32f38f8460e3497306a733bfa99734f4  x11-xnest-6.8.1-i486-4.tgz
0bbf1cef5073760df8a8da9ae62d8d9c  x11-xvfb-6.8.1-i486-4.tgz

Slackware 10.2 packages:
0eb01e379a10ff71e12839eab4d42e75  x11-6.8.2-i486-4.tgz
c62c307abeeea2a046294cc6ce034293  x11-xdmx-6.8.2-i486-4.tgz
96244507602c137f5fd068517e283c54  x11-xnest-6.8.2-i486-4.tgz
9504e79008fe9547f2e5a834f4466253  x11-xvfb-6.8.2-i486-4.tgz

Slackware -current packages:
0eb01e379a10ff71e12839eab4d42e75  x11-6.8.2-i486-4.tgz
c62c307abeeea2a046294cc6ce034293  x11-xdmx-6.8.2-i486-4.tgz
96244507602c137f5fd068517e283c54  x11-xnest-6.8.2-i486-4.tgz
9504e79008fe9547f2e5a834f4466253  x11-xvfb-6.8.2-i486-4.tgz


Installation instructions:
+------------------------+

Upgrade the packages as root:
# upgradepkg x11-6.8.2-i486-4.tgz

And, if you use these optional servers:

# upgradepkg x11-xdmx-6.8.2-i486-4.tgz
# upgradepkg x11-xnest-6.8.2-i486-4.tgz
# upgradepkg x11-xvfb-6.8.2-i486-4.tgz


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)

iD8DBQFDOCXPakRjwEAQIjMRAk72AJ4rHpa4inckd9GxNsO4LAVtJxADqQCfVNz+
oabAwaJZNygaGsf/T2z/Nz8=
=ijVo
-----END PGP SIGNATURE-----
