Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » [CLA-2002:548] Conectiva Linux Security Announcement - windowmaker

[CLA-2002:548] Conectiva Linux Security Announcement - windowmaker

by Nikola Strahija on November 18th, 2002 Window Maker[1] is a very popular window manager. Al Viro reported a vulnerability[2] in a function that is used when Window Maker loads images. This function is used, for example, when a new background image is configured, and when previewing themes.


This function calculates the ammount of memory necessary to load the
image by doing a multiplication. It does not, however, check the
result of this multiplication, which could suffer an integer overflow
and not fit into the destination variable. Given a sufficiently large
height and/or width parameter, a less than needed ammount of memory
would be allocated, which would result in a buffer overflow later on
when the image is actually loaded.

A possible scenario for this vulnerability could be that of an
attacker making a specially crafted image available and convincing an
unsuspecting user to set it as a background image.


SOLUTION
It is recommended that all Window Maker users upgrade their
packages.

IMPORTANT: if Window Maker is in use during the update, it will have
to be restarted manually. This can be done via the "Exit -> Restart"
menu.


REFERENCES
1. http://www.windowmaker.org/
2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1277


DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/WindowMaker-0.62.1-13U60_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/WindowMaker-0.62.1-13U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/WindowMaker-devel-0.62.1-13U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/WindowMaker-0.65.1-2U70_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/WindowMaker-0.65.1-2U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/WindowMaker-devel-0.65.1-2U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/WindowMaker-devel-static-0.65.1-2U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/WindowMaker-doc-0.65.1-2U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/WindowMaker-0.80.0-3U80_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/WindowMaker-0.80.0-3U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/WindowMaker-devel-0.80.0-3U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/WindowMaker-devel-static-0.80.0-3U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/WindowMaker-doc-0.80.0-3U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/libwraster-2.2.0-13U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/libwraster-devel-2.2.0-13U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/libwraster-devel-static-2.2.0-13U80_1cl.i386.rpm


ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to perform
upgrades of RPM packages:
- add the following line to /etc/apt/sources.list if it is not there yet
(you may also use linuxconf to do this):

rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

- run: apt-get update
- after that, execute: apt-get upgrade

Detailed instructions reagarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
subscribe: [email protected]
unsubscribe: [email protected]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE92PTo42jd0JmAcZARAuaiAJ9fFjBSaM+nIbyEETz0owqzgv1jOQCgoO/M
JMwiprOgrWPFCrAODLMuUOA=
=vtFt
-----END PGP SIGNATURE-----


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »