RHEL 3 : gtk2 (RHSA-2004:466)

This script is Copyright (C) 2004-2014 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing one or more security updates.

Description :

Updated gtk2 packages that fix several security flaws and bugs are now
available.

The gtk2 package contains the GIMP ToolKit (GTK+), a library for
creating graphical user interfaces for the X Window System.

During testing of a previously fixed flaw in Qt (CVE-2004-0691), a
flaw was discovered in the BMP image processor of gtk2. An attacker
could create a carefully crafted BMP file which would cause an
application to enter an infinite loop and not respond to user input
when the file was opened by a victim. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CVE-2004-0753
to this issue.

During a security audit Chris Evans discovered a stack and a heap
overflow in the XPM image decoder. An attacker could create a
carefully crafted XPM file which could cause an application linked
with gtk2 to crash or possibly execute arbitrary code when the file
was opened by a victim. (CVE-2004-0782, CVE-2004-0783)

Chris Evans also discovered an integer overflow in the ICO image
decoder. An attacker could create a carefully crafted ICO file which
could cause an application linked with gtk2 to crash when the file was
opened by a victim. (CVE-2004-0788)

This updated gtk2 package also fixes a few key combination bugs on
various X servers, such as Hummingbird, ReflectionX, and X-Win32. If a
server was configured to use the Swiss German, Swiss French, or France
French keyboard layouts, Mode_Switched characters were unable to be
entered within GTK based applications.

Users of gtk2 are advised to upgrade to these packages which contain
backported patches and are not vulnerable to these issues.

See also :

https://www.redhat.com/security/data/cve/CVE-2004-0753.html
https://www.redhat.com/security/data/cve/CVE-2004-0782.html
https://www.redhat.com/security/data/cve/CVE-2004-0783.html
https://www.redhat.com/security/data/cve/CVE-2004-0788.html
http://bugzilla.gnome.org/show_bug.cgi?id=150601
http://bugzilla.gnome.org/show_bug.cgi?id=144808
http://rhn.redhat.com/errata/RHSA-2004-466.html

Solution :

Update the affected gtk2 and / or gtk2-devel packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

Family: Red Hat Local Security Checks

Nessus Plugin ID: 14734 ()

Bugtraq ID:

CVE ID: CVE-2004-0753
CVE-2004-0782
CVE-2004-0783
CVE-2004-0788