Scientific Linux Security Update : gtk2 on SL5.x i386/x86_64

This script is Copyright (C) 2013 Tenable Network Security, Inc.


Synopsis :

The remote Scientific Linux host is missing one or more security
updates.

Description :

An integer overflow flaw was found in the X BitMap (XBM) image file
loader in GTK+. A remote attacker could provide a specially-crafted
XBM image file that, when opened in an application linked against GTK+
(such as Nautilus), would cause the application to crash.
(CVE-2012-2370)
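The flaw class above is a size computation that wraps before the allocation it guards. The following is an added illustration written for this page, not the GTK+ or gdk-pixbuf loader and not the exact CVE-2012-2370 code path: a minimal in-memory XBM header parser with an unchecked 32-bit width*height computation beside an overflow-checked one. The 1-byte-per-pixel decode buffer, the INT_MAX byte budget, the function names and the sample files are all assumptions chosen to make the bug class visible.

```c
/* Added illustration for this advisory: a minimal in-memory XBM header
 * parser with an unchecked and a checked size computation side by side.
 * NOT the GTK+/gdk-pixbuf loader and not the exact CVE-2012-2370 defect;
 * the 1-byte-per-pixel buffer and the INT_MAX cap are assumptions. */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct xbm_header {
    long width;
    long height;
};

/* Pull "#define <name>_width W" and "#define <name>_height H" out of an
 * XBM file held in memory. Returns 1 on success, 0 if either is missing
 * or non-positive. Other #define lines (x_hot, y_hot) are ignored. */
static int xbm_parse_header(const char *data, struct xbm_header *hdr)
{
    const char *p = data;
    int have_w = 0, have_h = 0;

    hdr->width = hdr->height = 0;
    while ((p = strstr(p, "#define ")) != NULL) {
        char name[64];
        int consumed = 0;
        char *end;
        long v;
        size_t n;

        p += 8;
        if (sscanf(p, "%63s%n", name, &consumed) != 1)
            continue;
        errno = 0;
        v = strtol(p + consumed, &end, 10);
        if (errno != 0 || end == p + consumed)
            continue;               /* no number, or out of range for long */
        n = strlen(name);
        if (n > 6 && strcmp(name + n - 6, "_width") == 0) {
            hdr->width = v;
            have_w = 1;
        } else if (n > 7 && strcmp(name + n - 7, "_height") == 0) {
            hdr->height = v;
            have_h = 1;
        }
    }
    return have_w && have_h && hdr->width > 0 && hdr->height > 0;
}

/* The bug class: dimensions multiplied in 32-bit arithmetic. 65536 x 65537
 * pixels wraps to 65536, so a loader that malloc()s this many bytes and
 * then writes width*height pixels runs off the end of the heap block. */
static uint32_t xbm_size_unchecked(const struct xbm_header *hdr)
{
    uint32_t w = (uint32_t)hdr->width, h = (uint32_t)hdr->height;
    return w * h;               /* unsigned wrap: well-defined, but wrong */
}

/* Hardened form: validate before multiplying. Dimensions must be positive
 * and the product must fit under an explicit byte budget (INT_MAX here,
 * an assumed cap), tested by division so the check itself cannot wrap. */
#define XBM_MAX_BYTES ((size_t)INT_MAX)

static int xbm_size_checked(const struct xbm_header *hdr, size_t *out)
{
    size_t w, h;

    if (hdr->width <= 0 || hdr->height <= 0)
        return 0;
    w = (size_t)hdr->width;
    h = (size_t)hdr->height;
    if (w > XBM_MAX_BYTES / h)  /* w*h would exceed the budget */
        return 0;
    *out = w * h;
    return 1;
}

/* Constructed sample inputs (not real-world files). */
const char *const XBM_SAMPLE_OK =
    "#define ok_width 16\n"
    "#define ok_height 8\n"
    "static unsigned char ok_bits[] = { 0xff, 0x00 };\n";
const char *const XBM_SAMPLE_CRAFTED =
    "#define evil_width 65536\n"
    "#define evil_height 65537\n"
    "static unsigned char evil_bits[] = { 0x00 };\n";
const char *const XBM_SAMPLE_TRUNCATED =
    "#define half_width 10\n";

/* Parse + size in one call; -1 means the file was rejected. */
long long xbm_unchecked_size_of(const char *data)
{
    struct xbm_header h;
    if (!xbm_parse_header(data, &h))
        return -1;
    return (long long)xbm_size_unchecked(&h);
}

long long xbm_checked_size_of(const char *data)
{
    struct xbm_header h;
    size_t n;
    if (!xbm_parse_header(data, &h) || !xbm_size_checked(&h, &n))
        return -1;
    return (long long)n;
}

int main(void)
{
    printf("ok:      unchecked %lld  checked %lld\n",
           xbm_unchecked_size_of(XBM_SAMPLE_OK), xbm_checked_size_of(XBM_SAMPLE_OK));
    printf("crafted: unchecked %lld  checked %lld\n",
           xbm_unchecked_size_of(XBM_SAMPLE_CRAFTED), xbm_checked_size_of(XBM_SAMPLE_CRAFTED));
    return 0;
}
```

The crafted header parses cleanly in both paths; the difference is that the unchecked product hands 65536 bytes to the allocator for a 4 GiB image, while the checked one refuses it before any allocation. In a real loader the check belongs wherever the dimension-derived size is first used, and the budget should be whatever the surrounding code can actually address on the smallest supported platform.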

This update also fixes the following bugs :

- Due to a bug in the Input Method GTK+ module, the usage
of the Taiwanese Big5 (zh_TW.Big-5) locale led to the
unexpected termination of certain applications, such as
the GDM greeter. The bug has been fixed, and the
Taiwanese locale no longer causes applications to
terminate unexpectedly.

- When a file was initially selected after the GTK+ file
chooser dialog was opened and the Location field was
visible, pressing the Enter key did not open the file.
With this update, the initially selected file is opened
regardless of the visibility of the Location field.

- When a directory was initially selected after the GTK+
file chooser dialog was opened and the Location field was
visible, pressing the Enter key did not change into that
directory. With this update, the dialog changes into the
initially selected directory regardless of the
visibility of the Location field.

- Previously, the GTK Print dialog did not reflect the
user-defined printer preferences stored in the
~/.cups/lpoptions file, such as those set in the Default
Printer preferences panel. Consequently, the first
device in the printer list was always set as a default
printer. With this update, the underlying source code
has been enhanced to parse the option file. As a result,
the default values in the print dialog are set to those
previously specified by the user.

- The GTK+ file chooser did not properly handle saving of
nameless files. Consequently, attempting to save a file
without specifying a file name caused GTK+ to become
unresponsive. With this update, an explicit test for
this condition has been added into the underlying source
code. As a result, GTK+ no longer hangs in the described
scenario.

- When using certain graphics tablets, the GTK+ library
incorrectly translated the input coordinates.
Consequently, an offset occurred between the position of
the pen and the content drawn on the screen. This issue
was limited to the following configuration: a Wacom
tablet with input coordinates bound to a single monitor
in a dual head configuration, drawing with a pen with
the pressure sensitivity option enabled. With this
update, the coordinate translation method has been
changed, and the offset is no longer present in the
described configuration.

- Previously, performing drag and drop operations on tabs
in applications using the GtkNotebook widget could lead
to releasing the same resource twice. Eventually, this
behavior caused the applications to terminate with a
segmentation fault. This bug has been fixed, and the
applications using GtkNotebook no longer terminate in
the aforementioned scenario.

All users of GTK+ are advised to upgrade to these updated packages,
which contain backported patches to correct these issues.

See also :

http://www.nessus.org/u?a42d7256

Solution :

Update the affected gtk2, gtk2-debuginfo and / or gtk2-devel packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

Family: Scientific Linux Local Security Checks

Nessus Plugin ID: 63595

Bugtraq ID:

CVE ID: CVE-2012-2370