Note: This is an archival copy of Security Sun Alert 201606 as previously published on http://sunsolve.sun.com. Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001205.1. |
Category Security Release Phase Resolved 5075227 Date of Workaround Release 06-AUG-2004 Date of Resolved Release 14-OCT-2004 Impact Multiple vulnerabilities in libpng(3) may allow a remote unprivileged user to execute arbitrary code with the privileges of a local user, when that local user has loaded a Portable Network Graphics (PNG) format image file (.png) supplied by an untrusted remote user. The PNG file may be picked up in email or loaded from an untrusted web site. Note: The Portable Network Graphics library (libpng(3)) is used to manipulate and display graphics. Many applications may have been dynamically linked to this library. This issue is described in the following documents: Technical Cyber Security Alert TA04-217A at http://www.us-cert.gov/cas/techalerts/TA04-217A.html Chris Evans Security Advisory 2004.1 at http://scary.beasts.org/security/CESA-2004-001.txt US-CERT Vulnerability Note VU#388984 at http://www.kb.cert.org/vuls/id/388984 US-CERT Vulnerability Note VU#817368 at http://www.kb.cert.org/vuls/id/817368 US-CERT Vulnerability Note VU#286464 at http://www.kb.cert.org/vuls/id/286484 US-CERT Vulnerability Note VU#477512 at http://www.kb.cert.org/vuls/id/477512 US-CERT Vulnerability Note VU#160448 at http://www.kb.cert.org/vuls/id/160448 US-CERT Vulnerability Note VU#236656 at http://www.kb.cert.org/vuls/id/236656 CVE CAN-2004-0597 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597 Contributing Factors This issue can occur in the following releases: SPARC Platform
x86 Platform
Linux Platform
Note: Solaris 7 is not affected by this issue. To determine the version of GNOME that is currently installed on the system, run the following command (output will vary by platform): % grep description /usr/share/gnome/gnome-about/gnome-version.xml <description>fcs-10b</description> for GNOME 2.0 releases <description>2.0.0_patch-us2</description> or: <description>s9u4s-2_0_2-08</description> for GNOME 2.0.2 on SPARC <description>s9u4s-2_0_2_patch-18</description> or: <description>s9u4x-2_0_2-08</description> for GNOME 2.0.2 Intel <description>s9u4x-2_0_2_patch-18</description> Alternatively (for the same results), in a terminal window from within the GNOME desktop, the following command can be run: % /usr/bin/gnome-about To determine the release of JDS for Linux currently installed on your system, the following command can be run: % cat /etc/sun-release Sun Java Desktop System, Release 2 -build 10b (GA) Assembled 30 March 2004 Symptoms There are no reliable symptoms that would indicate the described issue has been exploited. Workaround There are two options to work around the described issue:
Resolution This issue is addressed in the following releases: SPARC Platform
Note: Both patches for GNOME 2.0 on Solaris 9 must be installed to resolve this issue (114818-06 is 32-bit; 114820-05 is 64-bit). x86 Platform
Linux Platform
To download and install the updated RPMs from the update servers, select the following from the "launch" bar: Launch >> Applications >> System Tools >> Online Update Modification History Date: 14-OCT-2004
Date: 18-AUG-2004
Product GNOME 2.0 Desktop References114816-02114817-02 114818-06 114819-06 114820-04 114822-04 Attachments This solution has no attachment |
|