Slackware Linux Advisories: imagemagick, Mozilla, sox, libpng

[slackware-security] imagemagick (SSA:2004-223-02)

New imagemagick packages are available for Slackware 9.1, 10.0,
and -current to fix security issues with PNG images.

More details about the issues with PNG may be found in the
Common Vulnerabilities and Exposures (CVE) database:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599

Here are the details from the Slackware 10.0 ChangeLog:
+--------------------------+
Sat Aug 7 17:17:20 AKDT 2004
patches/packages/imagemagick-6.0.4_3-i486-1.tgz: Upgraded to
ImageMagick-6.0.4-3. Fixes PNG security issues.
(* Security fix *)
+--------------------------+

Where to find the new packages:

Updated package for Slackware 9.1:

ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/imagemagick-5.5.7_25-i486-1.tgz

Updated package for Slackware 10.0:

ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/imagemagick-6.0.4_3-i486-1.tgz

Updated package for Slackware -current:

ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/imagemagick-6.0.4_3-i486-1.tgz

MD5 signatures:

Slackware 9.1 package:
52903d349dcbaf3be88d19c8aa05dbbf imagemagick-5.5.7_25-i486-1.tgz

Slackware 10.0 package:
ad5531a33331029dcc7013b72f8ec792 imagemagick-6.0.4_3-i486-1.tgz

Slackware -current package:
ad5531a33331029dcc7013b72f8ec792 imagemagick-6.0.4_3-i486-1.tgz

Installation instructions:

Upgrade the package as root:
# upgradepkg imagemagick-6.0.4_3-i486-1.tgz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

[slackware-security] Mozilla (SSA:2004-223-01)

New Mozilla packages are available for Slackware 9.1, 10.0, and
-current to fix a number of security issues. Slackware 10.0 and
-current were upgraded to Mozilla 1.7.2, and Slackware 9.1 was
upgraded to Mozilla 1.4.3. As usual, new versions of Mozilla
require new versions of things that link with the Mozilla
libraries, so for Slackware 10.0 and -current new versions of
epiphany, galeon, gaim, and mozilla-plugins have also been
provided. There don’t appear to be epiphany and galeon versions
that are compatible with Mozilla 1.4.3 and the GNOME in Slackware
9.1, so these are not provided and Epiphany and Galeon will be
broken on Slackware 9.1 if the new Mozilla package is installed.
Furthermore, earlier versions of Mozilla (such as the 1.3 series)
were not fixed upstream, so versions of Slackware earlier than 9.1
will remain vulnerable to these browser issues. If you still use
Slackware 9.0 or earlier, you may want to consider removing Mozilla
or upgrading to a newer version.

More details about these issues may be found in the Common
Vulnerabilities and Exposures (CVE) database:

Issues fixed in Mozilla 1.7.2:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0763

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0758

Issues fixed in Mozilla 1.4.3:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0718

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0722

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0757

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0758

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0759

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0760

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0761

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0762

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0763

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0764

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0765

Here are the details from the Slackware 10.0 ChangeLog:
+--------------------------+
Mon Aug 9 01:56:43 PDT 2004
patches/packages/epiphany-1.2.7-i486-1.tgz: Upgraded to
epiphany-1.2.7.
(compiled against Mozilla 1.7.2)
patches/packages/gaim-0.81-i486-1.tgz: Upgraded to gaim-0.81.
(compiled against Mozilla 1.7.2)
patches/packages/galeon-1.3.17-i486-1.tgz: Upgraded to
galeon-1.3.17.
(compiled against Mozilla 1.7.2)
patches/packages/mozilla-1.7.2-i486-1.tgz: Upgraded to Mozilla
1.7.2. This fixes three security vulnerabilities. For details,
see:

http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.2

(* Security fix *)
patches/packages/mozilla-plugins-1.7.2-noarch-1.tgz: Changed plugin
symlinks for Mozilla 1.7.2.
+--------------------------+

Where to find the new packages:

Updated packages for Slackware 9.1:

ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/mozilla-1.4.3-i486-1.tgz


ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/mozilla-plugins-1.4.3-noarch-1.tgz

Updated packages for Slackware 10.0:

ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/mozilla-1.7.2-i486-1.tgz


ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/mozilla-plugins-1.7.2-noarch-1.tgz


ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/epiphany-1.2.7-i486-1.tgz


ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/gaim-0.81-i486-1.tgz


ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/galeon-1.3.17-i486-1.tgz

Updated packages for Slackware -current:

ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/mozilla-1.7.2-i486-1.tgz


ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/mozilla-plugins-1.7.2-noarch-1.tgz


ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/gnome/epiphany-1.2.7-i486-1.tgz


ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/gnome/galeon-1.3.17-i486-1.tgz


ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/gaim-0.81-i486-1.tgz

MD5 signatures:

Slackware 9.1 packages:
29515193166b9b618be405a71b5e9a59 mozilla-1.4.3-i486-1.tgz
49d537be814de72a3d62a5cc9f6e3b15 mozilla-plugins-1.4.3-noarch-1.tgz

Slackware 10.0 packages:
612a65758f03fe08a44e004b1ae92d70 mozilla-1.7.2-i486-1.tgz
55da20d3c7acdd50a3b4abfe12191069 mozilla-plugins-1.7.2-noarch-1.tgz
86034039fbf6b52584e05701a0598ca4 epiphany-1.2.7-i486-1.tgz
c3f238fdba8684948d8817d7cf0db567 gaim-0.81-i486-1.tgz
0e8393b8f1b992dc7804fe925a839755 galeon-1.3.17-i486-1.tgz

Slackware -current packages:
612a65758f03fe08a44e004b1ae92d70 mozilla-1.7.2-i486-1.tgz
55da20d3c7acdd50a3b4abfe12191069 mozilla-plugins-1.7.2-noarch-1.tgz
86034039fbf6b52584e05701a0598ca4 epiphany-1.2.7-i486-1.tgz
0e8393b8f1b992dc7804fe925a839755 galeon-1.3.17-i486-1.tgz
ddb7281b985c6b7efb20afc69e5c2ffb gaim-0.81-i486-1.tgz

Installation instructions:

Upgrade the packages as root:
# upgradepkg mozilla-1.7.2-i486-1.tgz mozilla-plugins-1.7.2-noarch-1.tgz epiphany-1.2.7-i486-1.tgz gaim-0.81-i486-1.tgz galeon-1.3.17-i486-1.tgz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

[slackware-security] sox (SSA:2004-223-03)

New sox packages are available for Slackware 8.1, 9.0, 9.1,
10.0, and -current to fix buffer overflow security issues that
could allow a malicious WAV file to execute arbitrary code.

Here are the details from the Slackware 10.0 ChangeLog:
+--------------------------+
Sat Aug 7 17:17:20 AKDT 2004
patches/packages/sox-12.17.4-i486-3.tgz: Patched buffer overflows
that could allow a malicious WAV file to execute arbitrary
code.
(* Security fix *)
+--------------------------+

Where to find the new packages:

Updated package for Slackware 8.1:

ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/sox-12.17.4-i386-3.tgz

Updated package for Slackware 9.0:

ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/sox-12.17.4-i386-3.tgz

Updated package for Slackware 9.1:

ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/sox-12.17.4-i486-3.tgz

Updated package for Slackware 10.0:

ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/sox-12.17.4-i486-3.tgz

Updated package for Slackware -current:

ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/ap/sox-12.17.4-i486-3.tgz

MD5 signatures:

Slackware 8.1 package:
08b8e2ba8d34b959c18130bbb44c2fcd sox-12.17.4-i386-3.tgz

Slackware 9.0 package:
3a206a1a0688b4bfd0f464bb40128339 sox-12.17.4-i386-3.tgz

Slackware 9.1 package:
13beadd4d7e48c19af71e3ffb6a0578e sox-12.17.4-i486-3.tgz

Slackware 10.0 package:
71919b40bcb0a6f3fc3c9361e0cdbc6f sox-12.17.4-i486-3.tgz

Slackware -current package:
71919b40bcb0a6f3fc3c9361e0cdbc6f sox-12.17.4-i486-3.tgz

Installation instructions:

Upgrade the package as root:
# upgradepkg sox-12.17.4-i486-3.tgz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

[slackware-security] libpng (SSA:2004-222-01)

New libpng packages are available for Slackware 8.1, 9.0, 9.1,
10.0, and -current to fix security issues. These issues could cause
program crashes, or possibly allow arbitrary code embedded in a
malicious PNG image to execute. The PNG library is widely used
within the system, so all sites should upgrade to the new libpng
package.

More details about these issues may be found in the Common
Vulnerabilities and Exposures (CVE) database:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599

Here are the details from the Slackware 10.0 ChangeLog:
+--------------------------+
Sat Aug 7 17:17:20 PDT 2004
patches/packages/libpng-1.2.5-i486-3.tgz: Patched possible security
issues including buffer and integer overflows and null pointer
references. These issues could cause program crashes, or possibly
allow arbitrary code embedded in a malicious PNG image to execute.
The PNG library is widely used within the system, so all sites
should upgrade to the new libpng package.
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599

(* Security fix *)
+--------------------------+

Where to find the new packages:

Updated package for Slackware 8.1:

ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/libpng-1.2.5-i386-1.tgz

Updated package for Slackware 9.0:

ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/libpng-1.2.5-i486-3.tgz

Updated package for Slackware 9.1:

ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/libpng-1.2.5-i486-3.tgz

Updated package for Slackware 10.0:

ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/libpng-1.2.5-i486-3.tgz

Updated package for Slackware -current:

ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/libpng-1.2.5-i486-3.tgz

MD5 signatures:

Slackware 8.1 package:
be08f3ea7e8b41a3fd7ce49a676617e0 libpng-1.2.5-i386-1.tgz

Slackware 9.0 package:
6a7ab390a92dbd28f77a5780be2b5ac1 libpng-1.2.5-i486-3.tgz

Slackware 9.1 package:
4fcf53708102839f3cac78a99d05e750 libpng-1.2.5-i486-3.tgz

Slackware 10.0 package:
094a9825c51204a9aa2cb0bbb43b7a64 libpng-1.2.5-i486-3.tgz

Slackware -current package:
094a9825c51204a9aa2cb0bbb43b7a64 libpng-1.2.5-i486-3.tgz

Installation instructions:

Upgrade the package as root:
# upgradepkg libpng-1.2.5-i486-3.tgz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
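
The advisories above all end with the same procedure: download, compare against the MD5 list, then run upgradepkg. The following is an added example, not part of the Slackware advisories, that automates the comparison for one release; the function names and the demo package names are assumptions made for illustration, and the sample hashes are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): check downloaded packages against the
# "MD5 signatures:" block for one Slackware release before running upgradepkg.

# extract_md5_list ADVISORY RELEASE -> "hash  filename" lines for md5sum -c.
# Only the section for RELEASE is used, since the same filename can carry a
# different hash per release (gaim-0.81 above). A filename that wrapped onto
# the line after its hash is rejoined.
extract_md5_list() {
    awk -v rel="$2" '
        function is_md5(s) { return length(s) == 32 && s !~ /[^0-9a-f]/ }
        /^Slackware .* packages?:$/ { in_rel = ($2 "" == rel ""); pending = ""; next }
        !in_rel                  { next }
        NF == 0                  { in_rel = 0; next }      # blank line ends section
        NF == 2 && is_md5($1)    { print $1 "  " $2; next }
        NF == 1 && is_md5($1)    { pending = $1; next }    # filename on next line
        NF == 1 && pending != "" { print pending "  " $1; pending = "" }
    ' "$1"
}

# verify_packages ADVISORY RELEASE DIR -> 0 only if the release has entries
# and every listed package in DIR matches (a missing file counts as failure).
verify_packages() {
    list=$(extract_md5_list "$1" "$2")
    [ -n "$list" ] || { echo "no MD5 entries for Slackware $2" >&2; return 2; }
    ( cd "$3" && printf '%s\n' "$list" | md5sum -c - )
}

# Constructed sample: two tiny stand-in "packages" and an advisory excerpt in
# the layout above. Hashes are MD5("hello") and MD5(""), not real packages.
make_sample() {
    d=$(mktemp -d) || return 1
    printf 'hello' > "$d/demo-1.0-i486-1.tgz"
    : > "$d/demo-plugins-1.0-noarch-1.tgz"
    cat > "$d/advisory.txt" <<'EOF'
MD5 signatures:

Slackware 9.1 packages:
d41d8cd98f00b204e9800998ecf8427e demo-1.0-i486-1.tgz

Slackware 10.0 packages:
5d41402abc4b2a76b9719d911017c592 demo-1.0-i486-1.tgz
d41d8cd98f00b204e9800998ecf8427e
demo-plugins-1.0-noarch-1.tgz
EOF
    echo "$d"
}
```

The hashes are only as trustworthy as the copy of the advisory they are read from; the team's GPG key is at http://slackware.com/gpg-key.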
