Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 19467

Summary: gnome-extra/gtkhtml
Product: Gentoo Security Reporter: Daniel Ahlberg (RETIRED) <aliz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: critical CC: gnome
Priority: Highest    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Daniel Ahlberg (RETIRED) gentoo-dev 2003-04-17 05:48:58 UTC 
MDKSA-2003:046 - Updated gtkhtml packages fix vulnerability 
 
From:  
Mandrake Linux Security Team <security@linux-mandrake.com> 
 
 
To:  
announce@mandrakesecure.net 
 
 
Date:  
Tuesday 17.13.41 
 
 
 
Message was signed with unknown key 0x22458A98. 
The validity of the signature cannot be verified. 
 
 
________________________________________________________________________ 
 
                Mandrake Linux Security Update Advisory 
________________________________________________________________________ 
 
Package name:           gtkhtml 
Advisory ID:            MDKSA-2003:046 
Date:                   April 15th, 2003 
 
Affected versions:      9.1 
________________________________________________________________________ 
 
Problem Description: 
 
 A vulnerability in GtkHTML was discovered by Alan Cox with the 
 Evolution email client.  GtkHTML is used to handle HTML messages in 
 Evolution and certain malformed messages could cause Evolution to 
 crash due to this bug. 
________________________________________________________________________ 
 
References: 
 
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0133 
________________________________________________________________________ 
 
Updated Packages: 
 
 Mandrake Linux 9.1: 
 0d70ee8b14894ca33b7861a72b0475d0  9.1/RPMS/gtkhtml-1.1.10-2.1mdk.i586.rpm 
 cfe7ed73a2dbda67027ae098c7ff4c30  9.1/RPMS/libgtkhtml1.1_3-1.1.10-2.1mdk.i586.rpm 
 ccf63beed4742e7a094998ed9462ef2d  9.1/RPMS/libgtkhtml1.1_3-devel-1.1.10-2.1mdk.i586.rpm 
 7af29a0d5de7a701f99b2eeb35b60129  9.1/SRPMS/gtkhtml-1.1.10-2.1mdk.src.rpm 
 
 Mandrake Linux 9.1/PPC: 
 7b18625abf51ac3379ac808491532987  ppc/9.1/RPMS/gtkhtml-1.1.10-2.1mdk.ppc.rpm 
 9d1e27cfc17c805f6b1fb5ed7798d33b  ppc/9.1/RPMS/libgtkhtml1.1_3-1.1.10-2.1mdk.ppc.rpm 
 aea147d9be293b64768f93f225c2fa3a 
 ppc/9.1/RPMS/libgtkhtml1.1_3-devel-1.1.10-2.1mdk.ppc.rpm 
 7af29a0d5de7a701f99b2eeb35b60129  ppc/9.1/SRPMS/gtkhtml-1.1.10-2.1mdk.src.rpm 
________________________________________________________________________ 
 
Bug IDs fixed (see https://qa.mandrakesoft.com for more information): 
________________________________________________________________________ 
 
To upgrade automatically, use MandrakeUpdate.  The verification of md5 
checksums and GPG signatures is performed automatically for you. 
 
If you want to upgrade manually, download the updated package from one 
of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm".  A list of 
FTP mirrors can be obtained from: 
 
  http://www.mandrakesecure.net/en/ftp.php 
 
Please verify the update prior to upgrading to ensure the integrity of 
the downloaded package.  You can do this with the command: 
 
  rpm --checksig <filename> 
 
All packages are signed by MandrakeSoft for security.  You can obtain 
the GPG public key of the Mandrake Linux Security Team from: 
 
  https://www.mandrakesecure.net/RPM-GPG-KEYS 
 
Please be aware that sometimes it takes the mirrors a few hours to 
update. 
 
You can view other update advisories for Mandrake Linux at: 
 
  http://www.mandrakesecure.net/en/advisories/ 
 
MandrakeSoft has several security-related mailing list services that 
anyone can subscribe to.  Information on these lists can be obtained by 
visiting: 
 
  http://www.mandrakesecure.net/en/mlist.php 
 
If you want to report vulnerabilities, please contact 
 
  security_linux-mandrake.com 
 
Type Bits/KeyID     Date       User ID 
pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team 
  <security linux-mandrake.com> 
 
-----BEGIN PGP PUBLIC KEY BLOCK----- 
Version: GnuPG v1.0.7 (GNU/Linux) 
 
mQGiBDlp594RBAC2tDozI3ZgQsE7XwxurJCJrX0L5vx7SDByR5GHDdWekGhdiday 
L4nfUax+SeR9SCoCgTgPW1xB8vtQc8/sinJlMjp9197a2iKM0FOcPlkpa3HcOdt7 
WKJqQhlMrHvRcsivzcgqjH44GBBJIT6sygUF8k0lU6YnMHj5MPc/NGWt8wCg9vKo 
P0l5QVAFSsHtqcU9W8cc7wMEAJzQsAlnvPXDBfBLEH6u7ptWFdp0GvbSuG2wRaPl 
hynHvRiE01ZvwbJZXsPsKm1z7uVoW+NknKLunWKB5axrNXDHxCYJBzY3jTeFjsqx 
PFZkIEAQphLTkeXXelAjQ5u9tEshPswEtMvJvUgNiAfbzHfPYmq8D6x5xOw1IySg 
2e/LBACxr2UJYCCB2BZ3p508mAB0RpuLGukq+7UWiOizy+kSskIBg2O7sQkVY/Cs 
iyGEo4XvXqZFMY39RBdfm2GY+WB/5NFiTOYJRKjfprP6K1YbtsmctsX8dG+foKsD 
LLFs7OuVfaydLQYp1iiN6D+LJDSMPM8/LCWzZsgr9EKJ8NXiyrQ6TGludXggTWFu 
ZHJha2UgU2VjdXJpdHkgVGVhbSA8c2VjdXJpdHlAbGludXgtbWFuZHJha2UuY29t 
PohWBBMRAgAWBQI5aefeBAsKBAMDFQMCAxYCAQIXgAAKCRCaqNDQIkWKmK6LAKCy 
/NInDsaMSI+WHwrquwC5PZrcnQCeI+v3gUDsNfQfiKBvQSANu1hdulqIRgQQEQIA 
BgUCOtNVGQAKCRBZ5w3um0pAJJWQAKDUoL5He+mKbfrMaTuyU5lmRyJ0fwCgoFAP 
WdvQlu/kFjphF740XeOwtOqIRgQQEQIABgUCOu8A6QAKCRBynDnb9lq3CnpjAJ4w 
Pk0SEE9U4r40IxWpwLU+wrWVugCdFfSPllPpZRCiaC7HwbFcfExRmPaIRgQQEQIA 
BgUCPI+UAwAKCRDniYrgcHcf8xK5AKCm/Mq8qP8GE0o1hEX22QsJMZwH5gCfZ72H 
8TacOb3oAmBdprf+K6gkdOiIRgQQEQIABgUCOtOieAAKCRCv2bZyU0yB80MeAJ9K 
+jXt0cKuaUonRU+CRGetk6t9dgCfTRRL6/puOKdD6md70+K5EBBSvsG0OE1hbmRy 
YWtlIExpbnV4IFNlY3VyaXR5IFRlYW0gPHNlY3VyaXR5QG1hbmRyYWtlc29mdC5j 
b20+iFcEExECABcFAjyPnuUFCwcKAwQDFQMCAxYCAQIXgAAKCRCaqNDQIkWKmFi+ 
AJsHhohgnU3ik4+gy3EdFlB2i/MBoACg6lHn5cnVvTcmgNccWxeNxLLZI5e5AQ0E 
OWnn7xAEAOQlTVY4TiNo5V/iP0J1xnqjqlqZsU7yEBKo/gZz6/+hx75RURe1ebiJ 
9F779FQbpJ9Epz1KLSXvq974rnVb813zuGdmgFyk+ryA/rTR2RQ8h+EoNkwmATzR 
xBXVJb57fFQjxOu4eNjZAtfII/YXb0uyXXrdr5dlJ/3eXrcO4p0XAAMFBACCxo6Z 
269s+A4v8C6Ui12aarOQcCDlV8cVG9LkyatU3FNTlnasqwo6EkaP572448weJWwN 
6SCXVl+xOYLiK0hL/6Jb/O9Agw75yUVdk+RMM2I4fNEi+y4hmfMh2siBv8yEkEvZ 
jTcl3TpkTfzYky85tu433wmKaLFOv0WjBFSikohGBBgRAgAGBQI5aefvAAoJEJqo 
0NAiRYqYid0AoJgeWzXrEdIClBOSW5Q6FzqJJyaqAKC0Y9YI3UFlE4zSIGjcFlLJ 
EJGXlA== 
=yGlX 
-----END PGP PUBLIC KEY BLOCK----- 
 
 
 
End of signed message
Comment 1 solar (RETIRED) gentoo-dev 2003-09-21 23:16:12 UTC 
Gnome herd can you please confirm/debunk/fix this one.

Looks like this one still might need some fixing.

gnome-extra/libgtkhtml-3.0.8-r2
gnome-extra/gtkhtml-1.1.10
Comment 2 foser (RETIRED) gentoo-dev 2003-09-22 04:47:04 UTC 
hmm i saw a more comprehensive description of this problem yesterday, there it said the problem had been fixed in gtkhtml-1.1.10 . I removed the 1.1.8 we still had around from the tree.

So i think if we announce that everyone should upgrade to 1.1.10 we should be fine.

I'll have a look if i can find that other reference somewhere.

libgtkhtml is different (later) branches of gtkhtml-1 and should be unaffected (at least it is not mentioned anywhere in these advisories)
Comment 3 foser (RETIRED) gentoo-dev 2003-10-05 02:47:52 UTC 
http://rhn.redhat.com/errata/RHSA-2003-264.html

might be another problem (?) but the referenced RH link from the initial
problem suggests it was supersed by the link i just pasted.
Comment 4 Aida Escriva-Sammer (RETIRED) gentoo-dev 2004-03-19 13:50:51 UTC 
Could someone on the Gnome team remove 1.1.8 from portage so we can squash this antique bug?
Comment 5 foser (RETIRED) gentoo-dev 2004-03-19 23:51:42 UTC 
done
Comment 6 Aida Escriva-Sammer (RETIRED) gentoo-dev 2004-03-20 08:42:01 UTC 
Vulerable package removed - bug closed.