Two vulnerabilities have been found in the feh software package; exploiting them can lead to execution of arbitrary commands and overwriting of certain files.

Package: feh, feh 1.x
Operating systems: Fedora 14, Fedora 15
Severity: 4.8
Problem: error in a program function
Exploitation: local
Consequence: privilege escalation, execution of arbitrary commands
Solution: vendor patch
CVE: CVE-2011-0702, CVE-2010-2246
Original advisory ID: FEDORA-2011-8750
Source: Fedora
Problem:
The first vulnerability lies in the feh_unique_filename() function; the second occurs when the --wget-timestamp option is enabled.

Consequence:
The vulnerabilities allow overwriting of arbitrary files and execution of arbitrary commands.

Solution:
All users are advised to upgrade to the fixed program versions.
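The file-overwrite flaw above is located in feh's unique-filename routine, but feh's own code is not on this page. As an added example (not feh's code), the C helper below shows how a unique output file can be created without that risk: O_CREAT|O_EXCL lets the kernel do the existence check and the create in one step, so a file or symlink already sitting at the predicted name makes the open fail with EEXIST instead of being written through. The directory, base name and suffix scheme are assumptions chosen for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not feh's code. Create "<dir>/<base>" or, if that name is
 * taken, "<dir>/<base>.N", and return an open descriptor for the new file.
 * The unsafe pattern is stat()/access() to see whether the name is free and
 * then fopen(path, "w"): between the two calls another local user can plant
 * a symlink at the predicted name, and the later open follows it and
 * truncates whatever it points at. O_CREAT|O_EXCL makes the kernel refuse
 * to open anything that already exists (a symlink included), so the check
 * and the create are one atomic step and nothing is ever overwritten.
 * Writes the chosen path into out. Returns the fd, or -1 on failure. */
int create_unique_file(const char *dir, const char *base, char *out, size_t outlen)
{
    for (unsigned n = 0; n < 1000; n++) {
        int len = (n == 0)
            ? snprintf(out, outlen, "%s/%s", dir, base)
            : snprintf(out, outlen, "%s/%s.%u", dir, base, n);
        if (len < 0 || (size_t)len >= outlen) {
            errno = ENAMETOOLONG;
            return -1;
        }
        int fd = open(out, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
        if (fd >= 0)
            return fd;        /* brand-new file, created by us, mode 0600 */
        if (errno != EEXIST)
            return -1;        /* permission or path problem: stop, don't guess */
        /* EEXIST: a file or symlink is already there, try the next suffix */
    }
    errno = EEXIST;
    return -1;
}
```

The caller should write through the returned descriptor rather than reopening the path by name, otherwise the race is reintroduced.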
Original advisory text
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-8750
2011-06-26 18:32:14
--------------------------------------------------------------------------------
Name : feh
Product : Fedora 15
Version : 1.14.1
Release : 1.fc15
URL : https://derf.homelinux.org/projects/feh/
Summary : Fast command line image viewer using Imlib2
Description :
feh is a versatile and fast image viewer using imlib2, the
premier image file handling library. feh has many features,
from simple single file viewing, to multiple file modes using
a slide-show or multiple windows. feh supports the creation of
montages as index prints with many user-configurable options.
--------------------------------------------------------------------------------
Update Information:
Changes since 0.10.1:
- Bug fixes
* Make zoom_default key work properly with --geometry
* Only create caption directory when actually writing out a caption.
<http://github.com/derf/feh/issues/42>
* read directory contents sorted by filename instead of 'randomly'
(as returned by readdir) by default. Thanks talisein!
<https://github.com/derf/feh/pull/20>
* Show certain warnings in the image window as well as on the commandline
<http://github.com/derf/feh/issues/43>
* Change a patch for NETWM fullscreen support to only apply to fullscreen
windows. This fixes the moving windows bug in fluxbox (since fluxbox
doesn't report its window border width).
<http://github.com/derf/feh/issues/22>
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=570903>
* Minor manpage fixes.
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=625683>
* Fix --auto-zoom / --zoom max/fill documentation, the "Auto-Zoom" menu
option is now always checked when these options are used
* Set _NET_WM_NAME and _NET_WM_ICON_NAME properties
<http://github.com/derf/feh/issues/44>
* The zoom_default key now works fine with --scale-down
<http://github.com/derf/feh/issues/41>
* Fix access of uninitialized memory / malloc/realloc clash in continued
theme definition handling. Having a theme line with just one
option/value pair used to produce undefined behaviour
* Fix segfault upon unloadable images when image-related format specifiers
(e.g. %h) are used in --title
* Fix Imlib2 caching bug in reload (only worked after the second try)
* Show correct image dimensions for cached thumbnails
* Fix zooming when --scale-down is used
* Make in/out zoom use equal zoom ratio
- Behavior changes/compatibility
* --menu-style is now deprecated
* The --menu-bg option has been deprecated. It will be removed along with
--menu-style by the end of 2012.
<http://github.com/derf/feh/issues/27>
* Since the manual is way better structured and more detailed than the
--help output, it now simply refers to the manual.
* The 'A' key (toggle_aliasing) now actually changes the current window,
and not just the default for new windows
* Show images in current directory when invoked without file arguments
* The --bg options are now Xinerama-aware. That is, they set the image in
the respective mode (scale/fill/max/center) on each Xinerama screen. Use
--no-xinerama to disable this.
* Add --zoom fill as equivalent for --auto-zoom
* Remove builtin http client (--builtin)
* http images are now viewed using libcurl, not wget (thanks to talisein)
This adds libcurl as dependency, and removes the wget recommendation
* Allow commandline options to override those set in a theme
* Remove support for FEH_OPTIONS (was deprecated >5 years ago)
* Restrict available modifiers to Control/Mod1/Mod4
* The themes are now read from ~/.config/feh/themes (BC for .fehrc exists)
* Key bindings can now be configured via ~/.config/feh/keys
* Removes --rcpath, use XDG_CONFIG_HOME instead
* Increase movement steps for Ctrl+Left etc.
- Features
* You can now use the next/prev/jump keys to navigate thumbnails. Use the
render key to open the currently selected thumbnail.
<http://github.com/derf/feh/issues/26>
* Option to disable antialiasing, either global (--force-aliasing) or per
image (press 'A' to toggle, keybinding toggle_aliasing)
* Use SIGUSR1/SIGUSR2 to reload all images in multiwindow mode
* Add --zoom max (zooming like in --bg-max)
--------------------------------------------------------------------------------
ChangeLog:
* Fri Jun 24 2011 Ben Boeckel <e-mail address hidden> - 1.14.1-1
- Update to 1.14.1
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #676389 - CVE-2011-0702 feh: arbitrary file overwrite vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=676389
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update feh' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
https://admin.fedoraproject.org/mailman/listinfo/package-announce
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-8747
2011-06-26 18:32:08
--------------------------------------------------------------------------------
Name : feh
Product : Fedora 14
Version : 1.14.1
Release : 1.fc14
URL : https://derf.homelinux.org/projects/feh/
Summary : Fast command line image viewer using Imlib2
--------------------------------------------------------------------------------
ChangeLog:
* Fri Jun 24 2011 Ben Boeckel <e-mail address hidden> - 1.14.1-1
- Update to 1.14.1
* Tue Feb 8 2011 Fedora Release Engineering <e-mail address hidden> - 1.10.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Wed Dec 29 2010 Andrew Potter <e-mail address hidden> 1.10.1-1
- New upstream release
- Closes CVE-2010-2246 by removing option -G, --wget-timestamp
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #676389 - CVE-2011-0702 feh: arbitrary file overwrite vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=676389
--------------------------------------------------------------------------------