search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Utah Raster Toolkit contains multiple vulnerabilities

Vulnerability Note VU#378049

Original Release Date: 2003-03-17 | Last Revised: 2003-04-03

Overview

The Utah Raster Toolkit is a graphics library/utility. Several vulnerabilities have been reported in the Utah Raster Toolkit.

Description

The Utah Raster Toolkit is a graphics library/utility. Several vulnerabilities have been reported in the Utah Raster Toolkit.

Impact

The complete impact of these vulnerability is not yet known. These vulnerabilities may be used to cause a denial of service situation or permit the execution of code.

Solution

Please see your vendor notification for a vendor specific patch.

Vendor Information

378049
 
Expand all

Debian Affected

Updated:  March 17, 2003

Status

Affected

Vendor Statement

Please see http://www.debian.org/security/2003/dsa-263.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat Inc. Affected

Updated:  April 03, 2003

Status

Affected

Vendor Statement

Red Hat Linux and Red Hat Enterprise Linux ship with a NetPBM package vulnerable to these issues. Updated NetPBM packages are available along with our advisory at the URLs below. Users of the Red Hat Network can update their systems using the 'up2date' tool.

Red Hat Enterprise Linux:

Red Hat Linux:

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Utah Raster Toolkit Affected

Notified:  February 13, 2003 Updated: March 17, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Computer Inc. Not Affected

Updated:  March 17, 2003

Status

Not Affected

Vendor Statement

Mac OS X and Mac OS X Server do not contain the vulnerabilities described in this report.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu Not Affected

Updated:  March 17, 2003

Status

Not Affected

Vendor Statement

Fujitsu's UXP/V o.s. does not support the Utah Raster Toolkit or netpbm, so it is not vulnerable to the vulnerabilities reported in this VU report.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company Not Affected

Updated:  March 17, 2003

Status

Not Affected

Vendor Statement

-------------------------------------
Source:
Hewlett-Packard Company
Software Security Response Team

  HP-UX         - not vulnerable
 HP-MPE/ix     - not vulnerable
 HP Tru64 UNIX - not vulnerable
 HP OpenVMS    - not vulnerable
 HP NonStop Servers - not vulnerable

To report potential security vulnerabilities in HP software,
send an E-mail message to: mailto:security-alert@hp.com


--------------------------------------

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Ingrian Networks Not Affected

Updated:  March 17, 2003

Status

Not Affected

Vendor Statement

Ingrian Networks products are not vulnerable to VU#378049 or VU#630433.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation Not Affected

Updated:  March 17, 2003

Status

Not Affected

Vendor Statement

Microsoft has confirmed this issue does not affect our software.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to Alan Cox for reporting this vulnerability and creating the initial fixes and to Al Viro for discovering the original flaw. We also thank Martin Schulze and Sebastian Kramer provided additional fixes to the patches.

This document was written by Jason A Rafail.

Other Information

CVE IDs: None
Severity Metric: 5.03
Date Public: 2003-02-28
Date First Published: 2003-03-17
Date Last Updated: 2003-04-03 21:35 UTC
Document Revision: 4

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis