
UNIRAS Briefing - 567/2004 - Three Gentoo Security Advisories:

1. GLSA 200410-11 - tiff: Buffer overflows in image decoding
2. GLSA 200410-10 - gettext: Insecure temporary file handling
3. GLSA 200410-09 - LessTif: Integer and stack overflows in libXpm
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                                  UNIRAS (UK Gov CERT)
                                Advisory Type: Briefing

Id: 20041014-00768               Ref: 567/2004             Date: 14 October 2004   Time: 15:26
- ------------------------------------------------------------------------------------------
Title: Three Gentoo Security Advisories:
1. GLSA 200410-11 - tiff: Buffer overflows in image decoding
2. GLSA 200410-10 - gettext: Insecure temporary file handling
3. GLSA 200410-09 - LessTif: Integer and stack overflows in libXpm


Abstract: 1. Multiple heap-based overflows have been found in the tiff library image decoding 
routines, potentially allowing execution of arbitrary code with the rights of the user 
viewing a malicious image.

2. The gettext utility is vulnerable to symlink attacks, potentially allowing a local 
user to overwrite or change permissions on arbitrary files with the rights of the user 
running gettext, which could be the root user.

3. Chris Evans has discovered various integer and stack overflows in libXpm, which 
is shipped as a part of the X Window System. LessTif, an application that includes 
this library, is susceptible to the same issues.


- ------------------------------------------------------------------------------------------
Detail
====== 


1.


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200410-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: tiff: Buffer overflows in image decoding
      Date: October 13, 2004
        ID: 200410-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple heap-based overflows have been found in the tiff library image decoding 
routines, potentially allowing execution of arbitrary code with the rights of the 
user viewing a malicious image.

Background
==========

The tiff library contains encoding and decoding routines for the Tag Image File 
Format. It is called by numerous programs, including GNOME and KDE, to help in 
displaying TIFF images. xv is a multi-format image manipulation utility that is 
statically linked to the tiff library.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /   Vulnerable   /                    Unaffected
    -------------------------------------------------------------------
  1  media-libs/tiff      < 3.6.1-r2                       >= 3.6.1-r2
  2  media-gfx/xv         <= 3.10a-r7                      >= 3.10a-r8
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Chris Evans found heap-based overflows in RLE decoding routines in tif_next.c, 
tif_thunder.c and potentially tif_luv.c.
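The bug class named above, shown as an added example (not libtiff code and not part of the advisory): a decoder for a generic count/value RLE scheme, which is an assumption and not the NeXT or ThunderScan format, with the bounds check that keeps a file-supplied run length from writing past the row buffer. The function names and sample rows are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decodes (count, value) byte pairs into dst. Returns bytes written, or -1
 * if the input is truncated or a run would not fit in the space left. */
long rle_decode(const uint8_t *src, size_t src_len, uint8_t *dst, size_t dst_len) {
    size_t in = 0, out = 0;
    while (in < src_len) {
        if (src_len - in < 2) return -1;        /* dangling count byte */
        size_t run = src[in];
        uint8_t val = src[in + 1];
        in += 2;
        /* The run length is untrusted file data, while the row buffer was
         * sized from the image header. Check before writing, not after. */
        if (run > dst_len - out) return -1;
        memset(dst + out, val, run);
        out += run;
    }
    return (long)out;
}

/* Constructed inputs: an 8-pixel row, and one whose runs total 8 + 200. */
static const uint8_t good_row[] = { 3, 0xAA, 5, 0x55 };
static const uint8_t bad_row[]  = { 8, 0x41, 200, 0x42 };

/* Decodes into an 8-byte row followed by a canary byte; returns the decoder
 * result and reports through *canary_ok whether the canary survived. */
long decode_into_row(const uint8_t *src, size_t n, int *canary_ok) {
    uint8_t buf[9];
    memset(buf, 0, 8);
    buf[8] = 0xC3;                              /* canary after the row */
    long r = rle_decode(src, n, buf, 8);
    *canary_ok = (buf[8] == 0xC3);
    return r;
}

int main(void) {
    int ok;
    long r = decode_into_row(good_row, sizeof good_row, &ok);
    printf("good row: %ld bytes, canary_ok=%d\n", r, ok);
    r = decode_into_row(bad_row, sizeof bad_row, &ok);
    printf("bad row:  %ld, canary_ok=%d\n", r, ok);
    return 0;
}
```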

Impact
======

A remote attacker could entice a user to view a carefully crafted TIFF image file, 
which would potentially lead to execution of arbitrary code with the rights of 
the user viewing the image. This affects any program that makes use of the tiff 
library, including GNOME and KDE web browsers or mail readers.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All tiff library users should upgrade to the latest version:

    # emerge sync

    # emerge -pv ">=media-libs/tiff-3.6.1-r2"
    # emerge ">=media-libs/tiff-3.6.1-r2"

xv makes use of the tiff library and needs to be recompiled to receive the new 
patched version of the library. All xv users should also upgrade to the latest version:

    # emerge sync

    # emerge -pv ">=media-gfx/xv-3.10a-r8"
    # emerge ">=media-gfx/xv-3.10a-r8"

References
==========

  [ 1 ] CAN-2004-0803
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0803

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200410-11.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and 
security of our users' machines is of utmost importance to us. Any security concerns 
should be addressed to security@xxxxxxxxxx or alternatively, you may file a 
bug at http://bugs.gentoo.org.


License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0



2.



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200410-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: gettext: Insecure temporary file handling
      Date: October 10, 2004
      Bugs: #66355
        ID: 200410-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The gettext utility is vulnerable to symlink attacks, potentially allowing a 
local user to overwrite or change permissions on arbitrary files with the rights 
of the user running gettext, which could be the root user.

Background
==========

gettext is a set of utilities for the GNU Translation Project which provides a 
set of tools and documentation to help produce multi-lingual messages in programs.

Affected packages
=================

    -------------------------------------------------------------------
     Package            /   Vulnerable   /                  Unaffected
    -------------------------------------------------------------------
  1  sys-devel/gettext      < 0.12.1-r2                   >= 0.12.1-r2

Description
===========

gettext insecurely creates temporary files in world-writeable directories with 
predictable names.

Impact
======

A local attacker could create symbolic links in the temporary files directory, 
pointing to a valid file somewhere on the filesystem. When gettext is called, 
this would result in file access with the rights of the user running the utility, 
which could be the root user.
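The file-creation behaviour described above, as an added example (not gettext code and not part of the advisory): an open on a predictable name follows a pre-existing symlink, while O_CREAT|O_EXCL and mkstemp() refuse it. The sandbox directory, the file names and the helper names are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak: guessable name; open() follows a symlink that already exists there. */
static int open_weak(const char *p) { return open(p, O_WRONLY | O_CREAT | O_TRUNC, 0600); }
/* Hardened: O_EXCL fails with EEXIST on any existing entry, symlinks included. */
static int open_excl(const char *p) { return open(p, O_WRONLY | O_CREAT | O_EXCL, 0600); }
static long size_of(const char *p) {
    struct stat st;
    return stat(p, &st) == 0 ? (long)st.st_size : -1;
}
static void put(const char *p, const char *s) {
    FILE *f = fopen(p, "w");
    if (f) { fputs(s, f); fclose(f); }
}

/* Runs both opens against a constructed symlink inside a private sandbox dir.
 * out[0] errno of hardened open, out[1] victim size after it,
 * out[2] victim size after weak open, out[3] 1 if mkstemp() succeeded. */
int symlink_demo(long out[4]) {
    char dir[] = "/tmp/glsa-demo-XXXXXX", victim[64], tmp[64], uniq[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/tool.1234", dir);     /* guessable name */
    snprintf(uniq, sizeof uniq, "%s/tool.XXXXXX", dir);
    put(victim, "important\n");
    if (symlink(victim, tmp) != 0) return -1;
    int fd = open_excl(tmp);                /* refuses the existing link */
    out[0] = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);
    out[1] = size_of(victim);
    fd = open_weak(tmp);                    /* follows link, truncates victim */
    if (fd >= 0) close(fd);
    out[2] = size_of(victim);
    fd = mkstemp(uniq);                     /* random name, created with O_EXCL */
    out[3] = fd >= 0;
    if (fd >= 0) close(fd);
    unlink(uniq); unlink(tmp); unlink(victim); rmdir(dir);
    return 0;
}
int main(void) {
    long r[4];
    if (symlink_demo(r) != 0) return 1;
    printf("excl errno=%ld victim=%ld; weak victim=%ld; mkstemp=%ld\n", r[0], r[1], r[2], r[3]);
}
```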

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All gettext users should upgrade to the latest version:

    # emerge sync

    # emerge -pv ">=sys-devel/gettext-0.12.1-r2"
    # emerge ">=sys-devel/gettext-0.12.1-r2"

References
==========

  [ 1 ] BugTraq Advisory
        http://www.securityfocus.com/advisories/7263

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200410-10.xml




3.  



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200410-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: LessTif: Integer and stack overflows in libXpm
      Date: October 09, 2004
      Bugs: #66647
        ID: 200410-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in libXpm, which is included in 
LessTif, that can potentially lead to remote code execution.

Background
==========

LessTif is a clone of OSF/Motif, which is the standard user interface toolkit 
available on Unix and Linux.

Affected packages
=================

    -------------------------------------------------------------------
     Package           /  Vulnerable  /                     Unaffected
    -------------------------------------------------------------------
  1  x11-libs/lesstif      < 0.93.97                        >= 0.93.97

Description
===========

Chris Evans has discovered various integer and stack overflows in libXpm, which is 
shipped as a part of the X Window System. LessTif, an application that includes this 
library, is susceptible to the same issues.

Impact
======

A carefully-crafted XPM file could crash applications that are linked against libXpm, 
such as LessTif, potentially allowing the execution of arbitrary code with the 
privileges of the user running the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All LessTif users should upgrade to the latest version:

    # emerge sync

    # emerge -pv ">=x11-libs/lesstif-0.93.97"
    # emerge ">=x11-libs/lesstif-0.93.97"

References
==========

  [ 1 ] CAN-2004-0687
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0687
  [ 2 ] CAN-2004-0688
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0688
  [ 3 ] GLSA-200409-34
        http://www.gentoo.org/security/en/glsa/glsa-200409-34.xml
  [ 4 ] LessTif Release Notes
        http://www.lesstif.org/ReleaseNotes.html

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200410-09.xml



- ----------------------------------------------------------------------------------
Acknowledgements

UNIRAS wishes to acknowledge the contributions of Gentoo for the information
contained in this Briefing.
- ----------------------------------------------------------------------------------
Digital Signature

This advisory has been digitally signed by GnuPG so that its readership
is able to confirm its integrity. The NISCC Public key is available
from http://www.niscc.gov.uk/niscc/faq-en.html.

NB: This is currently the sole purpose for this particular key. If you
need to send Not Protectively Marked or sensitive material to UNIRAS then
its PGP Public Key should be used and this is also available from
http://www.niscc.gov.uk/niscc/faq-en.html.
- ----------------------------------------------------------------------------------
Updates

This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.
- ----------------------------------------------------------------------------------
Legal Disclaimer

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC. The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.
- ----------------------------------------------------------------------------------
FIRST

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large.
- ----------------------------------------------------------------------------------
Contacts

For additional information or assistance, please contact the HELP Desk by 
telephone. Not Protectively Marked information may be sent via email to:
uniras@xxxxxxxxxxxx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFBbo1nu3T4tp2zMUkRAscrAKCxkzmvDpGjSs1ihXL7Mmr8bfCJ0ACePZLf
gprBPBf5is1OgWgelBo0iFo=
=Dlk5
-----END PGP SIGNATURE-----