SOT Linux Advisory: xfree86
Feb 23, 2004, 19:44
SOT Linux Security Advisory
Subject: Updated XFree86 package for SOT Linux 2003
Advisory ID: SLSA-2004:3
Date: Sunday, February 22, 2004
Product: SOT Linux 2003
1. Problem description
XFree86 is an implementation of the X Window System, providing
the core graphical user interface and video drivers.
iDefense discovered two buffer overflows in the parsing of the
'font.alias' file. A local attacker could exploit these flaws by
creating a carefully crafted font.alias file that the setuid-root
X server then parses, gaining root privileges. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the names CAN-2004-0083 and CAN-2004-0084 to these issues.
In addition, David Dawes discovered further flaws in the reading of
font files. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0106 to these issues.
All users of XFree86 are advised to upgrade to these errata
packages, which contain backported fixes and are not vulnerable to
these issues.
2. Updated packages
SOT Linux 2003 Desktop:
i386:
ftp://ftp.sot.com/updates/2003/Desktop/i386/XFree86-4.2.99.3-5.i386.rpm
ftp://ftp.sot.com/updates/2003/Desktop/i386/XFree86-100dpi-fonts-4.2.99.3-5.i386.rpm
ftp://ftp.sot.com/updates/2003/Desktop/i386/XFree86-75dpi-fonts-4.2.99.3-5.i386.rpm
ftp://ftp.sot.com/updates/2003/Desktop/i386/XFree86-cyrillic-fonts-4.2.99.3-5.i386.rpm
ftp://ftp.sot.com/updates/2003/Desktop/i386/XFree86-devel-4.2.99.3-5.i386.rpm
ftp://ftp.sot.com/updates/2003/Desktop/i386/XFree86-ISO8859-15-100dpi-fonts-4.2.99.3-5.i386.rpm
ftp://ftp.sot.com/updates/2003/Desktop/i386/XFree86-ISO8859-15-75dpi-fonts-4.2.99.3-5.i386.rpm
ftp://ftp.sot.com/updates/2003/Desktop/i386/XFree86-ISO8859-2-100dpi-fonts-4.2.99.3-5.i386.rpm
ftp://ftp.sot.com/updates/2003/Desktop/i386/XFree86-ISO8859-2-75dpi-fonts-4.2.99.3-5.i386.rpm
ftp://ftp.sot.com/updates/2003/Desktop/i386/XFree86-ISO8859-9-100dpi-fonts-4.2.99.3-5.i386.rpm
ftp://ftp.sot.com/updates/2003/Desktop/i386/XFree86-ISO8859-9-75dpi-fonts-4.2.99.3-5.i386.rpm
SRPMS:
ftp://ftp.sot.com/updates/2003/Desktop/SRPMS/XFree86-4.2.99.3-5.src.rpm
SOT Linux 2003 Server:
i386:
ftp://ftp.sot.com/updates/2003/Server/i386/XFree86-4.2.99.3-5.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/XFree86-100dpi-fonts-4.2.99.3-5.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/XFree86-75dpi-fonts-4.2.99.3-5.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/XFree86-cyrillic-fonts-4.2.99.3-5.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/XFree86-devel-4.2.99.3-5.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/XFree86-ISO8859-15-100dpi-fonts-4.2.99.3-5.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/XFree86-ISO8859-15-75dpi-fonts-4.2.99.3-5.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/XFree86-ISO8859-2-100dpi-fonts-4.2.99.3-5.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/XFree86-ISO8859-2-75dpi-fonts-4.2.99.3-5.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/XFree86-ISO8859-9-100dpi-fonts-4.2.99.3-5.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/XFree86-ISO8859-9-75dpi-fonts-4.2.99.3-5.i386.rpm
SRPMS:
ftp://ftp.sot.com/updates/2003/Server/SRPMS/XFree86-4.2.99.3-5.src.rpm
3. Upgrading package
Before applying this update, make sure all previously released
errata relevant to your system have been applied.
Use up2date to automatically upgrade the fixed packages.
If you want to upgrade manually, download the updated packages
from the SOT Linux FTP site (use the links above) or from one of
our mirrors. The list of mirrors can be obtained at www.sot.com/en/linux
Update the packages with the following command:
rpm -Uvh <filename> [<filename> ...]
Pass every updated package that is installed on your system in a
single rpm -Uvh invocation: sub-packages such as XFree86-devel
require the matching XFree86 version, so upgrading them one at a
time fails on that dependency. A running X server keeps the old
code in memory until it is restarted, so restart X after the
upgrade.
4. Verification
All packages are PGP signed by SOT for security.
You can verify each package's signature with the following command:
rpm --checksig <filename>
This authenticates the package only if SOT's public signing key is
present in your RPM keyring; without it, rpm cannot validate the
signature and the check fails.
If you wish to verify the integrity of the downloaded package,
run "md5sum <filename>" and compare the output with the data
given below. The MD5 sums detect truncated or corrupted downloads;
they do not replace the signature check, since a sum is only as
trustworthy as the copy of this advisory it came from.
Package names are relative to ftp://ftp.sot.com/updates/2003. The
Desktop and Server packages carry the same MD5 sums.

Package Name  MD5 sum
/Desktop/i386/XFree86-100dpi-fonts-4.2.99.3-5.i386.rpm  43ce6357e29863cab6b21bd20f73b5f3
/Desktop/i386/XFree86-4.2.99.3-5.i386.rpm  b6bc1628addeef177d2749fc36f9047f
/Desktop/i386/XFree86-75dpi-fonts-4.2.99.3-5.i386.rpm  9655ca51e11f9a42d06e0ec4255d20e3
/Desktop/i386/XFree86-ISO8859-15-100dpi-fonts-4.2.99.3-5.i386.rpm  4a15ff9438ed4e52001c9eb97f863eb1
/Desktop/i386/XFree86-ISO8859-15-75dpi-fonts-4.2.99.3-5.i386.rpm  b0afe411d0e3837735b49fbecb9d0f46
/Desktop/i386/XFree86-ISO8859-2-100dpi-fonts-4.2.99.3-5.i386.rpm  df05e2ff1a7d7c060a678a88768b8356
/Desktop/i386/XFree86-ISO8859-2-75dpi-fonts-4.2.99.3-5.i386.rpm  ded7a3e3ed3bc0e6641406fc19d63669
/Desktop/i386/XFree86-ISO8859-9-100dpi-fonts-4.2.99.3-5.i386.rpm  8ad9eab70d816b507c1c9c33dce73102
/Desktop/i386/XFree86-ISO8859-9-75dpi-fonts-4.2.99.3-5.i386.rpm  94324114b35090d35b493e694979f899
/Desktop/i386/XFree86-cyrillic-fonts-4.2.99.3-5.i386.rpm  e1ee85c406aff689310712918cae55a1
/Desktop/i386/XFree86-devel-4.2.99.3-5.i386.rpm  2d8ebae4ee1847fca3dbfd34c814a733
/Desktop/SRPMS/XFree86-4.2.99.3-5.src.rpm  87a4744ba85b43e00a9eb41896d0f412
/Server/i386/XFree86-100dpi-fonts-4.2.99.3-5.i386.rpm  43ce6357e29863cab6b21bd20f73b5f3
/Server/i386/XFree86-4.2.99.3-5.i386.rpm  b6bc1628addeef177d2749fc36f9047f
/Server/i386/XFree86-75dpi-fonts-4.2.99.3-5.i386.rpm  9655ca51e11f9a42d06e0ec4255d20e3
/Server/i386/XFree86-ISO8859-15-100dpi-fonts-4.2.99.3-5.i386.rpm  4a15ff9438ed4e52001c9eb97f863eb1
/Server/i386/XFree86-ISO8859-15-75dpi-fonts-4.2.99.3-5.i386.rpm  b0afe411d0e3837735b49fbecb9d0f46
/Server/i386/XFree86-ISO8859-2-100dpi-fonts-4.2.99.3-5.i386.rpm  df05e2ff1a7d7c060a678a88768b8356
/Server/i386/XFree86-ISO8859-2-75dpi-fonts-4.2.99.3-5.i386.rpm  ded7a3e3ed3bc0e6641406fc19d63669
/Server/i386/XFree86-ISO8859-9-100dpi-fonts-4.2.99.3-5.i386.rpm  8ad9eab70d816b507c1c9c33dce73102
/Server/i386/XFree86-ISO8859-9-75dpi-fonts-4.2.99.3-5.i386.rpm  94324114b35090d35b493e694979f899
/Server/i386/XFree86-cyrillic-fonts-4.2.99.3-5.i386.rpm  e1ee85c406aff689310712918cae55a1
/Server/i386/XFree86-devel-4.2.99.3-5.i386.rpm  2d8ebae4ee1847fca3dbfd34c814a733
/Server/SRPMS/XFree86-4.2.99.3-5.src.rpm  87a4744ba85b43e00a9eb41896d0f412
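The manual procedure in sections 3 and 4 (download, compare the MD5 sum
against the table, check the RPM signature, then rpm -Uvh) is shown below
as one script. This is an added example, not SOT's own tooling or part of
the original advisory. It assumes the MD5 table above has been saved to a
manifest file with one package per line ("<path as listed> <md5>"), that
the packages were downloaded into a local directory, and that SOT's public
key has already been imported into the RPM keyring; the script name
verify.sh and the manifest file name are hypothetical.

```sh
#!/bin/sh
# Added example (not SOT's tooling): verify an errata package against the
# advisory's MD5 table and its RPM signature before installing it.
#
# Assumptions (hypothetical):
#  - MANIFEST holds the advisory's table, one package per line:
#    /Desktop/i386/XFree86-4.2.99.3-5.i386.rpm b6bc1628addeef177d2749fc36f9047f
#  - SOT's public signing key is already in the RPM keyring; otherwise
#    rpm --checksig cannot validate the signature and check_sig fails.

# expected_md5 MANIFEST PATH: print the MD5 the advisory lists for PATH
expected_md5() {
    awk -v p="$2" '$1 == p { print $2; exit }' "$1"
}

# actual_md5 FILE: MD5 of the downloaded file (md5sum, or openssl as fallback)
actual_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        openssl dgst -md5 "$1" | awk '{ print $NF }'
    fi
}

# check_md5 MANIFEST PATH FILE: 0 if FILE matches the MD5 listed for PATH,
# 1 on mismatch, 2 if the advisory lists no MD5 for PATH at all.
check_md5() {
    exp=$(expected_md5 "$1" "$2")
    if [ -z "$exp" ]; then
        echo "no MD5 listed for $2" >&2
        return 2
    fi
    act=$(actual_md5 "$3")
    if [ "$exp" != "$act" ]; then
        echo "MD5 mismatch for $3: expected $exp, got $act" >&2
        return 1
    fi
    return 0
}

# check_sig FILE: 0 only if rpm reports the package signature as OK.
# The MD5 sum only proves the transfer was intact; the signature is what
# ties the package to SOT.
check_sig() {
    rpm --checksig "$1" >/dev/null 2>&1
}

# install_if_verified MANIFEST PATH FILE: refuse to install unless both
# the MD5 sum (integrity) and the signature (origin) check out.
install_if_verified() {
    check_md5 "$1" "$2" "$3" || return 1
    check_sig "$3" || { echo "signature check failed for $3" >&2; return 1; }
    rpm -Uvh "$3"
}

# Usage:
#   verify.sh MANIFEST /Desktop/i386/XFree86-4.2.99.3-5.i386.rpm \
#             ./XFree86-4.2.99.3-5.i386.rpm
if [ "$#" -eq 3 ]; then
    install_if_verified "$@"
fi
```

check_md5 distinguishes a mismatch (exit 1) from a package the advisory
does not list at all (exit 2), so a typo in the path is not mistaken for
a corrupted download. Because several sub-packages must be upgraded in one
rpm transaction, run the checks for each file first and only then invoke
rpm -Uvh with all of them.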
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0106
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0083
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0084
http://www.xfree86.org/security/
Copyright(c) 2001-2003 SOT