Linux Today: Linux News On Internet Time.






LBA-Linux Advisories: mozilla, cdrecord, imlib

Sep 16, 2004, 15:14

LBA-Linux Security Advisory

Subject: Updated mozilla package for LBA-Linux R1
Advisory ID: LBASA-2004:32
Date: Sunday, September 12, 2004
Product: LBA-Linux R1


Problem description:

During a source code audit, Chris Evans discovered a buffer overflow and integer overflows which affect the libpng code inside Mozilla. An attacker could create a carefully crafted PNG file in such a way that it would cause Mozilla to crash or execute arbitrary code when the image was viewed. (CAN-2004-0597, CAN-2004-0599)

Updated packages:

LBA-Linux R1:

i386:
ftp://ftp.sot.com/lba-linux_r1/apt/RPMS.updates/mozilla-1.6-1.lba.5.i386.rpm
ftp://ftp.sot.com/lba-linux_r1/apt/RPMS.updates/mozilla-devel-1.6-1.lba.5.i386.rpm
ftp://ftp.sot.com/lba-linux_r1/apt/RPMS.updates/mozilla-dom-inspector-1.6-1.lba.5.i386.rpm
ftp://ftp.sot.com/lba-linux_r1/apt/RPMS.updates/mozilla-js-debugger-1.6-1.lba.5.i386.rpm
ftp://ftp.sot.com/lba-linux_r1/apt/RPMS.updates/mozilla-mail-1.6-1.lba.5.i386.rpm
ftp://ftp.sot.com/lba-linux_r1/apt/RPMS.updates/mozilla-nspr-1.6-1.lba.5.i386.rpm
ftp://ftp.sot.com/lba-linux_r1/apt/RPMS.updates/mozilla-nspr-devel-1.6-1.lba.5.i386.rpm
ftp://ftp.sot.com/lba-linux_r1/apt/RPMS.updates/mozilla-nss-1.6-1.lba.5.i386.rpm
ftp://ftp.sot.com/lba-linux_r1/apt/RPMS.updates/mozilla-nss-devel-1.6-1.lba.5.i386.rpm

Upgrading your system:

To apply this security update to your LBA-Linux system, run the Updater tool from the LBA-Linux root desktop:

  1. Log in to your LBA-Linux desktop as the root user.
  2. Click on the penguin icon at the lower left of the display, and select the menu item SYSTEM TOOLS>UPDATER.
  3. Click on the item named mozilla to highlight it.
  4. Click on the PACKAGE menu in the menu bar, and select the UPGRADE action.
  5. Confirm the upgrade by clicking the APPLY button in Updater's main toolbar.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599

Copyright(c) 2001-2004 SOT


LBA-Linux Security Advisory

Subject: Updated cdrecord package for LBA-Linux R1
Advisory ID: LBASA-2004:33
Date: Tuesday, September 14, 2004
Product: LBA-Linux R1


Problem description:

Max Vozeler found that the cdrecord program, which is suid root, fails to drop euid=0 when it exec()s a program specified by the user through the $RSH environment variable. This can be abused by a local attacker to obtain root privileges.
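
The hardening pattern for this class of flaw, as an added example that is not taken from the advisory or from cdrecord's source: a set-uid program gives up its privileges permanently, and verifies that it did, before exec'ing a user-chosen helper. The function names and the /bin/true default are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Give up set-uid/set-gid privileges for good. Returns 0 on success, -1 on failure. */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: after the uid is dropped we may no longer be allowed to change the gid. */
    if (setgid(rgid) != 0) return -1;
    if (setuid(ruid) != 0) return -1;

    /* Verify: ids must match the invoking user, and root must be unreachable. */
    if (geteuid() != ruid || getegid() != rgid) return -1;
    if (ruid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Run argv[0] as the invoking user. Returns its exit status, or -1 on error. */
int run_helper(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Child: never exec a user-controlled path while euid is still 0. */
        if (drop_privileges_permanently() != 0) _exit(126);
        execv(argv[0], argv);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Helper path comes from $RSH as in the advisory; /bin/true is a constructed default. */
    const char *rsh = getenv("RSH");
    char *argv[] = { (char *)(rsh ? rsh : "/bin/true"), NULL };
    int rc = run_helper(argv);
    printf("helper exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The drop happens in the child only, so the parent keeps whatever privileges it still needs for its own work.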

Updated packages:

LBA-Linux R1:

i386:
ftp://ftp.sot.com/lba-linux_r1/apt/RPMS.updates/cdda2wav-2.01-0.lba.1.i386.rpm
ftp://ftp.sot.com/lba-linux_r1/apt/RPMS.updates/cdrecord-2.01-0.lba.1.i386.rpm
ftp://ftp.sot.com/lba-linux_r1/apt/RPMS.updates/cdrecord-devel-2.01-0.lba.1.i386.rpm
ftp://ftp.sot.com/lba-linux_r1/apt/RPMS.updates/mkisofs-2.01-0.lba.1.i386.rpm

Upgrading your system:

To apply this security update to your LBA-Linux system, run the Updater tool from the LBA-Linux root desktop:

  1. Log in to your LBA-Linux desktop as the root user.
  2. Click on the penguin icon at the lower left of the display, and select the menu item SYSTEM TOOLS>UPDATER.
  3. Click on the item named cdrecord to highlight it.
  4. Click on the PACKAGE menu in the menu bar, and select the UPGRADE action.
  5. Confirm the upgrade by clicking the APPLY button in Updater's main toolbar.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0806

Copyright(c) 2001-2004 SOT


LBA-Linux Security Advisory

Subject: Updated imlib package for LBA-Linux R1
Advisory ID: LBASA-2004:35
Date: Wednesday, September 15, 2004
Product: LBA-Linux R1


Problem description:

Several heap overflow vulnerabilities have been found in the imlib BMP image handler. An attacker could create a carefully crafted BMP file in such a way that it would cause an application linked with imlib to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2004-0817 to this issue.

Updated packages:

LBA-Linux R1:

i386:
ftp://ftp.sot.com/lba-linux_r1/apt/RPMS.updates/imlib-1.9.13-15.lba.2.i386.rpm
ftp://ftp.sot.com/lba-linux_r1/apt/RPMS.updates/imlib-cfgeditor-1.9.13-15.lba.2.i386.rpm
ftp://ftp.sot.com/lba-linux_r1/apt/RPMS.updates/imlib-devel-1.9.13-15.lba.2.i386.rpm

Upgrading your system:

To apply this security update to your LBA-Linux system, run the Updater tool from the LBA-Linux root desktop:

  1. Log in to your LBA-Linux desktop as the root user.
  2. Click on the penguin icon at the lower left of the display, and select the menu item SYSTEM TOOLS>UPDATER.
  3. Click on the item named imlib to highlight it.
  4. Click on the PACKAGE menu in the menu bar, and select the UPGRADE action.
  5. Confirm the upgrade by clicking the APPLY button in Updater's main toolbar.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0817

Copyright(c) 2001-2004 SOT