
Trustix Secure Linux Advisory: libxml2, postgresql


Trustix Secure Linux Security Advisory #2004-0055

Package name: libxml2, postgresql
Summary: multiple security issues
Date: 2004-10-29
Affected versions: Trustix Secure Linux 2.0, Trustix Secure Linux 2.1,
Trustix Operating System – Enterprise Server 2


Package description:
libxml2:
This library allows applications to manipulate XML files. It includes
support for reading, modifying and writing XML and HTML files.

postgresql:
PostgreSQL is an advanced Object-Relational database management
system (DBMS) that supports almost all SQL constructs (including
transactions, subselects and user-defined types and functions).

Problem description:
libxml2:
Sean <infamous41md at hotpop.com> reported the following
issues to Bugtraq:

1) There is a buffer overflow when parsing a URL with ftp
information in it. A loop incorrectly copies data from a user
supplied buffer into a finite stack buffer with no regard for the
length being copied.

2) There is a buffer overflow when parsing a proxy URL with ftp
information in it. A loop incorrectly copies data from a user
supplied buffer into a finite stack buffer with no regard for the
length being copied.

3) There are multiple buffer overflows in the code that resolves
names via DNS. An attacker running a malicious DNS server, or an
attacker on a LAN spoofing DNS replies could leverage these to
execute code on the victim’s computer.
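
Issues 1 and 2 describe the same defect: a copy loop that stops only at a
delimiter and never at the end of the destination buffer. The following is an
added example, not libxml2 code and not part of the original advisory, showing
that pattern beside a bounds-checked version. The function names, the 64-byte
USER_MAX and the ftp://user:pass@host/ layout are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>

#define USER_MAX 64  /* assumed buffer size, for illustration only */

/* Unsafe pattern the advisory describes: the loop ends only at a
 * delimiter, so a long user field runs past out[USER_MAX]. */
void copy_user_unsafe(const char *cur, char out[USER_MAX])
{
    size_t i = 0;
    while (*cur != ':' && *cur != '@' && *cur != '\0')
        out[i++] = *cur++;              /* i is never checked */
    out[i] = '\0';
}

/* Hardened form: copy the user name from "ftp://user[:pass]@host/..."
 * into out[outlen]. Returns 0 on success, -1 if the URL is not ftp or
 * the field does not fit (rejected, never silently truncated). */
int parse_ftp_user(const char *url, char *out, size_t outlen)
{
    static const char scheme[] = "ftp://";
    const char *cur, *at, *slash;
    size_t i = 0;

    if (url == NULL || out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (strncmp(url, scheme, sizeof(scheme) - 1) != 0)
        return -1;
    cur = url + sizeof(scheme) - 1;

    /* userinfo exists only if '@' occurs before the first '/' */
    at = strchr(cur, '@');
    slash = strchr(cur, '/');
    if (at == NULL || (slash != NULL && slash < at))
        return 0;                       /* no user name: empty string */

    while (cur < at && *cur != ':') {
        if (i + 1 >= outlen) {          /* keep room for the terminator */
            out[0] = '\0';
            return -1;
        }
        out[i++] = *cur++;
    }
    out[i] = '\0';
    return 0;
}
```

The same rule applies to the DNS case in issue 3: any length taken from a
reply must be checked against the destination size before the copy.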

postgresql:
According to the release notice, this update fixes the following
possible data loss bug:

Repair possible failure to update hint bits on disk.
Under rare circumstances this oversight could lead to “could not
access transaction status” failures, which qualifies it as a
potential-data-loss bug.

Action:
We recommend that all systems with this package installed be
upgraded. Please note that if you do not need the functionality
provided by this package, you may want to remove it from your
system.

Location:
All Trustix Secure Linux updates are available from
<URI:http://http.trustix.org/pub/trustix/updates/>
<URI:ftp://ftp.trustix.org/pub/trustix/updates/>

About Trustix Secure Linux:
Trustix Secure Linux is a small Linux distribution for servers.
With focus on security and stability, the system is painlessly kept
safe and up to date from day one using swup, the automated software
updater.

Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.

Questions?
Check out our mailing lists:
<URI:http://www.trustix.org/support/>

Verification:
This advisory, along with all Trustix packages, is signed with the
TSL sign key.
This key is available from:
<URI:http://www.trustix.org/TSL-SIGN-KEY>

The advisory itself is available from the errata pages at
<URI:http://www.trustix.org/errata/trustix-2.0/>
and
<URI:http://www.trustix.org/errata/trustix-2.1/>

or directly at
<URI:http://www.trustix.org/errata/2004/0055/>

MD5sums of the packages:




Trustix Security Team
