Date: Fri, 16 Jun 2006 14:35:20 +0200
From: Trustix Security Advisor <tsl@trustix.org.>
To: [email protected]Subject: TSLSA-2006-0036 - multi
Message-ID: <20060616123520.GA15851@tsunami.trustix.net.>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.2.1i
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2006-0036
Package names: fcron, libtiff
Summary: Multiple vulnerabilities
Date: 2006-06-16
Affected versions: Trustix Secure Linux 2.2
Trustix Secure Linux 3.0
Trustix Operating System - Enterprise Server 2
- --------------------------------------------------------------------------
Package description:
fcron
Fcron is a scheduler. It aims at replacing Vixie Cron, so it implements
most of its functionalities. But contrary to Vixie Cron, fcron does not
need your system to be up 7 days a week, 24 hours a day : it also works
well with systems which are not running neither all the time nor
regularly (contrary to anacrontab).
libtiff
The libtiff package contains a library of functions for manipulating
TIFF (Tagged Image File Format) image format files. TIFF is a widely
used file format for bitmapped images. TIFF files usually end in the
.tif extension and they are often quite large.
Problem description:
fcron < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
- Patched to fix buffer overflow due to a bug in make_msg(), Bug #1754.
libtiff < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
- SECURITY Fix: gpe92 has discovered a vulnerability in LibTIFF caused
due to a boundary error within tiff2pdf when handling a TIFF file with
a "DocumentName" tag that contains UTF-8 characters. This can be
exploited to cause a stack-based buffer overflow and may allow
arbitrary code execution.
- Stack-based buffer overflow in the tiffsplit command in libtiff might
allow attackers to execute arbitrary code via a long filename.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2006-2193 and CVE-2006-2656 these issues.
Action:
We recommend that all systems with this package installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.
Location:
All Trustix Secure Linux updates are available from
<URI:http://http.trustix.org/pub/trustix/updates/>
<URI:ftp://ftp.trustix.org/pub/trustix/updates/>
About Trustix Secure Linux:
Trustix Secure Linux is a small Linux distribution for servers. With focus
on security and stability, the system is painlessly kept safe and up to
date from day one using swup, the automated software updater.
Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.
Questions?
Check out our mailing lists:
<URI:http://www.trustix.org/support/>
Verification:
This advisory along with all Trustix packages are signed with the
TSL sign key.
This key is available from:
<URI:http://www.trustix.org/TSL-SIGN-KEY>
The advisory itself is available from the errata pages at
<URI:http://www.trustix.org/errata/trustix-2.2/> and
<URI:http://www.trustix.org/errata/trustix-3.0/>
or directly at
<URI:http://www.trustix.org/errata/2006/0036/>
MD5sums of the packages:
- --------------------------------------------------------------------------
ef9c418538fe7078fd0aef828242e94c 3.0/rpms/fcron-2.9.6-13tr.i586.rpm
8a4ecedfff22da6b1c4760a34aa519dc 3.0/rpms/libtiff-3.7.3-3tr.i586.rpm
9d1e3065f727303f684c075d1d58b582 3.0/rpms/libtiff-devel-3.7.3-3tr.i586.rpm
b1531880559bd9b9416df88f24f51b00 3.0/rpms/libtiff-docs-3.7.3-3tr.i586.rpm
b5432c9e8a0e7dc0f14d5d0ba56fae88 2.2/rpms/fcron-2.9.5.1-5tr.i586.rpm
7203c833a5d80a08ccfd240530c91e17 2.2/rpms/libtiff-3.7.3-3tr.i586.rpm
257f3daa5eb28d0567f741e7570dca6a 2.2/rpms/libtiff-devel-3.7.3-3tr.i586.rpm
- --------------------------------------------------------------------------
Trustix Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFEkqLEi8CEzsK9IksRAk7FAJwJuKPsOcTHMBFr8QsvZlYEm01vAQCdGD1W
/XnBafSycZESp61S8DZz1+k=
=RYEA
-----END PGP SIGNATURE-----