Date: Fri, 10 Aug 2007 14:31:58 +0100
From: Trustix Security Advisor <tsl@trustix.org>
To: [email protected]
Subject: TSLSA-2007-0024 - multi
Message-ID: <20070810133158.GA11869@tsunami.trustix.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.2.1i
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2007-0024
Package names: file, gd, mutt
Summary: Multiple vulnerabilities
Date: 2007-08-10
Affected versions: Trustix Secure Linux 2.2
Trustix Secure Linux 3.0
Trustix Secure Linux 3.0.5
Trustix Operating System - Enterprise Server 2
- --------------------------------------------------------------------------
Package description:
file
The file command is used to identify a particular file according to the
type of data contained by the file. File can identify many different
file types, including ELF binaries, system libraries, RPM packages, and
different graphics formats.
gd
gd is a graphics library. It allows your code to quickly draw images
complete with lines, arcs, text, multiple colors, cut and paste from
other images, and flood fills, and write out the result as a PNG or
JPEG file. This is particularly useful in World Wide Web applications,
where PNG and JPEG are two of the formats accepted for inline images
by most browsers.
mutt
Mutt is a text mode mail user agent. Mutt supports color, threading,
arbitrary key remapping, and a lot of customization.
Problem description:
file < TSL 3.0.5 > < TSL 3.0 > < TSL 2.2 > < TSEL 2>
- SECURITY Fix: Fixes an integer overflow in the "file" program that
might allow user-assisted attackers to execute arbitrary code via
a large file that triggers an overflow and thereby bypasses an assert()
statement. This issue is due to an incorrect patch for CVE-2007-1536.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2007-2799 to this issue.
gd < TSL 3.0.5 > < TSL 3.0 > < TSL 2.2 >
- SECURITY Fix: Several vulnerabilities have been reported in the GD
Graphics Library; some have unknown impact and others can
potentially be exploited to cause a DoS (SA25855).
Includes fixes for CVE-2007-3472 to CVE-2007-3478.
mutt < TSL 3.0.5 > < TSL 3.0 > < TSL 2.2 >
- New Upstream.
- SECURITY Fix: A vulnerability has been reported in mutt, caused
by a boundary error in the "mutt_gecos_name()" function when
processing "&" characters in the GECOS field. This can be exploited
to cause a buffer overflow during alias expansion.
- A weakness has been identified which is caused by an error in the
APOP protocol that fails to properly prevent MD5 collisions. This
could be exploited via man-in-the-middle attacks and specially
crafted message-IDs to potentially disclose the first three
characters of passwords.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2007-2683 and CVE-2007-1558 to these issues.
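The mutt_gecos_name() item above describes the classic GECOS "&" hazard: in
the passwd GECOS field, "&" stands for the login name with its first letter
capitalised, so the expanded full name can be far longer than the field
itself. The following is an added illustration (not mutt's code) of a
bounded expansion routine; the function name gecos_expand and the sample
field values are constructed for this example.

```c
/* Bounded expansion of the "&" convention in a passwd GECOS field.
 * Constructed illustration of the bug class named in the mutt item above;
 * this is not mutt's code. The defect pattern is to expand "&" into a
 * fixed-size buffer while sizing only by the source field, so a short
 * field full of "&" overruns the destination. The fix is to check the
 * destination before every single write and stop cleanly when it is full. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Expand "&" in the full-name part of `gecos` into `out` (capacity `outsz`).
 * Returns 0 on success, -1 if the result would not fit; on -1 the output
 * is truncated but always NUL-terminated, so callers never see garbage. */
int gecos_expand(const char *gecos, const char *login, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0)
        return -1;

    /* GECOS is comma separated; only the first field is the full name. */
    size_t flen = strcspn(gecos, ",");

    for (size_t i = 0; i < flen; i++) {
        if (gecos[i] == '&') {
            /* One source byte may become strlen(login) output bytes:
             * the bound must be re-checked for each of them. */
            for (size_t j = 0; login[j] != '\0'; j++) {
                if (o + 1 >= outsz) { out[o] = '\0'; return -1; }
                unsigned char c = (unsigned char)login[j];
                out[o++] = (char)(j == 0 ? toupper(c) : c);
            }
        } else {
            if (o + 1 >= outsz) { out[o] = '\0'; return -1; }
            out[o++] = gecos[i];
        }
    }
    out[o] = '\0';
    return 0;
}
```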
Action:
We recommend that all systems with this package installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.
Location:
All Trustix Secure Linux updates are available from
<URI:http://http.trustix.org/pub/trustix/updates/>
<URI:ftp://ftp.trustix.org/pub/trustix/updates/>
About Trustix Secure Linux:
Trustix Secure Linux is a small Linux distribution for servers. With focus
on security and stability, the system is painlessly kept safe and up to
date from day one using swup, the automated software updater.
Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.
Questions?
Check out our mailing lists:
<URI:http://www.trustix.org/support/>
Verification:
This advisory, along with all Trustix packages, is signed with the
TSL sign key.
This key is available from:
<URI:http://www.trustix.org/TSL-SIGN-KEY>
The advisory itself is available from the errata pages at
<URI:http://www.trustix.org/errata/trustix-2.2/>
<URI:http://www.trustix.org/errata/trustix-3.0/> and
<URI:http://www.trustix.org/errata/trustix-3.0.5/>
or directly at
<URI:http://www.trustix.org/errata/2007/0024/>
MD5sums of the packages:
- --------------------------------------------------------------------------
- --------------------------------------------------------------------------
Trustix Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
iD8DBQFGvGTwi8CEzsK9IksRAqQ1AJ997E0xBB93gufcfUne0mrA0zuAEQCgp5fG
TESUeMdLGQr2WnjwEGS0ffc=
=FZ0J
-----END PGP SIGNATURE-----