
TSLSA-2007-0024 - multi




--------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2007-0024

Package names:     file, gd, mutt
Summary:           Multiple vulnerabilities
Date:              2007-08-10
Affected versions: Trustix Secure Linux 2.2
                   Trustix Secure Linux 3.0
                   Trustix Secure Linux 3.0.5
                   Trustix Operating System - Enterprise Server 2

--------------------------------------------------------------------------
Package description:
  file
  The file command is used to identify a particular file according to the
  type of data contained by the file.  File can identify many different
  file types, including ELF binaries, system libraries, RPM packages, and
  different graphics formats.

  gd
  gd is a graphics library. It allows your code to quickly draw images
  complete with lines, arcs, text, multiple colors, cut and paste from
  other images, and flood fills, and write out the result as a PNG or
  JPEG file. This is particularly useful in World Wide Web applications,
  where PNG and JPEG are two of the formats accepted for inline images
  by most browsers.

  mutt
  Mutt is a text mode mail user agent. Mutt supports color, threading,
  arbitrary key remapping, and a lot of customization.

Problem description:
  file < TSL 3.0.5 > < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - SECURITY Fix: Fixes an integer overflow in the "file" program that
    might allow user-assisted attackers to execute arbitrary code via
    a large file that triggers an overflow that bypasses an assert()
    statement. This issue is due to an incorrect patch for CVE-2007-1536.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2007-2799 to this issue.

  gd < TSL 3.0.5 > < TSL 3.0 > < TSL 2.2 >
  - SECURITY Fix: Some vulnerabilities have been reported in the GD
    Graphics Library, where some have unknown impact and others can
    potentially be exploited to cause a DoS (SA25855).
    Includes fixes for CVE-2007-3472 to CVE-2007-3478.
 
  mutt < TSL 3.0.5 > < TSL 3.0 > < TSL 2.2 >
  - New Upstream.
  - SECURITY Fix: A vulnerability has been reported in mutt, caused
    by a boundary error in the "mutt_gecos_name()" function when
    processing "&" characters in the GECOS field. This can be exploited
    to cause a buffer overflow during alias expansion.
  - A weakness has been identified which is caused by an error in the
    APOP protocol that fails to properly prevent MD5 collisions. This
    could be exploited via man-in-the-middle attacks and specially
    crafted message-IDs to potentially disclose the first three
    characters of passwords.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the names CVE-2007-2683 and CVE-2007-1558 to these issues.
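    As an added illustration of the bug class behind the mutt_gecos_name()
    issue (this is example code written for this advisory, not mutt's own
    source): in the GECOS full-name field a "&" conventionally expands to
    the login name with its first letter capitalized, so the expanded name
    can be much longer than the GECOS string, and a copy into a fixed-size
    buffer must check the remaining space before each expansion. The
    function names, the 16-byte buffer and the sample GECOS/login values
    are constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Bytes the fully expanded name needs (without NUL). Each '&' in the GECOS
 * full-name field becomes the entire login name, so the output can grow
 * well beyond the length of the GECOS string itself; that growth is what
 * an unchecked copy into a fixed-size buffer fails to account for. */
size_t gecos_expanded_len(const char *gecos, const char *login)
{
    size_t n = 0, loginlen = strlen(login);
    for (const char *p = gecos; *p && *p != ','; p++)
        n += (*p == '&') ? loginlen : 1;
    return n;
}

/* Bounded expansion of the full-name part of GECOS (up to the first comma)
 * into dest: each '&' is replaced by the login name with its first letter
 * capitalized (the traditional BSD convention). Writes at most destlen
 * bytes, always NUL-terminates when destlen > 0, and returns 1 on success
 * or 0 if the output had to be truncated. */
int expand_gecos(char *dest, size_t destlen, const char *gecos, const char *login)
{
    size_t out = 0, loginlen = strlen(login);
    if (destlen == 0)
        return 0;
    for (const char *p = gecos; *p && *p != ','; p++) {
        if (*p == '&') {
            /* Room for the whole login name plus the NUL is checked
             * before the copy, never after it. */
            if (loginlen >= destlen - out) {
                dest[out] = '\0';
                return 0;
            }
            memcpy(dest + out, login, loginlen);
            if (loginlen > 0)
                dest[out] = (char)toupper((unsigned char)dest[out]);
            out += loginlen;
        } else {
            if (out + 1 >= destlen) {
                dest[out] = '\0';
                return 0;
            }
            dest[out++] = *p;
        }
    }
    dest[out] = '\0';
    return 1;
}
```

With a 16-byte buffer, the constructed GECOS "&&&&" and login "averylonglogin" would need 56 bytes; the bounded version stops after the first expansion and reports truncation instead of writing past the buffer.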

Action:
  We recommend that all systems with these packages installed be upgraded.
  Please note that if you do not need the functionality provided by a
  package, you may want to remove it from your system.


Location:
  All Trustix Secure Linux updates are available from
  <URI:http://http.trustix.org/pub/trustix/updates/>
  <URI:ftp://ftp.trustix.org/pub/trustix/updates/>


About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With a
  focus on security and stability, the system is painlessly kept safe and
  up to date from day one using swup, the automated software updater.


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.


Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.org/support/>


Verification:
  This advisory, along with all Trustix packages, is signed with the
  TSL sign key.
  This key is available from:
  <URI:http://www.trustix.org/TSL-SIGN-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.org/errata/trustix-2.2/>
  <URI:http://www.trustix.org/errata/trustix-3.0/> and
  <URI:http://www.trustix.org/errata/trustix-3.0.5/>
  or directly at
  <URI:http://www.trustix.org/errata/2007/0024/>


MD5sums of the packages:


Trustix Security Team

