Message-ID: <200402172023.20673.security-announce@turbolinux.co.jp>
From: security-announce at turbolinux.co.jp (Turbolinux)
Subject: [TURBOLINUX SECURITY INFO] 17/Feb/2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This is an announcement only email list for the x86 architecture.
============================================================
Turbolinux Security Announcement 17/Feb/2004
============================================================
The following page contains the security information of Turbolinux Inc.
- - Turbolinux Security Center
http://www.turbolinux.com/security/
(1) XFree86 -> Font file buffer overflows
(2) slocate -> Buffer overflows
===========================================================
* XFree86 -> Font file buffer overflows
===========================================================
More information :
XFree86 is an implementation of the X Window System, providing the core
graphical user interface and video drivers.
Two buffer overflow vulnerabilities were found in XFree86's parsing of the font.alias file.
Additional vulnerabilities were found, also in the reading of font files.
Impact :
A local attacker could exploit these vulnerabilities by creating a carefully crafted file
to gain root privileges.
Affected Products :
- Turbolinux 10 Desktop
- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
- Turbolinux 7 Workstation
Solution :
Please use the turbopkg (zabom) tool to apply the update.
---------------------------------------------
# turbopkg
or
[Turbolinux 10 Desktop]
# zabom -u XFree86-100dpi-fonts XFree86 XFree86-75dpi-fonts XFree86-Xvfb XFree86-contrib \
XFree86-cyrillic-fonts XFree86-devel XFree86-fonts XFree86-libs XFree86-twm \
XFree86-xcursor XFree86-xcursor-devel XFree86-xf86config XFree86-xfs \
XFree86-xft XFree86-xft-devel
[other]
# zabom update XFree86-100dpi-fonts XFree86 XFree86-75dpi-fonts XFree86-contrib \
XFree86-cyrillic-fonts XFree86-devel XFree86-libs XFree86-xfs
---------------------------------------------
<Turbolinux 10 Desktop>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/XFree86-4.3.0-49.src.rpm
49987853 f10b5ecc163cefd8eb447761d517d1e8
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/XFree86-100dpi-fonts-4.3.0-49.i586.rpm
12434164 38e861e226a498d1b65312bfd84cb380
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/XFree86-4.3.0-49.i586.rpm
15518381 ea1e0e2164b26e105d6341a9e3d6cdfb
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/XFree86-75dpi-fonts-4.3.0-49.i586.rpm
10765388 ced245b87fee236e92aa594a354b3fa8
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/XFree86-Xvfb-4.3.0-49.i586.rpm
1710994 03a70f08b674a0cfb7463453e88e4b1b
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/XFree86-contrib-4.3.0-49.i586.rpm
465675 257511eb6b403240b301d018e733d853
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/XFree86-cyrillic-fonts-4.3.0-49.i586.rpm
408861 d3587c8dcc5fa7c5be5e196f76f33d65
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/XFree86-devel-4.3.0-49.i586.rpm
4354455 b2aad37da34b03910ea233ad32ec999a
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/XFree86-fonts-4.3.0-49.i586.rpm
8766539 73b90228be7eb1b4224a2f1f250d75d5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/XFree86-libs-4.3.0-49.i586.rpm
2815832 db7433064328a92fadb7ee6cc1a043cd
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/XFree86-twm-4.3.0-49.i586.rpm
114819 e97a779eedaf5fc371e863a68d407474
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/XFree86-xcursor-4.3.0-49.i586.rpm
50159 d8ccfa38c8e611c5fc75e77e25c85027
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/XFree86-xcursor-devel-4.3.0-49.i586.rpm
44740 24a0fe661a0b9acd44dff151882b723d
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/XFree86-xf86config-4.3.0-49.i586.rpm
311890 881e381c5937c2a6cd4dc6c65d2a80dc
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/XFree86-xfs-4.3.0-49.i586.rpm
80682 84ef32bb5d904009272bc1334c29ef24
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/XFree86-xft-4.3.0-49.i586.rpm
82711 a6906b064fa0f47f51a5c4bffa96ba20
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/XFree86-xft-devel-4.3.0-49.i586.rpm
62585 4e575393885b4e2f0540a6bc9334862c
<Turbolinux 8 Server>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/XFree86-4.2.0-28.src.rpm
59352192 d84b0c26765a63bdb860f3a082a1cef2
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/XFree86-100dpi-fonts-4.2.0-28.i586.rpm
12401451 e04ba088ed3f62417806ddb7c128227f
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/XFree86-4.2.0-28.i586.rpm
22743318 b6c3a70b3348f5e52eaf056a2b3a3370
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/XFree86-75dpi-fonts-4.2.0-28.i586.rpm
10731481 4db9a6e6b8247b1caa51119c57bc4c3e
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/XFree86-contrib-4.2.0-28.i586.rpm
307639 ffd4d64e1232aec5b0cbe0c34631b014
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/XFree86-cyrillic-fonts-4.2.0-28.i586.rpm
397269 5590e16defd270ddc27c3d848c553fb5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/XFree86-devel-4.2.0-28.i586.rpm
4613139 408e1cbb0cd0adddfa1f8a970d82c815
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/XFree86-libs-4.2.0-28.i586.rpm
2128154 13a3d6b92397aa2634bbd9230f08371d
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/XFree86-xfs-4.2.0-28.i586.rpm
71416 112431996304e2add60e5fe37df1f145
<Turbolinux 8 Workstation>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/XFree86-4.2.0-28.src.rpm
59352192 2dcd6cbf38ed6e34f982f405a8a646b9
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/XFree86-100dpi-fonts-4.2.0-28.i586.rpm
12400559 fe4a13a1fe9010b9f882c0177ce8f0f9
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/XFree86-4.2.0-28.i586.rpm
22743334 b96ed06b4bbb64ed9cffdb98c4baffbc
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/XFree86-75dpi-fonts-4.2.0-28.i586.rpm
10731317 248e0db5499be61115595964618d4096
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/XFree86-contrib-4.2.0-28.i586.rpm
307551 9af30e882cfc0b7cf1a1eccbb3c198c7
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/XFree86-cyrillic-fonts-4.2.0-28.i586.rpm
397207 a3f679ccaefc325166cbadd3f21d5420
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/XFree86-devel-4.2.0-28.i586.rpm
4613821 f9058a850074a8a6de1df1347db10b27
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/XFree86-libs-4.2.0-28.i586.rpm
2128279 2ce0dc29cb7fab004d58fa6b07a4aa06
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/XFree86-xfs-4.2.0-28.i586.rpm
71463 09b54fefc54a76c648d2cd1aff751750
<Turbolinux 7 Server>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/XFree86-4.1.0-39.src.rpm
56804083 f1940f27567de6bfdb04685b3d4971b6
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/XFree86-100dpi-fonts-4.1.0-39.i586.rpm
12396518 8443bbcc0ffe250deba3b9e93c2f373e
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/XFree86-4.1.0-39.i586.rpm
20305692 8669afb7107435e14611fe8ab03e0c94
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/XFree86-75dpi-fonts-4.1.0-39.i586.rpm
10726487 59f06e7876f67b8cd5f11914cdb5d198
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/XFree86-contrib-4.1.0-39.i586.rpm
241138 b871606d6521410270812cea3fcac576
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/XFree86-cyrillic-fonts-4.1.0-39.i586.rpm
392897 65c5d02bcebff7ca1f6b367cce894f24
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/XFree86-devel-4.1.0-39.i586.rpm
4081203 0dba3cce0063096f6c6c38d1c81f7563
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/XFree86-libs-4.1.0-39.i586.rpm
2151000 93d2e1554e3dc3db8abcb14777226c35
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/XFree86-xfs-4.1.0-39.i586.rpm
65115 72a30b483b363d46bfec4cfb158c50d1
<Turbolinux 7 Workstation>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/XFree86-4.1.0-39.src.rpm
56804083 9d918f347a337336a4178025f79fe591
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/XFree86-100dpi-fonts-4.1.0-39.i586.rpm
12396025 d126e379dce0e49da81e6cf01c6a4619
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/XFree86-4.1.0-39.i586.rpm
20305803 e97bdb9cbe2cb0f3c1fa81360b3d175e
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/XFree86-75dpi-fonts-4.1.0-39.i586.rpm
10726176 f3f4dde9fe9170f4df7d5714e6ae4a87
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/XFree86-contrib-4.1.0-39.i586.rpm
241081 ba59a2bb0fe53a219de7ce46790392c0
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/XFree86-cyrillic-fonts-4.1.0-39.i586.rpm
392893 26352be1de62984b3453ee56a6a04495
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/XFree86-devel-4.1.0-39.i586.rpm
4079894 2546655d620639865bd0b3fed5ab2f74
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/XFree86-libs-4.1.0-39.i586.rpm
2149797 e84a259da54c95fcfac4525a185b8a9c
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/XFree86-xfs-4.1.0-39.i586.rpm
65093 dec2188eefb51a216659b7c778055ed4
References :
XFree86 Security Issues
http://www.xfree86.org/security/index.html
CVE
[CAN-2004-0083]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0083
[CAN-2004-0084]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0084
[CAN-2004-0106]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0106
===========================================================
* slocate -> Buffer overflows
===========================================================
More information :
Secure locate provides a secure way to index and quickly search for files on your system.
It uses incremental encoding just like GNU locate to compress its database
to make searching faster, but it will also check file permissions and ownership so that
users will not see files they do not have access to.
Two buffer overflow vulnerabilities were found in slocate.
Impact :
A local user could exploit this vulnerability to gain "slocate" group privileges.
Affected Products :
- Turbolinux 10 Desktop
- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
- Turbolinux 7 Workstation
- Turbolinux Server 6.5
- Turbolinux Advanced Server 6
- Turbolinux Server 6.1
- Turbolinux Workstation 6.0
Solution :
Please use the turbopkg (zabom) tool to apply the update.
---------------------------------------------
# turbopkg
or
[Turbolinux 10 Desktop]
# zabom -u slocate
[other]
# zabom update slocate
---------------------------------------------
<Turbolinux 10 Desktop>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/slocate-2.7-5.src.rpm
97678 e126532cd95f430b75ef9b04da08e1c5
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/slocate-2.7-5.i586.rpm
30381 dc2fe594e00285a09b8de6d9247deaf3
<Turbolinux 8 Server>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/slocate-2.7-5.src.rpm
97678 fd997c9ab22802b57eca2ce171748d80
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/slocate-2.7-5.i586.rpm
29028 f67d0d6113713d0c4fcbcf98107babee
<Turbolinux 8 Workstation>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/slocate-2.7-5.src.rpm
97678 5ad273932f01f0de097b0b9caf62f5cc
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/slocate-2.7-5.i586.rpm
29055 47b5443d9d5a9059bb424706e4b3c46a
<Turbolinux 7 Server>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/slocate-2.7-5.src.rpm
97678 87470ca4e766aba933e9638acb4ba742
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/slocate-2.7-5.i586.rpm
28904 d5bf696e27b7b68f96c67b4ee4135344
<Turbolinux 7 Workstation>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/slocate-2.7-5.src.rpm
97678 28c4443bb23fb9d1e2930bec6c55058e
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/slocate-2.7-5.i586.rpm
28942 6ceff35e5d808ac242c0f5b907f6b001
<Turbolinux Server 6.5>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/SRPMS/slocate-2.7-5.src.rpm
97678 9073b8497b81eb1396e9fad38ef5add1
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/RPMS/slocate-2.7-5.i386.rpm
29210 56c43ac5fbf67f5c17548cb6be90bf5b
<Turbolinux Advanced Server 6>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/SRPMS/slocate-2.7-5.src.rpm
97678 02de83e6a9e6c770aaf4c68f90c8be9a
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/RPMS/slocate-2.7-5.i386.rpm
29191 0f4a52b45709c1e4cfbb9e062d44b350
<Turbolinux Server 6.1>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/SRPMS/slocate-2.7-5.src.rpm
97678 1dc6e08db5f99b279ae38f4832946815
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/RPMS/slocate-2.7-5.i386.rpm
29215 47b69730a5f477632575f96003155668
<Turbolinux Workstation 6.0>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/SRPMS/slocate-2.7-5.src.rpm
97678 399d968b83e3e0d43c9da9f722ad6584
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/RPMS/slocate-2.7-5.i386.rpm
29189 79065665a65fd348f6c6341e8f3fa705
References :
CVE
[CAN-2003-0056]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0056
[CAN-2003-0848]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0848
* You may need to update the turbopkg tool before applying the update.
Please refer to the following URL for detailed information.
http://www.turbolinux.com/download/zabom.html
http://www.turbolinux.com/download/zabomupdate.html
Package Update Path
http://www.turbolinux.com/update
============================================================
* To obtain the public key
Here is the public key
http://www.turbolinux.com/security/
* To unsubscribe from the list
If you ever want to remove yourself from this mailing list,
you can send a message to <server-users-e-ctl@...bolinux.co.jp> with
the word `unsubscribe' in the body (don't include the quotes).
unsubscribe
* To change your email address
If you ever want to change your email address in this mailing list,
you can send a message to <server-users-e-ctl@...bolinux.co.jp> with
the following command in the message body:
chaddr 'old address' 'new address'
If you have any questions or problems, please contact
<supp_info@...bolinux.co.jp>
Thank you!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQFAMfmeK0LzjOqIJMwRAqurAKC4zL7f78lduUhcumkB0CuwAZ5XsACeKlJ9
bUaFTYHxeCsaoQ+PaxL3yPk=
=vqal
-----END PGP SIGNATURE-----
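Added example, not part of the Turbolinux announcement: a Python check that parses the announcement's layout (a package URL line followed by a "Size : MD5" value line) and compares downloaded bytes against the listed entry. The function names, the `example.invalid` entry and its bytes are constructed for this example; the two slocate entries are copied from the announcement. MD5 here only detects a corrupted or mismatched download; trust in the listed values rests on the PGP signature over the announcement.

```python
import hashlib
import re

# Advisory layout: an ftp:// package URL line, then "<size> <md5>" on the next line.
ENTRY_RE = re.compile(
    r"^(ftp://\S+\.rpm)[ \t]*\n[ \t]*(\d+)[ \t]+([0-9a-f]{32})[ \t]*$",
    re.MULTILINE)

def parse_manifest(text):
    """Return {url: (size, md5)}.

    Keyed by full URL: the same file name (slocate-2.7-5.i586.rpm) is listed
    under several products with different sizes and MD5 values.
    """
    return {m.group(1): (int(m.group(2)), m.group(3)) for m in ENTRY_RE.finditer(text)}

def check_package(url, data, manifest):
    """Compare downloaded bytes with the advisory entry for this URL."""
    if url not in manifest:
        return "not-listed"
    size, md5 = manifest[url]
    if len(data) != size:          # cheap check first
        return "size-mismatch"
    if hashlib.md5(data).hexdigest() != md5:
        return "md5-mismatch"
    return "ok"

# Constructed stand-in package so the check runs offline; its size and MD5
# are computed here, not taken from the advisory.
CONSTRUCTED_BYTES = b"constructed stand-in for an RPM payload\n"
CONSTRUCTED_URL = "ftp://example.invalid/updates/RPMS/demo-1.0-1.i586.rpm"
BASE = "ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/"
DESKTOP10_URL = BASE + "Desktop/10/updates/RPMS/slocate-2.7-5.i586.rpm"
SERVER8_URL = BASE + "Server/8/updates/RPMS/slocate-2.7-5.i586.rpm"
SAMPLE = "\n".join([
    "Binary Packages",
    "Size : MD5",
    DESKTOP10_URL,
    "30381 dc2fe594e00285a09b8de6d9247deaf3",   # from the advisory
    SERVER8_URL,
    "29028 f67d0d6113713d0c4fcbcf98107babee",   # from the advisory
    CONSTRUCTED_URL,
    f"{len(CONSTRUCTED_BYTES)} {hashlib.md5(CONSTRUCTED_BYTES).hexdigest()}",
])

if __name__ == "__main__":
    manifest = parse_manifest(SAMPLE)
    print(check_package(CONSTRUCTED_URL, CONSTRUCTED_BYTES, manifest))
```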