Full Disclosure mailing list archives
[TURBOLINUX SECURITY INFO] 17/Feb/2004
From: Turbolinux <security-announce () turbolinux co jp>
Date: Tue, 17 Feb 2004 20:23:07 +0900
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is an announcement-only email list for the x86 architecture.
============================================================
Turbolinux Security Announcement 17/Feb/2004
============================================================

The following page contains the security information of Turbolinux Inc.

- - Turbolinux Security Center
   http://www.turbolinux.com/security/

 (1) XFree86 -> Font file buffer overflows
 (2) slocate -> Buffer overflows

===========================================================
* XFree86 -> Font file buffer overflows
===========================================================

 More information :
    XFree86 is an implementation of the X Window System, providing the core
    graphical user interface and video drivers.
    Two buffer overflow vulnerabilities were found in XFree86's parsing of
    the font.alias file. Additional vulnerabilities were found, also in the
    reading of font files.

 Impact :
    A local attacker could exploit this vulnerability by creating a
    carefully-crafted file and gaining root privileges.

 Affected Products :
    - Turbolinux 10 Desktop
    - Turbolinux 8 Server
    - Turbolinux 8 Workstation
    - Turbolinux 7 Server
    - Turbolinux 7 Workstation

 Solution :
    Please use turbopkg(zabom) tool to apply the update.
 ---------------------------------------------
 # turbopkg
 or
 [Turbolinux 10 Desktop]
 # zabom -u XFree86-100dpi-fonts XFree86 XFree86-75dpi-fonts XFree86-Xvfb XFree86-contrib \
            XFree86-cyrillic-fonts XFree86-devel XFree86-fonts XFree86-libs XFree86-twm \
            XFree86-xcursor XFree86-xcursor-devel XFree86-xf86config XFree86-xfs \
            XFree86-xft XFree86-xft-devel
 [other]
 # zabom update XFree86-100dpi-fonts XFree86 XFree86-75dpi-fonts XFree86-contrib \
                XFree86-cyrillic-fonts XFree86-devel XFree86-libs XFree86-xfs
 ---------------------------------------------

 References :

 XFree86 Security Issues
   http://www.xfree86.org/security/index.html

 CVE
   [CAN-2004-0083]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0083
   [CAN-2004-0084]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0084
   [CAN-2004-0106]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0106

===========================================================
* slocate -> Buffer overflows
===========================================================

 More information :
    Secure locate provides a secure way to index and quickly search for
    files on your system.
    It uses incremental encoding just like GNU locate to compress its
    database to make searching faster, but it will also check file
    permissions and ownership so that users will not see files they do not
    have access to.
    Two buffer overflow vulnerabilities were found in slocate.

 Impact :
    A local user could exploit this vulnerability to gain "slocate" group
    privileges.

 Affected Products :
    - Turbolinux 10 Desktop
    - Turbolinux 8 Server
    - Turbolinux 8 Workstation
    - Turbolinux 7 Server
    - Turbolinux 7 Workstation
    - Turbolinux Server 6.5
    - Turbolinux Advanced Server 6
    - Turbolinux Server 6.1
    - Turbolinux Workstation 6.0

 Solution :
    Please use turbopkg(zabom) tool to apply the update.
 ---------------------------------------------
 # turbopkg
 or
 [Turbolinux 10 Desktop]
 # zabom -u slocate
 [other]
 # zabom update slocate
 ---------------------------------------------

 References :

 CVE
   [CAN-2003-0056]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0056
   [CAN-2003-0848]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0848

 * You may need to update the turbopkg tool before applying the update.
 Please refer to the following URL for detailed information.

  http://www.turbolinux.com/download/zabom.html
  http://www.turbolinux.com/download/zabomupdate.html

 Package Update Path
 http://www.turbolinux.com/update

============================================================
 * To obtain the public key

 Here is the public key

  http://www.turbolinux.com/security/

 * To unsubscribe from the list

 If you ever want to remove yourself from this mailing list,
 you can send a message to <server-users-e-ctl () turbolinux co jp> with
 the word `unsubscribe' in the body (don't include the quotes).

 unsubscribe

 * To change your email address

 If you ever want to change email address in this mailing list,
 you can send a message to <server-users-e-ctl () turbolinux co jp> with
 the following command in the message body:

   chaddr 'old address' 'new address'

 If you have any questions or problems, please contact
 <supp_info () turbolinux co jp>

 Thank you!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAMfmeK0LzjOqIJMwRAqurAKC4zL7f78lduUhcumkB0CuwAZ5XsACeKlJ9
bUaFTYHxeCsaoQ+PaxL3yPk=
=vqal
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html