|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2007-0024
Package names: file, gd, mutt
Summary: Multiple vulnerabilities
Date: 2007-08-10
Affected versions: Trustix Secure Linux 2.2
Trustix Secure Linux 3.0
Trustix Secure Linux 3.0.5
Trustix Operating System - Enterprise Server 2
- --------------------------------------------------------------------------
Package description:
file
The file command is used to identify a particular file according to the
type of data contained by the file. File can identify many different
file types, including ELF binaries, system libraries, RPM packages, and
different graphics formats.
gd
gd is a graphics library. It allows your code to quickly draw images
complete with lines, arcs, text, multiple colors, cut and paste from
other images, and flood fills, and write out the result as a PNG or
JPEG file. This is particularly useful in World Wide Web applications,
where PNG and JPEG are two of the formats accepted for inline images
by most browsers.
mutt
Mutt is a text mode mail user agent. Mutt supports color, threading,
arbitrary key remapping, and a lot of customization.
Problem description:
file < TSL 3.0.5 > < TSL 3.0 > < TSL 2.2 > < TSEL 2>
- SECURITY Fix: Fixes integer overflow in the "file" program, that
might allow user-assisted attackers to execute arbitrary code via
a large file that triggers an overflow that bypasses an assert()
statement. This issue is due to an incorrect patch for CVE-2007-1536.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2007-2799 to this issue.
gd < TSL 3.0.5 > < TSL 3.0 > < TSL 2.2 >
- SECURITY Fix: Some vulnerabilities have been reported in the GD
Graphics Library, where some have unknown impact and others can
potentially be exploited to cause a DoS (SA25855).
Includes fixes for CVE-2007-3472 to CVE-2007-3478.
mutt < TSL 3.0.5 > < TSL 3.0 > < TSL 2.2 >
- New Upstream.
- SECURITY Fix: A vulnerability has been reported in mutt, caused
due to a boundary error in the "mutt_gecos_name()" function when
processing "&" characters in the GECOS field. This can be exploited
to cause a buffer overflow during alias expansion.
- A weakness has been identified which is caused by an error in the
APOP protocol that fails to properly prevent MD5 collisions. This
could be exploited via man-in-the-middle attacks and specially
crafted message-IDs to potentially disclose the first three
characters of passwords.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2007-2683 and CVE-2007-1558 to these issue.
Action:
We recommend that all systems with this package installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.
Location:
All Trustix Secure Linux updates are available from