Unix, Linux Security Bugs Patched

By Larry Seltzer  |  Posted 2004-12-22

Vulnerabilities in LibTIFF and Xpdf could allow remote system compromise.

Internet security research firm iDefense has announced a series of vulnerabilities and patches for a variety of Unix- and Linux-based products. A stack-based buffer overflow was revealed in version 3.00 of Xpdf, a popular viewer for reading PDF files, usually created by Adobe Acrobat.

"Remote exploitation of a buffer overflow vulnerability in the xpdf PDF viewer, as included in multiple Linux distributions, could allow attackers to execute arbitrary code as the user viewing a PDF file," the iDefense advisory said. According to the advisory, SuSE Linux, Red Hat Linux, Fedora Core, Debian Linux, Gentoo Linux, FreeBSD (ports) and OpenBSD are affected.

iDefense said that the bug is not a simple one to exploit, but that it can be done if the attacker has knowledge of the operating system that is running. The attacker must, of course, convince the user to view a malicious PDF file.

Foo Labs has released a patch for the problem and an updated binary version (3.00pl2) of the product.

Meanwhile, two bugs were announced in LibTIFF, a popular library for working with TIFF image files. Both are heap-based buffer overflows and have the potential to allow remote code execution.

The user must be persuaded to open a malicious TIFF file from within an application linked to a vulnerable version of the library. The first bug, which affects the calculation of the size of a directory entry, was confirmed by iDefense in LibTIFF versions 3.5.7 and 3.7.0. The second, which affects the parsing of files with the STRIPOFFSETS flag, was confirmed in LibTIFF 3.6.1.

Both problems are fixed in the current version of the library, 3.7.1.
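The first LibTIFF bug is described above only as a problem in calculating the size of a directory entry, and the page does not say how the miscalculation arises. The following is an added example written for this article, not LibTIFF's code and not a reconstruction of the actual defect: it assumes, as an illustration of this bug class, that a TIFF reader derives an entry's data size as count times element size in 32-bit arithmetic, and it shows that unchecked computation beside a hardened one that rejects products which would wrap and sizes the file cannot back. The IFD entry layout and type codes come from the TIFF 6.0 specification; the entry bytes are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* TIFF 6.0 field type codes. */
enum {
    TIFF_BYTE = 1, TIFF_ASCII = 2, TIFF_SHORT = 3, TIFF_LONG = 4,
    TIFF_RATIONAL = 5, TIFF_SBYTE = 6, TIFF_UNDEFINED = 7, TIFF_SSHORT = 8,
    TIFF_SLONG = 9, TIFF_SRATIONAL = 10, TIFF_FLOAT = 11, TIFF_DOUBLE = 12
};

#define TIFFTAG_STRIPOFFSETS 0x0111u   /* StripOffsets tag number from the TIFF spec */

/* Bytes per element for a field type; 0 for an unknown type. */
static uint32_t tiff_type_size(uint16_t type)
{
    switch (type) {
    case TIFF_BYTE: case TIFF_ASCII: case TIFF_SBYTE: case TIFF_UNDEFINED: return 1;
    case TIFF_SHORT: case TIFF_SSHORT: return 2;
    case TIFF_LONG: case TIFF_SLONG: case TIFF_FLOAT: return 4;
    case TIFF_RATIONAL: case TIFF_SRATIONAL: case TIFF_DOUBLE: return 8;
    default: return 0;
    }
}

/* Illustrative unchecked computation (hypothetical, not LibTIFF's code):
 * count * element size in 32-bit arithmetic wraps silently, so a huge count
 * can yield a tiny allocation while the reader still copies 'count' elements
 * into it, which is how a heap buffer overflow of this kind arises. */
uint32_t entry_bytes_unchecked(uint16_t type, uint32_t count)
{
    return count * tiff_type_size(type);
}

/* Hardened computation: returns the byte count, or -1 if the type is unknown,
 * the product would wrap, or the entry claims more bytes than the file holds. */
int64_t entry_bytes_checked(uint16_t type, uint32_t count, uint32_t file_size)
{
    uint32_t elem = tiff_type_size(type);
    if (elem == 0)
        return -1;
    if (count > UINT32_MAX / elem)      /* multiplication would overflow */
        return -1;
    uint32_t bytes = count * elem;
    if (bytes > file_size)              /* no file of this size can back the claim */
        return -1;
    return (int64_t)bytes;
}

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Tag number of a 12-byte little-endian IFD entry laid out as
 * tag(2) type(2) count(4) value-or-offset(4). */
uint16_t ifd_entry_tag(const uint8_t entry[12])
{
    return rd16le(entry);
}

/* Parses one little-endian IFD entry and returns its checked data size, or -1. */
int64_t validate_ifd_entry(const uint8_t entry[12], uint32_t file_size)
{
    uint16_t type  = rd16le(entry + 2);
    uint32_t count = rd32le(entry + 4);
    return entry_bytes_checked(type, count, file_size);
}

/* Constructed sample entry (not taken from any real file): StripOffsets,
 * type LONG, count 0x40000001. 0x40000001 * 4 = 0x100000004, which wraps to 4. */
const uint8_t sample_entry[12] = {
    0x11, 0x01,             /* tag 0x0111 */
    0x04, 0x00,             /* type LONG */
    0x01, 0x00, 0x00, 0x40, /* count 0x40000001 */
    0x00, 0x00, 0x00, 0x00  /* value/offset, unused here */
};

int main(void)
{
    uint32_t file_size = 1u << 20;  /* pretend the input file is 1 MiB */
    printf("unchecked size: %u bytes\n",
           entry_bytes_unchecked(TIFF_LONG, 0x40000001u));
    printf("checked size:   %lld\n",
           (long long)validate_ifd_entry(sample_entry, file_size));
    return 0;
}
```

The unchecked version reports 4 bytes for the sample entry, while the checked version rejects it. Bounding the claimed size by the file length is the cheap second check: even when the multiplication cannot wrap, an entry that promises more data than the file contains is malformed and should not drive an allocation.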

Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
