From: Trustix Security Advisor <tsl@trustix.org>
To: tsl-announce@lists.trustix.org
Subject: TSLSA-2005-0066 - multi
Date: Tue, 22 Nov 2005 11:54:16 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2005-0066
Package names: gtk2+, lynx
Summary: Multiple vulnerabilities
Date: 2005-11-18
Affected versions: Trustix Secure Linux 2.2
Trustix Secure Linux 3.0
- --------------------------------------------------------------------------
Package description:
gtk2+
The gtk+ package contains the GIMP ToolKit (GTK+), a library for creating
graphical user interfaces for the X Window System. GTK+ was originally
written for the GIMP (GNU Image Manipulation Program) image processing
program, but is now used by several other programs as well.
lynx
Lynx is a text-based Web browser. Lynx does not display any images, but it
does support frames, tables and most other HTML tags. Lynx's advantage
over graphical browsers is its speed: Lynx starts and exits quickly and
swiftly when displaying Web pages.
Problem description:
gtk2+ < TSL 3.0 >
- SECURITY Fix: An attacker could create a carefully crafted XPM file
in such a way that it could cause an application linked with gtk2 to
execute arbitrary code when the file was opened by a victim.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2005-3186.
- SECURITY Fix: Ludwig Nussel discovered an infinite-loop denial of
service bug in the way gtk2 processes XPM images. An attacker could
create a carefully crafted XPM file in such a way that it could cause
an application linked with gtk2 to stop responding when the file was
opened by a victim.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2005-2975.
lynx < TSL 2.2 > < TSEL 2 >
- Security Fix: vade79 has reported a vulnerability in Lynx, which can
be exploited by malicious people to compromise a user's system. The
vulnerability is caused by unspecified configuration and input
validation errors in the handling of certain URI handlers which
execute local programs. This can be exploited to execute arbitrary
commands via the "lynxcgi", "lynxexec", and "lynxprog" URI handlers.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2005-2929.
Action:
We recommend that all systems with this package installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.
Location:
All Trustix Secure Linux updates are available from
<URI:http://http.trustix.org/pub/trustix/updates/>
<URI:ftp://ftp.trustix.org/pub/trustix/updates/>
About Trustix Secure Linux:
Trustix Secure Linux is a small Linux distribution for servers. With focus
on security and stability, the system is painlessly kept safe and up to
date from day one using swup, the automated software updater.
Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.
Questions?
Check out our mailing lists:
<URI:http://www.trustix.org/support/>
Verification:
This advisory, along with all Trustix packages, is signed with the
TSL sign key.
This key is available from:
<URI:http://www.trustix.org/TSL-SIGN-KEY>
The advisory itself is available from the errata pages at
<URI:http://www.trustix.org/errata/trustix-2.2/> and
<URI:http://www.trustix.org/errata/trustix-3.0/>
or directly at
<URI:http://www.trustix.org/errata/2005/0066/>
MD5sums of the packages:
- --------------------------------------------------------------------------
3148ec20cf65bd391acfec0d4005c5f4 2.2/rpms/lynx-2.8.5-4tr.i586.rpm
ed624ad80038e95d709a30f2744959b4 3.0/rpms/gtk2+-2.6.7-5tr.i586.rpm
bedbadce4325ee11e207e85b26ea44ed 3.0/rpms/gtk2+-devel-2.6.7-5tr.i586.rpm
- --------------------------------------------------------------------------
Trustix Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFDgvBVi8CEzsK9IksRAtmEAJ9+xBMZjBfz1vLSj6XLrUv9mD94BwCeLumv
WPtDHlz5i+zr+p2x+pfuSTM=
=1sQp
-----END PGP SIGNATURE-----
_______________________________________________
tsl-announce mailing list
tsl-announce@lists.trustix.org
http://lists.trustix.org/mailman/listinfo/tsl-announce
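
Added example, not part of the Trustix advisory: a Python check that reads the "MD5sums of the packages" block from an advisory in this format and compares RPMs under a local mirror directory against it. The function names and the sample package in the demo are constructed for illustration; the sums are only meaningful once the advisory's PGP signature has been verified against the TSL sign key.

```python
import hashlib
import re
from pathlib import Path

# One advisory entry: 32 hex digits, whitespace, relative package path.
MD5_LINE = re.compile(r"^([0-9a-f]{32})\s+(\S+)$")


def parse_md5_list(advisory_text):
    """Return {relative_path: md5hex} from the 'MD5sums of the packages:' block."""
    sums, in_block = {}, False
    for raw in advisory_text.splitlines():
        line = raw.strip()
        if line.startswith("- "):        # undo PGP clearsign dash-escaping
            line = line[2:]
        if line.startswith("MD5sums of the packages"):
            in_block = True
        m = MD5_LINE.match(line)
        if in_block and m:
            sums[m.group(2)] = m.group(1)
    return sums


def check_packages(advisory_text, mirror_root):
    """Compare files under mirror_root with the advisory; return {path: status}."""
    root = Path(mirror_root).resolve()
    results = {}
    for rel, expected in parse_md5_list(advisory_text).items():
        target = (root / rel).resolve()
        if root not in target.parents:   # listed path must stay inside the mirror
            results[rel] = "REJECTED"
        elif not target.is_file():
            results[rel] = "MISSING"
        else:
            actual = hashlib.md5(target.read_bytes()).hexdigest()
            results[rel] = "OK" if actual == expected else "MISMATCH"
    return results


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:   # constructed sample, not a real package
        pkg = Path(d, "3.0/rpms/demo-1.0-1tr.i586.rpm")
        pkg.parent.mkdir(parents=True)
        pkg.write_bytes(b"constructed sample payload")
        text = ("MD5sums of the packages:\n- ----------\n"
                + hashlib.md5(b"constructed sample payload").hexdigest()
                + " 3.0/rpms/demo-1.0-1tr.i586.rpm\n")
        print(check_packages(text, d))
```

Any status other than OK means the package should not be installed until the download and the advisory have been rechecked.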