From security-announce@turbolinux.co.jp Tue Aug 31 13:58:08 2004
From: Turbolinux
Resent-From: security-announce@turbolinux.co.jp
To: security-announce@turbolinux.co.jp
Resent-To: server-users-e@turbolinux.co.jp (moderated)
Date: Tue, 31 Aug 2004 18:03:29 +0900
Reply-To: server-users-e@turbolinux.co.jp
Subject: [Full-Disclosure] [TURBOLINUX SECURITY INFO] 31/Aug/2004

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is an announcement-only email list for the x86 architecture.

============================================================
Turbolinux Security Announcement 31/Aug/2004
============================================================

The following page contains the security information of Turbolinux Inc.

- Turbolinux Security Center
  http://www.turbolinux.com/security/

(1) rsync -> path-sanitizing bug
(2) qt -> Multiple vulnerabilities in Qt

===========================================================
* rsync -> path-sanitizing bug
===========================================================

More information :

rsync uses the "rsync algorithm", which provides a very fast method for bringing remote files into sync. It does this by sending just the differences in files across a link, without requiring that both sets of files be present at one of the ends of the link beforehand.

A vulnerability has been discovered in rsync in the sanitize_path function in file util.c which allows attackers to read and/or write certain files when chroot is disabled.

Impact :

Remote attackers may be able to read and write files that they should not be able to read or write.

Affected Products :

- Turbolinux 10 F...
- Turbolinux 10 Desktop
- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
- Turbolinux 7 Workstation

Solution :

Please use the turbopkg (zabom) tool to apply the update.

---------------------------------------------
[Turbolinux 10 Desktop, Turbolinux 10 F...]
# zabom -u libpng rsync

[other]
# turbopkg
or
# zabom update rsync
---------------------------------------------

References:

rsync
http://samba.anu.edu.au/rsync/

CVE
[CAN-2004-0792]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0792
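To illustrate the class of check the rsync advisory refers to, here is an added example (not rsync's sanitize_path() from util.c and not part of the Turbolinux advisory) of lexically confining a client-supplied path to a module root, which is the job a daemon must do itself once chroot is disabled. The helper names, the module root and the sample paths are all hypothetical.

```python
import posixpath

class PathEscapesModule(ValueError):
    """Raised when a client-supplied path would leave the module root."""

def sanitize_path(module_root: str, requested: str) -> str:
    """Lexically confine a client-supplied path to module_root.

    Hypothetical helper (not rsync's sanitize_path() from util.c) showing the
    check a daemon needs when chroot is disabled: the kernel then offers no
    containment, so every absolute prefix and '..' must be neutralised first.
    """
    rel = requested.lstrip("/")  # a leading '/' means the module root, never '/'
    parts = []
    for comp in rel.split("/"):
        if comp in ("", "."):
            continue  # '//' and './' add nothing
        if comp == "..":
            if not parts:
                # Climbing above the root: reject rather than silently clamp,
                # so the attempt shows up in the daemon's log.
                raise PathEscapesModule(requested)
            parts.pop()
            continue
        parts.append(comp)
    root = module_root.rstrip("/") or "/"
    result = posixpath.join(root, *parts)
    if result != root and not result.startswith(root.rstrip("/") + "/"):
        raise PathEscapesModule(requested)  # belt and braces: still under root
    # Caveat: purely lexical. A symlink inside the module pointing outside it
    # is not caught here; that needs os.path.realpath() at open time.
    return result

def demo(module_root: str = "/srv/rsync/module") -> dict:
    """Run constructed sample paths (made up for this example) through the check."""
    samples = [
        "docs/readme.txt",         # ordinary relative path
        "/docs/../etc/../docs/x",  # absolute prefix plus internal '..'
        "docs//./sub/",            # redundant separators
        "../../etc/passwd",        # classic traversal out of the module
        "a/../../b",               # '..' that nets out above the root
    ]
    out = {}
    for s in samples:
        try:
            out[s] = sanitize_path(module_root, s)
        except PathEscapesModule:
            out[s] = "REJECTED"
    return out
```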
===========================================================
* qt -> Multiple vulnerabilities in Qt
===========================================================

More information :

Qt is a complete, well-designed, multi-platform object-oriented framework for developing graphical user interface (GUI) applications in C++. Qt has seamless integration with the OpenGL/Mesa 3D libraries.

The GIF and XML parsers in the Qt library are susceptible to a remote denial of service attack via a null pointer dereference triggered by malformed GIF or XML file input.

Impact :

This may allow remote attackers to cause a denial of service via malformed GIF and XML files.

Affected Products :

- Turbolinux Appliance Server 1.0 Hosting Edition
- Turbolinux Appliance Server 1.0 Workgroup Edition
- Turbolinux 10 F...
- Turbolinux 10 Desktop
- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
- Turbolinux 7 Workstation

Solution :

Please use the turbopkg (zabom) tool to apply the update.

---------------------------------------------
[Turbolinux 10 Desktop, Turbolinux 10 F...]
# zabom -u qt3 qt3-devel qt3-tools

[other]
# turbopkg
or
# zabom update qt qt-NSPlugin qt-Xt qt-devel
---------------------------------------------
References:

CVE
[CAN-2004-0691]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0691
[CAN-2004-0692]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0692
[CAN-2004-0693]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0693

* You may need to update the turbopkg tool before applying the update.
  Please refer to the following URL for detailed information.
  http://www.turbolinux.com/download/zabom.html
  http://www.turbolinux.com/download/zabomupdate.html

Package Update Path
http://www.turbolinux.com/update

============================================================
* To obtain the public key

Here is the public key
http://www.turbolinux.com/security/

* To unsubscribe from the list

If you ever want to remove yourself from this mailing list, you can send a message to with the word `unsubscribe' in the body (don't include the quotes).

unsubscribe

* To change your email address

If you ever want to change your email address in this mailing list, you can send a message to with the following command in the message body:

chaddr 'old address' 'new address'

If you have any questions or problems, please contact

Thank you!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFBND7mK0LzjOqIJMwRAmF/AJ9xm3HTZhtrRE1w/nekUlswn+AZPQCgu+Yf
gz/ux9mpEZo8HdYu+NkDICY=
=gMtC
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html