From security-announce@turbolinux.co.jp Thu Feb 24 06:23:23 2005
From: Turbolinux
Resent-From: security-announce@turbolinux.co.jp
To: security-announce@turbolinux.co.jp
Resent-To: server-users-e@turbolinux.co.jp (moderated)
Date: Thu, 24 Feb 2005 14:52:58 +0900
Reply-To: server-users-e@turbolinux.co.jp
Subject: [Full-Disclosure] [TURBOLINUX SECURITY INFO] 24/Feb/2005

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is an announcement only email list for the x86 architecture.
============================================================
Turbolinux Security Announcement 24/Feb/2005
============================================================

The following page contains the security information of Turbolinux Inc.

 - Turbolinux Security Center
   http://www.turbolinux.com/security/

 (1) nasm -> Buffer overflow vulnerability exists in nasm
 (2) xine-lib -> Buffer overflow vulnerabilities exist in xine-lib
 (3) mc -> Multiple vulnerabilities exist in mc

===========================================================
* nasm -> Buffer overflow vulnerability exists in nasm
===========================================================

 More information:
    NASM is the Netwide Assembler, a free portable assembler for the
    Intel 80x86 microprocessor series, using primarily the traditional
    Intel instruction mnemonics and syntax.
    A buffer overflow vulnerability has been discovered in nasm.

 Impact:
    This vulnerability may allow attackers to execute arbitrary code
    via malformed asm files.

 Affected Products:
    - Turbolinux 10 Server
    - Turbolinux Home
    - Turbolinux 10 F...
    - Turbolinux 10 Desktop
    - Turbolinux 8 Server

 Solution:
    Please use the turbopkg (zabom) tool to apply the update.
 ---------------------------------------------
 [Turbolinux 10 Server, Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home]
 # turbopkg
 or
 # zabom -u nasm nasm-rdoff

 [other]
 # turbopkg
 or
 # zabom update nasm nasm-rdoff
 ---------------------------------------------

   Source Packages
   Size: MD5

   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/SRPMS/nasm-0.98.34-5.src.rpm
      1407396 8d0ab7c00a6838a3617d811245cbf8c7

   Binary Packages
   Size: MD5

   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/nasm-0.98.34-5.i586.rpm
       957230 8733a24a534a72207b0a7ae87b240740
   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/nasm-rdoff-0.98.34-5.i586.rpm
        43934 99610ee6c61ac633f6a347cc3db5c737

   Source Packages
   Size: MD5

   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/nasm-0.98.34-5.src.rpm
      1407396 7e1a561070b3a21411bc30887ccb3025

   Binary Packages
   Size: MD5

   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/nasm-0.98.34-5.i586.rpm
       958330 ed3cdd4e91cacc58afc8b496a20db11a
   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/nasm-rdoff-0.98.34-5.i586.rpm
        44386 9ba85d2a9d103716724c792a5a05bffb

   Source Packages
   Size: MD5

   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/nasm-0.98.34-5.src.rpm
      1407396 dbb44a16c331d59eb848a76874be4f40

   Binary Packages
   Size: MD5

   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/nasm-0.98.34-5.i586.rpm
       838544 9f2f919d1ac94ec88fa69a5a2e6a88f1
   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/nasm-rdoff-0.98.34-5.i586.rpm
        43666 1bc4f4febc8de7a930f246df8bba6709

 References:

 CVE
   [CAN-2004-1287]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1287

===========================================================
* xine-lib -> Buffer overflow vulnerabilities exist in xine-lib
===========================================================

 More information:
    The xine engine is a free media player engine. It comes in the form
    of a shared library and is typically used by media player frontends
    and other multimedia applications for playback of multimedia streams
    such as movies, radio/tv network streams, DVDs, VCDs.
    Buffer overflow vulnerabilities have been discovered in the
    open_aiff_file and pnm_get_chunk functions of xine-lib.

 Impact:
    These vulnerabilities may allow attackers to execute arbitrary code
    via malformed multimedia files.

 Affected Products:
    - Turbolinux Home
    - Turbolinux 10 F...
    - Turbolinux 10 Desktop

 Solution:
    Please use the turbopkg (zabom) tool to apply the update.
 ---------------------------------------------
 # turbopkg
 or
 # zabom -u xine-lib xine-lib-devel xine-lib-wmf
 ---------------------------------------------

   Source Packages
   Size: MD5

   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/xine-lib-1rc3c-12.src.rpm
      6488660 45e60bc9403e1221fb08877a196e283f

   Binary Packages
   Size: MD5

   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/xine-lib-1rc3c-12.i586.rpm
      3415079 ab67dcc334283c07e8effdaf21d6dcf1
   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/xine-lib-devel-1rc3c-12.i586.rpm
       380994 696900ec8a753043fcccd025392a4d65
   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/xine-lib-wmf-1rc3c-12.i586.rpm
        22218 0da543e61d19ff8aeba3452939d17cc8

 References:

 CVE
   [CAN-2004-1187]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1187
   [CAN-2004-1188]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1188
   [CAN-2004-1300]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1300

===========================================================
* mc -> Multiple vulnerabilities exist in mc
===========================================================

 More information:
    Midnight Commander is a visual shell much like
    a file manager, only with many more features.

 Impact:
    Please refer to the "References" section.

 Affected Products:
    - Turbolinux 8 Server
    - Turbolinux 8 Workstation
    - Turbolinux 7 Server
    - Turbolinux 7 Workstation

 Solution:
    Please use the turbopkg (zabom) tool to apply the update.
 ---------------------------------------------
 # turbopkg
 or
 # zabom update mc
 ---------------------------------------------

   Source Packages
   Size: MD5

   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/mc-4.5.54-7.src.rpm
      5031778 a468d3f6b37762eef7330220e323e637

   Binary Packages
   Size: MD5

   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/mc-4.5.54-7.i586.rpm
      1212924 0b78b5e31b3d4bfcc4bf4077acc62ec3

   Source Packages
   Size: MD5

   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/mc-4.5.54-7.src.rpm
      5031778 6e402a0b291a9bbe518bda846911d9e3

   Binary Packages
   Size: MD5

   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/mc-4.5.54-7.i586.rpm
      1213355 3f07f6545c4c508ec7a7e3946e3e2d41

   Source Packages
   Size: MD5

   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/mc-4.5.54-7.src.rpm
      5031778 d15b6adda6fa80e467c0f670ea07c696

   Binary Packages
   Size: MD5

   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/mc-4.5.54-7.i586.rpm
      1206494 30c85664c55af8a14c5e356feea6d8a0

   Source Packages
   Size: MD5

   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/mc-4.5.54-7.src.rpm
      5031778 e8d63890c07596713638d31338de0fb7

   Binary Packages
   Size: MD5

   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/mc-4.5.54-7.i586.rpm
      1206064 eb96f4e80bb6035155413bdd67772523

 References:

 CVE
   [CAN-2004-1004]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1004
   [CAN-2004-1005]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1005
   [CAN-2004-1009]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1009
   [CAN-2004-1090]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1090
   [CAN-2004-1091]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1091
   [CAN-2004-1092]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1092
   [CAN-2004-1093]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1093
   [CAN-2004-1174]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1174
   [CAN-2004-1175]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1175
   [CAN-2004-1176]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1176

 * You may need to update the turbopkg tool before applying the update.
   Please refer to the following URL for detailed information.

   http://www.turbolinux.com/download/zabom.html
   http://www.turbolinux.com/download/zabomupdate.html

 Package Update Path
   http://www.turbolinux.com/update/

============================================================
 * To obtain the public key

   Here is the public key
   http://www.turbolinux.com/security/

 * To unsubscribe from the list

   If you ever want to remove yourself from this mailing list,
   you can send a message to with the word `unsubscribe' in the
   body (don't include the quotes).

   unsubscribe

 * To change your email address

   If you ever want to change email address in this mailing list,
   you can send a message to with the following command in the
   message body:

   chaddr 'old address' 'new address'

If you have any questions or problems, please contact

Thank you!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)

iD8DBQFCHWvAK0LzjOqIJMwRAnUqAKCdaL1ClnbTZHmPkjQlGpJi6UadOACdFJBL
scP6a3r5PEYcu3PCSZeAmMY=
=eJXm
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html