Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Linux comes down with security flu

More bugs than you could shake a stick at.

Article comments

Linux vendors are issuing patches for several serious bugs affecting an imaging component, a pdf viewer, two widely used media players and the Shoutcast audio server.

The bugs could leave Linux users vulnerable to attack when they view tiff images or pdf files, view remote media content or when the Shoutcast server accepts maliciously-crafted requests.

The LibTiff library, which supports tiff images in various Linux applications, is affected by two separate integer overflows, researchers said, in the "tiffFetchStripThing()" and "CheckMalloc()" functions. Both could allow an attacker to execute malicious code when a specially crafted tiff image is viewed in an application that uses the library.

The first vulnerability was confirmed in LibTiff version 3.6.1, and the second in versions 3.5.7 and 3.7.0, but other versions may also be affected. Version 3.7.1, available here, fixes the bugs. Both were originally reported by iDefense just before Christmas, and a number of Linux vendors have issued customised patches for the affected software. Independent security firm Secunia gave the bugs a "highly critical" rating.

At the same time, iDefense reported a vulnerability in xpdf, an application used for viewing pdf files in Linux. In xpdf version 3.00, a boundary error could be exploited via a specially crafted pdf file to execute malicious code on a user's system, iDefense said. Patches are available from various Linux vendors. Secunia gave the vulnerability a "highly critical" rating.

The mplayer media player has five separate bugs, any of which could be used to compromise a system via specially crafted files or parameters, according to an advisory from Secunia. The bugs are fixed in version 1.0pre5try2, available from the mplayer website and from Linux vendors.

Three of the bugs were reported by iDefense (in advisories found here, here and here), two were reported by the vendor and a third was discovered by researcher Ariel Berkman.

Two similar bugs were discovered in xine, a cross-platform media player, as reported by iDefense. Both can allow an attacker to execute malicious code on a desktop by luring a user to a malicious server using the PNM streaming media protocol. Secunia gave the bugs a "highly critical" rating.

Shoutcast warned of a bug in its media server when processing requested filenames. An attacker could execute malicious code on a Linux server by sending a specially crafted HTTP request to the Shoutcast software. The bug affects the version 1.9.4 of the Linux server, and possibly earlier versions; it is fixed in version 1.9.5, available here and from several Linux vendors. Secunia's advisory ranked the bugs as "highly critical".


More from Techworld

More relevant IT news


Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *