Linux Advisory Watch – December 31, 2004

Happy New Year! This week advisories were released for netpbm, libtiff, imlib,
Xpdf,CUPS, and ViewCVS. The distributors include Conectiva, Debian, Gentoo,
and Mandrake.

A 2005 Linux Security Resolution

Year 2000, the coming of the new millennium, brought us great joy
and celebration, but also brought great fear. Some believed it
would result in full-scale computer meltdown, leaving Earth as a
nuclear wasteland. Others predicted minor glitches leading only to
inconvenience. The following years (2001-2004) have been tainted
with the threat of terrorism worldwide. Whether it be physical
terrorism, or malicious acts of information security, we have all
raised our level of awareness. For many across the world, the new
year brings a sense of rebirth and recommitment. All of us take
time to reflect on the past year, reexamine our lives, and focus
on how we can do better the upcoming year. Some have career related
goals, others only wish to make more time for their family because
of the realization that those close to you are in fact the real
and only reason for everything. Personally, I am one who loves
to set goals. Without a mission and plan, very little gets
accomplished. The new year should not only be a time to set
personal goals such as an exercise regiment, but also a time to
focus on security practices and configurations. 2005 will be
hostile, now is the time to prepare.

Reflect on Present

Those of us long-time security gurus always chant the mantra
“security is a process, not a product; repeat.” The new year
should be a time to refine that process. Take a moment to analyze
and ask the following questions:

• Are we doing everything the way we should?
• What areas of our operation need to be improved?
• Are we following security best practices?
• Do I feel confident about our security practices?
• Do I have metrics to provide assurance about our security?
• Are we proactive, or do we always seem to be catching up?

	Contectiva
	Conectiva: netpbm Insecure temporary file creation
	29th, December, 2004 Utilities provided by the netpbm package prior to the 9.25 version contain defects[2] in temporary file handling. They create temporary files with predictable names without checking if the target file already exists. http://www.linuxsecurity.com/content/view/117694
	Debian
	Debian: libtiff arbitrary code execution fix
	24th, December, 2004 “infamous41md” discovered a problem in libtiff, the Tag Image File Format library for processing TIFF graphics files. Upon reading a TIFF file it is possible to allocate a zero sized buffer and write to it which would lead to the execution of arbitrary code. http://www.linuxsecurity.com/content/view/117664
	Debian: imlib arbitrary code execution fix
	24th, December, 2004 Pavel Kankovsky discovered that several overflows found in the libXpm library were also present in imlib, an imaging library for X and X11. An attacker could create a carefully crafted image file in such a way that it could cause an application linked with imlib to execute arbitrary code when the file was opened by a victim. http://www.linuxsecurity.com/content/view/117667
	Gentoo
	Gentoo: Xpdf, Gpdf New integer overflows
	28th, December, 2004 New integer overflows were discovered in Xpdf, potentially resulting in the execution of arbitrary code. GPdf includes Xpdf code and therefore is vulnerable to the same issues. http://www.linuxsecurity.com/content/view/117690
	Gentoo: CUPS Multiple vulnerabilities
	28th, December, 2004 Multiple vulnerabilities have been found in CUPS, ranging from local Denial of Service attacks to the remote execution of arbitrary code. http://www.linuxsecurity.com/content/view/117691
	Gentoo: ViewCVS Information leak and XSS vulnerabilities
	28th, December, 2004 ViewCVS is vulnerable to an information leak and to cross-site scripting (XSS) issues. http://www.linuxsecurity.com/content/view/117692
	Mandrake
	Mandrake: integer overflow vulnerabilities update
	27th, December, 2004 Remote exploitation of an integer overflow vulnerability in the smbd daemon included in Samba 2.0.x, Samba 2.2.x, and Samba 3.0.x prior to and including 3.0.9 could allow an attacker to cause controllable heap corruption, leading to execution of arbitrary commands with root privileges. http://www.linuxsecurity.com/content/view/117683