Linux comes down with security flu

Linux vendors are issuing patches for several serious bugs affecting an imaging component, a PDF viewer, two widely used media players and the Shoutcast audio server.

The bugs could leave Linux users vulnerable to attack when they view TIFF images or PDF files, view remote media content or when the Shoutcast server accepts maliciously crafted requests.

The LibTiff library, which supports TIFF images in various Linux applications, is affected by two separate integer overflows, researchers said, in the "tiffFetchStripThing()" and "CheckMalloc()" functions. Both could allow an attacker to execute malicious code when a specially crafted TIFF image is viewed in an application that uses the library.

The first vulnerability was confirmed in LibTiff version 3.6.1, and the second in versions 3.5.7 and 3.7.0, but other versions may also be affected. Version 3.7.1 fixes the bugs. Both were originally reported by iDefense just before Christmas, and a number of Linux vendors have issued customised patches for the affected software. Independent security firm Secunia gave the bugs a "highly critical" rating.

At the same time, iDefense reported a vulnerability in xpdf, an application used for viewing PDF files in Linux. In xpdf version 3.00, a boundary error could be exploited via a specially crafted PDF file to execute malicious code on a user's system, iDefense said. Patches are available from various Linux vendors. Secunia gave the vulnerability a "highly critical" rating.

The mplayer media player has five separate bugs, any of which could be used to compromise a system via specially crafted files or parameters, according to an advisory from Secunia. The bugs are fixed in version 1.0pre5try2, available from the mplayer website and from Linux vendors.

Three of the bugs were reported by iDefense, two were reported by the vendor and a third was discovered by researcher Ariel Berkman.

Two similar bugs were discovered in xine, a cross-platform media player, as reported by iDefense. Both can allow an attacker to execute malicious code on a desktop by luring a user to a malicious server using the PNM streaming media protocol. Secunia gave the bugs a "highly critical" rating.

Shoutcast warned of a bug in its media server when processing requested file names. An attacker could execute malicious code on a Linux server by sending a specially crafted HTTP request to the Shoutcast software. The bug affects version 1.9.4 of the Linux server, and possibly earlier versions; it is fixed in version 1.9.5, available from several Linux vendors. Secunia's advisory ranked the bugs as "highly critical."
