[gentoo-announce] [ GLSA 200512-16 ] OpenMotif, AMD64 x86 emulation X libraries: Buffer overflows in libUil library - gentoo-announce

From:	Thierry Carrez <koon@g.o>
To:	gentoo-announce@l.g.o
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200512-16 ] OpenMotif, AMD64 x86 emulation X libraries: Buffer overflows in libUil library
Date:	Wed, 28 Dec 2005 16:18:49
Message-Id:	`43B2B5AE.80905@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 200512-16

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: Low

8

     Title: OpenMotif, AMD64 x86 emulation X libraries: Buffer overflows

9

            in libUil library

10

      Date: December 28, 2005

11

      Bugs: #114234, #116481

12

        ID: 200512-16

13

14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

15

16

Synopsis

17

========

18

19

Two buffer overflows have been discovered in libUil, part of the

20

OpenMotif toolkit, that can potentially lead to the execution of

21

arbitrary code.

22

23

Background

24

==========

25

26

OpenMotif provides a free version of the Motif toolkit for open source

27

applications. The OpenMotif libraries are included in the AMD64 x86

28

emulation X libraries, which emulate the x86 (32-bit) architecture on

29

the AMD64 (64-bit) architecture.

30

31

Affected packages

32

=================

33

34

    -------------------------------------------------------------------

35

     Package               /  Vulnerable  /                 Unaffected

36

    -------------------------------------------------------------------

37

  1  openmotif                < 2.2.3-r8                   >= 2.2.3-r8

38

                                                        *>= 2.1.30-r13

39

  2  emul-linux-x86-xlibs       < 2.2.1                       >= 2.2.1

40

    -------------------------------------------------------------------

41

     # Package 2 [app-emulation/emul-linux-x86-xlibs] only applies to

42

       AMD64 users.

43

44

     NOTE: Any packages listed without architecture tags apply to all

45

           architectures...

46

    -------------------------------------------------------------------

47

     2 affected packages

48

    -------------------------------------------------------------------

49

50

Description

51

===========

52

53

xfocus discovered two potential buffer overflows in the libUil library,

54

in the diag_issue_diagnostic and open_source_file functions.

55

56

Impact

57

======

58

59

Remotely-accessible or SUID applications making use of the affected

60

functions might be exploited to execute arbitrary code with the

61

privileges of the user running the application.

62

63

Workaround

64

==========

65

66

There is no known workaround at this time.

67

68

Resolution

69

==========

70

71

All OpenMotif users should upgrade to an unaffected version:

72

73

    # emerge --sync

74

    # emerge --ask --oneshot --verbose x11-libs/openmotif

75

76

All AMD64 x86 emulation X libraries users should upgrade to the latest

77

version:

78

79

    # emerge --sync

80

    # emerge --ask --oneshot --verbose app-emulation/emul-linux-x86-xlibs

81

82

References

83

==========

84

85

  [ 1 ] CVE-2005-3964

86

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3964

87

  [ 2 ] xfocus SD-051202 Original Advisory

88

89

http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0047.html

90

91

Availability

92

============

93

94

This GLSA and any updates to it are available for viewing at

95

the Gentoo Security Website:

96

97

  http://security.gentoo.org/glsa/glsa-200512-16.xml

98

99

Concerns?

100

=========

101

102

Security is a primary focus of Gentoo Linux and ensuring the

103

confidentiality and security of our users machines is of utmost

104

importance to us. Any security concerns should be addressed to

105

security@g.o or alternatively, you may file a bug at

106

http://bugs.gentoo.org.

107

108

License

109

=======

110

111

Copyright 2005 Gentoo Foundation, Inc; referenced text

112

belongs to its owner(s).

113

114

The contents of this document are licensed under the

115

Creative Commons - Attribution / Share Alike license.

116

117

http://creativecommons.org/licenses/by-sa/2.0

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 200512-16
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Low
8	Title: OpenMotif, AMD64 x86 emulation X libraries: Buffer overflows
9	in libUil library
10	Date: December 28, 2005
11	Bugs: #114234, #116481
12	ID: 200512-16
13
14	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
15
16	Synopsis
17	========
18
19	Two buffer overflows have been discovered in libUil, part of the
20	OpenMotif toolkit, that can potentially lead to the execution of
21	arbitrary code.
22
23	Background
24	==========
25
26	OpenMotif provides a free version of the Motif toolkit for open source
27	applications. The OpenMotif libraries are included in the AMD64 x86
28	emulation X libraries, which emulate the x86 (32-bit) architecture on
29	the AMD64 (64-bit) architecture.
30
31	Affected packages
32	=================
33
34	-------------------------------------------------------------------
35	Package / Vulnerable / Unaffected
36	-------------------------------------------------------------------
37	1 openmotif < 2.2.3-r8 >= 2.2.3-r8
38	*>= 2.1.30-r13
39	2 emul-linux-x86-xlibs < 2.2.1 >= 2.2.1
40	-------------------------------------------------------------------
41	# Package 2 [app-emulation/emul-linux-x86-xlibs] only applies to
42	AMD64 users.
43
44	NOTE: Any packages listed without architecture tags apply to all
45	architectures...
46	-------------------------------------------------------------------
47	2 affected packages
48	-------------------------------------------------------------------
49
50	Description
51	===========
52
53	xfocus discovered two potential buffer overflows in the libUil library,
54	in the diag_issue_diagnostic and open_source_file functions.
55
56	Impact
57	======
58
59	Remotely-accessible or SUID applications making use of the affected
60	functions might be exploited to execute arbitrary code with the
61	privileges of the user running the application.
62
63	Workaround
64	==========
65
66	There is no known workaround at this time.
67
68	Resolution
69	==========
70
71	All OpenMotif users should upgrade to an unaffected version:
72
73	# emerge --sync
74	# emerge --ask --oneshot --verbose x11-libs/openmotif
75
76	All AMD64 x86 emulation X libraries users should upgrade to the latest
77	version:
78
79	# emerge --sync
80	# emerge --ask --oneshot --verbose app-emulation/emul-linux-x86-xlibs
81
82	References
83	==========
84
85	[ 1 ] CVE-2005-3964
86	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3964
87	[ 2 ] xfocus SD-051202 Original Advisory
88
89	http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0047.html
90
91	Availability
92	============
93
94	This GLSA and any updates to it are available for viewing at
95	the Gentoo Security Website:
96
97	http://security.gentoo.org/glsa/glsa-200512-16.xml
98
99	Concerns?
100	=========
101
102	Security is a primary focus of Gentoo Linux and ensuring the
103	confidentiality and security of our users machines is of utmost
104	importance to us. Any security concerns should be addressed to
105	security@g.o or alternatively, you may file a bug at
106	http://bugs.gentoo.org.
107
108	License
109	=======
110
111	Copyright 2005 Gentoo Foundation, Inc; referenced text
112	belongs to its owner(s).
113
114	The contents of this document are licensed under the
115	Creative Commons - Attribution / Share Alike license.
116
117	http://creativecommons.org/licenses/by-sa/2.0