A series of security holes in three common Linux components has led open-source suppliers to rush out several updates in just one day.
Two of them, rated "highly critical" by security company Secunia, are in libpng, a library used by a number of applications, including the Mozilla browser to display png graphics files.
The problems are a boundary error in Mozilla’s "png handle" function, and an integer overflow in the "png read" function. These flaws could potentially be exploited by malicious users to trick computer users into viewing a corrupted png image, and inadvertently linking an application into the vulnerable library. Ultimately, it means a hackers could execute arbitrary code on your PC.
In August, a number of security flaws were discovered in libpng, including a bug in the POP3 capability and a risk of unauthorised upload of data from a victim’s computer.
More flaws have also been discovered in Xpdf, which is used to view Adobe pdf files in Linux. A series of integer overflow errors in Xpdf could seriously compromise a victim’s system. As with the libpng vulnerability, malicious users could exploit the Xpdf vulnerability to execute arbitrary code using specially crafted pdf files.
In addition, unspecified errors have been discovered in Xpdf’s logic which can be exploited to create infinite loops, crippling computers by consuming enormous amounts of system resources.
And if that wasn't bad enough, patches issued to fix the Xpdf hole have also flagged up a third hole in the basic Cups printing solution that can give system access.
Some suppliers have already taken steps to protect users against the vulnerabilities. Debian, for example, has issued two patches for its Linux 3.0 users to protect them from the libpng flaws. Mandrake, Fedora and Gentoo, meanwhile, have issued patches for the vulnerabilities in Xpdf, and Mandrake and Gentoo have patches for the Cups hole.
Sally Flood writes for Techworld
This was first published in October 2004