OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
LibAST 0.7 Release Fixes Security Vulnerability

From: Michael Jennings (mejeterm.org)
Date: Mon Jan 23 2006 - 13:53:10 CST


I am pleased to announce the release of LibAST 0.7. The release
summary is below. Please note that this release contains an important
security fix; all users of LibAST are STRONGLY encouraged to update to
this latest version immediately.

The latest version can be obtained in source, RPM, and SRPM forms at:
http://www.eterm.org/download/

Release Notes:
--------------

The string class is now both an interface and an implementation so
that parallel implementations (e.g., a gstring wrapper) can be
created. Detection of Imlib2 support, and a pixmap leak when it
was disabled, were fixed. Also some fixes for gcc4 and newer
autotools have been included.

This release also contains a security fix for CVE-2006-0224, a buffer
overflow vulnerability discovered by Rosiello Security
(www.rosiello.org) which could lead to privilege escalation in
setuid/setgid applications using LibAST's configuration engine. This
includes any platforms on which Eterm is setuid/setgid (e.g., setgid
utmp). Thanks to Angelo Rosiello and his team for discovering this
issue and coordinating with me for the fix and release.

More details on the vulnerability are available at
http://www.rosiello.org/en/read_bugs.php?id=25

Michael

--
Michael Jennings (a.k.a. KainX) http://www.kainx.org/ <mejkainx.org>
n + 1, Inc., http://www.nplus1.net/ Author, Eterm (www.eterm.org)
-----------------------------------------------------------------------
 "Don't risk more than you can afford to walk away without."
                                                   -- Rule of Life #39