Vulnerabilities in Sun Solaris
Sun Microsystems confirmed in an advisory that an attacker could potentially exploit vulnerabilities in Solaris to launch arbitrary code. "Several security vulnerabilities have been reported in the X Pixmap (libXpm) library which also affect the Motif library (libXm) shipped with Solaris and JDS for Linux since libXm includes the affected libXpm routines," the advisory said. "These security vulnerabilities may allow a remote unprivileged user to execute arbitrary code with the privileges of a local user if that user loads an X Pixmap (.xpm) format image file from an untrusted source with an application that is linked with the Motif library (libXm)." The company said a final resolution for the Solaris platforms is pending completion. For now, users are advised not to load X Pixmap images from untrusted sources. The problems affect Solaris 7, 8 and 9 on the SPARC and x86 platforms. On the Linux platform, the issues impact Sun Java Desktop System (JDS) 2003 without the updated RPMs (patch-9400) and Sun Java Desktop System (JDS) Release 2 without the updated RPMs (patch-9400).
Gentoo fixes libXpm flaws
Gentoo Linux has fixed multiple vulnerabilities in libXpm an attacker could use to remotely launch malicious code. Researcher Chris Evans discovered various integer and stack overflows in libXpm, which is shipped as a part of the X Window System. LessTif, an application that includes this library, is susceptible to the same issues, Gentoo said in its advisory. "A carefully-crafted .xpm file could crash applications that are linked against libXpm, such as LessTif, potentially allowing the execution of arbitrary code with the privileges of the user running the application," the advisory said. There is no known workaround at this time. All LessTif users should upgrade to the latest version.
Fortress acquires technology from Legra
Tampa-based Fortress Technologies has acquired technology and assets from Burlington, Mass.-based Legra Systems Inc. Security processing architecture and wireless switch technology from Legra will be integrated with Fortress' secure policy-based capabilities, creating a more scalable security switch that will support enterprise policy management as wireless becomes more central to the core of the network, company executives said Monday. "Senior technical staff from Legra have joined the Fortress organization to ensure continuity and seamless technology integration," Fortress said in a statement. "Beginning in early 2005, Fortress will deliver models of the AirFortress product line that leverage the acquired technology designs and Legra's switching innovations. The new AirFortress security switch will include platforms ranging from site-optimized devices for remote branch offices, healthcare clinics and retail stores, to larger systems capable of securing entire corporate campus networks and high-speed point-to-point links."