[RHSA-2013:0122-01] Moderate: tcl security and bug fix update

[news 28]

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

=====================================================================

Red Hat Security Advisory

 

Synopsis: Moderate: tcl security and bug fix update

Advisory ID: RHSA-2013:0122-01

Product: Red Hat Enterprise Linux

Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0122.html

Issue date: 2013-01-08

CVE Names: CVE-2007-4772 CVE-2007-6067

=====================================================================

 

1. Summary:

 

Updated tcl packages that fix two security issues and one bug are now

available for Red Hat Enterprise Linux 5.

 

The Red Hat Security Response Team has rated this update as having moderate

security impact. Common Vulnerability Scoring System (CVSS) base scores,

which give detailed severity ratings, are available for each vulnerability

from the CVE links in the References section.

 

2. Relevant releases/architectures:

 

RHEL Desktop Workstation (v. 5 client) - i386, x86_64

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

 

3. Description:

 

Tcl (Tool Command Language) provides a powerful platform for creating

integration applications that tie together diverse applications, protocols,

devices, and frameworks. When paired with the Tk toolkit, Tcl provides a

fast and powerful way to create cross-platform GUI applications.

 

Two denial of service flaws were found in the Tcl regular expression

handling engine. If Tcl or an application using Tcl processed a

specially-crafted regular expression, it would lead to excessive CPU and

memory consumption. (CVE-2007-4772, CVE-2007-6067)

 

This update also fixes the following bug:

 

* Due to a suboptimal implementation of threading in the current version of

the Tcl language interpreter, an attempt to use threads in combination with

fork in a Tcl script could cause the script to stop responding. At the

moment, it is not possible to rewrite the source code or drop support for

threading entirely. Consequent to this, this update provides a version of

Tcl without threading support in addition to the standard version with this

support. Users who need to use fork in their Tcl scripts and do not require

threading can now switch to the version without threading support by using

the alternatives command. (BZ#478961)

 

All users of Tcl are advised to upgrade to these updated packages, which

contain backported patches to correct these issues.

 

4. Solution:

 

Before applying this update, make sure all previously-released errata

relevant to your system have been applied.

 

This update is available via the Red Hat Network. Details on how to

use the Red Hat Network to apply this update are available at

https://access.redhat.com/knowledge/articles/11258

 

5. Bugs fixed (http://bugzilla.redhat.com/):

 

316511 - CVE-2007-4772 postgresql DoS via infinite loop in regex NFA optimization code

400931 - CVE-2007-6067 postgresql: tempory DoS caused by slow regex NFA cleanup

478961 - [RHEL5] tcl threads support implementation can cause scripts to hang

 

6. Package List:

 

Red Hat Enterprise Linux Desktop (v. 5 client):

 

Source:

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/tcl-8.4.13-6.el5.src.rpm

 

i386:

tcl-8.4.13-6.el5.i386.rpm

tcl-debuginfo-8.4.13-6.el5.i386.rpm

tcl-html-8.4.13-6.el5.i386.rpm

 

x86_64:

tcl-8.4.13-6.el5.i386.rpm

tcl-8.4.13-6.el5.x86_64.rpm

tcl-debuginfo-8.4.13-6.el5.i386.rpm

tcl-debuginfo-8.4.13-6.el5.x86_64.rpm

tcl-html-8.4.13-6.el5.x86_64.rpm

 

RHEL Desktop Workstation (v. 5 client):

 

Source:

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/tcl-8.4.13-6.el5.src.rpm

 

i386:

tcl-debuginfo-8.4.13-6.el5.i386.rpm

tcl-devel-8.4.13-6.el5.i386.rpm

 

x86_64:

tcl-debuginfo-8.4.13-6.el5.i386.rpm

tcl-debuginfo-8.4.13-6.el5.x86_64.rpm

tcl-devel-8.4.13-6.el5.i386.rpm

tcl-devel-8.4.13-6.el5.x86_64.rpm

 

Red Hat Enterprise Linux (v. 5 server):

 

Source:

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/tcl-8.4.13-6.el5.src.rpm

 

i386:

tcl-8.4.13-6.el5.i386.rpm

tcl-debuginfo-8.4.13-6.el5.i386.rpm

tcl-devel-8.4.13-6.el5.i386.rpm

tcl-html-8.4.13-6.el5.i386.rpm

 

ia64:

tcl-8.4.13-6.el5.ia64.rpm

tcl-debuginfo-8.4.13-6.el5.ia64.rpm

tcl-devel-8.4.13-6.el5.ia64.rpm

tcl-html-8.4.13-6.el5.ia64.rpm

 

ppc:

tcl-8.4.13-6.el5.ppc.rpm

tcl-8.4.13-6.el5.ppc64.rpm

tcl-debuginfo-8.4.13-6.el5.ppc.rpm

tcl-debuginfo-8.4.13-6.el5.ppc64.rpm

tcl-devel-8.4.13-6.el5.ppc.rpm

tcl-devel-8.4.13-6.el5.ppc64.rpm

tcl-html-8.4.13-6.el5.ppc.rpm

 

s390x:

tcl-8.4.13-6.el5.s390.rpm

tcl-8.4.13-6.el5.s390x.rpm

tcl-debuginfo-8.4.13-6.el5.s390.rpm

tcl-debuginfo-8.4.13-6.el5.s390x.rpm

tcl-devel-8.4.13-6.el5.s390.rpm

tcl-devel-8.4.13-6.el5.s390x.rpm

tcl-html-8.4.13-6.el5.s390x.rpm

 

x86_64:

tcl-8.4.13-6.el5.i386.rpm

tcl-8.4.13-6.el5.x86_64.rpm

tcl-debuginfo-8.4.13-6.el5.i386.rpm

tcl-debuginfo-8.4.13-6.el5.x86_64.rpm

tcl-devel-8.4.13-6.el5.i386.rpm

tcl-devel-8.4.13-6.el5.x86_64.rpm

tcl-html-8.4.13-6.el5.x86_64.rpm

 

These packages are GPG signed by Red Hat for security. Our key and

details on how to verify the signature are available from

https://access.redhat.com/security/team/key/#package

 

7. References:

 

https://www.redhat.com/security/data/cve/CVE-2007-4772.html

https://www.redhat.com/security/data/cve/CVE-2007-6067.html

https://access.redhat.com/security/updates/classification/#moderate

 

8. Contact:

 

The Red Hat security contact is . More contact

details at https://access.redhat.com/security/team/contact/

 

Copyright 2013 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.4 (GNU/Linux)

 

iD8DBQFQ68J7XlSAg2UNWIIRAkpLAKClOD2mxtWYJHEZFqmwyWE92q+7aQCeJjnr

t8jUxGiuznsY1pcv6ahuaMM=

=61uR

-----END PGP SIGNATURE-----

 

 

--