Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Moderate: tcl security and bug fix update

Related Vulnerabilities: CVE-2007-4772   CVE-2007-6067   CVE-2007-6067   CVE-2007-4772  

Source

Synopsis

Moderate: tcl security and bug fix update

Type/Severity

Security Advisory: Moderate

Topic

Updated tcl packages that fix two security issues and one bug are now
available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Description

Tcl (Tool Command Language) provides a powerful platform for creating
integration applications that tie together diverse applications, protocols,
devices, and frameworks. When paired with the Tk toolkit, Tcl provides a
fast and powerful way to create cross-platform GUI applications.

Two denial of service flaws were found in the Tcl regular expression
handling engine. If Tcl or an application using Tcl processed a
specially-crafted regular expression, it would lead to excessive CPU and
memory consumption. (CVE-2007-4772, CVE-2007-6067)

This update also fixes the following bug:

  • Due to a suboptimal implementation of threading in the current version of
    the Tcl language interpreter, an attempt to use threads in combination with
    fork in a Tcl script could cause the script to stop responding. At the
    moment, it is not possible to rewrite the source code or drop support for
    threading entirely. Consequent to this, this update provides a version of
    Tcl without threading support in addition to the standard version with this
    support. Users who need to use fork in their Tcl scripts and do not require
    threading can now switch to the version without threading support by using
    the alternatives command. (BZ#478961)

All users of Tcl are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Affected Products

  • Red Hat Enterprise Linux Server 5 x86_64
  • Red Hat Enterprise Linux Server 5 ia64
  • Red Hat Enterprise Linux Server 5 i386
  • Red Hat Enterprise Linux Workstation 5 x86_64
  • Red Hat Enterprise Linux Workstation 5 i386
  • Red Hat Enterprise Linux Desktop 5 x86_64
  • Red Hat Enterprise Linux Desktop 5 i386
  • Red Hat Enterprise Linux for IBM z Systems 5 s390x
  • Red Hat Enterprise Linux for Power, big endian 5 ppc
  • Red Hat Enterprise Linux Server from RHUI 5 x86_64
  • Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

  • BZ - 316511 - CVE-2007-4772 postgresql DoS via infinite loop in regex NFA optimization code
  • BZ - 400931 - CVE-2007-6067 postgresql: tempory DoS caused by slow regex NFA cleanup
  • BZ - 478961 - [RHEL5] tcl threads support implementation can cause scripts to hang

CVEs

References

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started