Linux vendors have been hit by two fresh security bugs, affecting a widely used graphics decoder and the Gaim instant-messaging client.

Separately, Red Hat, the biggest Linux developer, said attackers have begun targeting Red Hat users with an email-based scam similar to methods commonly used to target Windows.

The flaws in Gaim and libtiff, used by many Linux graphics programs to decode tiff images, follow a series of serious bugs patched last week. The earlier flaws affected Linux's libpng, Xpdf and Cups components.

Researcher Chris Evans uncovered a series of boundary errors affecting the RLE-decoding components of libtiff, which could be exploited to cause heap-based buffer overflows. A malicious user could exploit these flaws by tricking a user into viewing a maliciously crafted tiff image with an application that uses libtiff, researchers said; such an image could crash the application and execute malicious code on the user's computer.

Evans said the specific flaws he publicised are likely to be only the tip of the iceberg. "Unfortunately, due to the size of libtiff, only a limited scan for flaws was possible. These flaws are likely to typify others present," he said in an advisory.

A second flaw in libtiff, a division-by-zero bug discovered by Matthias Claasen, could crash libtiff-linked applications. Finally, auditing by Dmitry Levin uncovered integer overflows which could also be used to execute arbitrary code on a user's PC, according to an advisory from Danish security firm Secunia.

Suse and Red Hat issued advisories on the libtiff flaw late last week, along with patches for the component.

The bug in Gaim, also publicised last week, can be exploited by sending a specially crafted message using the MSN SLP protocol. A boundary error within the handling of such messages can be exploited to cause a buffer overflow, crash the application and execute arbitrary code, Secunia said.

MandrakeSoft said bugs affecting version 0.75 of Gaim, which ships with Mandrake Linux 10.0, included the way the application handles smiley themes and very long URLs. Both bugs could allow malicious code execution, MandrakeSoft said. MandrakeSoft, Gentoo, Red Hat, Slackware and others are issuing patches for Gaim.

The Gaim client is widely used on Linux systems to simulate third-party instant messaging clients such as those from Yahoo, AOL and MSN.

Red Hat said on Saturday that users have been targeted by an authentic-looking security notification message which attempts to trick users into downloading and executing malicious code.

"These emails tell users to download and run an update from a users home directory. This fake update appears to contain malicious code," Red Hat said in a warning posted on the front page of its security site. The company urged users to ensure that any security upates appearing to come from Red Hat are safe by validating the messages' digital signature.

The message was made more authentic-looking by the use of a seemingly official website, fedora-redhat.com - which was unavailable as of Monday morning. Before the site disappeared, it contained a message urging users to apply a "critical-critical" update.

"Redhat found a vulnerability in fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges," the site said. "The RedHat Security Team strongly advises you to immediately apply the fileutils-1.0.6 patch. This is a critical-critical update."

Windows users are frequently bombarded by authentic-seeming malicious messages appearing to come from Microsoft, but the technique is a novelty for Linux. Until recently, Linux was rarely used as a desktop platform, but has now gained some ground and, by some counts, is more widely used on the desktop than the Mac OS.


Check out our Windows v Linux Special Report, an independent guide to the two operating systems. Register for free here and get all your queries answered.