[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050801103542.GA18335@piware.de>
Date: Mon, 1 Aug 2005 12:35:42 +0200
From: Martin Pitt <martin.pitt@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-158-1] gzip utility vulnerability
===========================================================
Ubuntu Security Notice USN-158-1 August 01, 2005
gzip vulnerability
CAN-2005-0758
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
The following packages are affected:
gzip
The problem can be corrected by upgrading the affected package to
version 1.3.5-9ubuntu3.3 (for Ubuntu 4.10), or 1.3.5-9ubuntu3.4 (for
Ubuntu 5.04). In general, a standard system upgrade is sufficient to
effect the necessary changes.
Details follow:
zgrep did not handle shell metacharacters like '|' and '&' properly
when they occurred in input file names. This could be exploited to
execute arbitrary commands with user privileges if zgrep is run in an
untrusted directory with specially crafted file names.
Updated packages for Ubuntu 4.10 (Warty Warthog):
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.3.diff.gz
Size/MD5: 59244 9107611292808f982cb7e84a3e31cda3
http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.3.dsc
Size/MD5: 570 4848f3b7d4bf7dad3bfdce969fdb47a4
http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5.orig.tar.gz
Size/MD5: 331550 3d6c191dfd2bf307014b421c12dc8469
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.3_amd64.deb
Size/MD5: 75472 bae609933a71ea74bb41493df98e193c
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.3_i386.deb
Size/MD5: 70372 b774c65773bcb2cbadec5cc15ef12344
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.3_powerpc.deb
Size/MD5: 76988 5c868f74064211a975e44ec4917887a2
Updated packages for Ubuntu 5.04 (Hoary Hedgehog):
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.4.diff.gz
Size/MD5: 59260 4fe91fb2521be43a1961f7c0ae131014
http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.4.dsc
Size/MD5: 570 62b96204e004beb977ae78ebb99b9120
http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5.orig.tar.gz
Size/MD5: 331550 3d6c191dfd2bf307014b421c12dc8469
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.4_amd64.deb
Size/MD5: 75576 21efd370efb1c0517ac767b95a37ee0a
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.4_i386.deb
Size/MD5: 70394 307afbed15ed18fa0b3ddf339d8b7815
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-9ubuntu3.4_powerpc.deb
Size/MD5: 77130 d3a3407db3ad0a86b5556043984604cf
Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists