| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20051017131730.GA32587@piware.de>
Date: Mon, 17 Oct 2005 15:17:30 +0200
From: Martin Pitt <martin.pitt@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-208-1] graphviz vulnerability
===========================================================
Ubuntu Security Notice USN-208-1 October 17, 2005
graphviz vulnerability
CAN-2005-2965
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 5.04 (Hoary Hedgehog)
The following packages are affected:
graphviz
The problem can be corrected by upgrading the affected package to
version 2.2-1ubuntu0.1. In general, a standard system upgrade is
sufficient to effect the necessary changes.
Details follow:
Javier Fernández-Sanguino Peña discovered that the "dotty" tool
created and used temporary files in an insecure way. A local attacker
could exploit this with a symlink attack to create or overwrite
arbitrary files with the privileges of the user running dotty.
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/g/graphviz/graphviz_2.2-1ubuntu0.1.diff.gz
Size/MD5: 207632 5e836a324f059215f8d0daaa9d469107
http://security.ubuntu.com/ubuntu/pool/main/g/graphviz/graphviz_2.2-1ubuntu0.1.dsc
Size/MD5: 788 7c934df6c6a84e937a7060d9743d1c29
http://security.ubuntu.com/ubuntu/pool/main/g/graphviz/graphviz_2.2.orig.tar.gz
Size/MD5: 4379295 9275d30695a5c22f360acbef7b85acd3
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/universe/g/graphviz/graphviz-dev_2.2-1ubuntu0.1_amd64.deb
Size/MD5: 147494 2b23526fde607848990ee8b931ea9e0e
http://security.ubuntu.com/ubuntu/pool/universe/g/graphviz/graphviz-doc_2.2-1ubuntu0.1_amd64.deb
Size/MD5: 1079078 846c09a610e9c7533c34be24ffd35524
http://security.ubuntu.com/ubuntu/pool/main/g/graphviz/graphviz_2.2-1ubuntu0.1_amd64.deb
Size/MD5: 1026506 9f08f1dba4f6e94320600d5c4d043d83
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/universe/g/graphviz/graphviz-dev_2.2-1ubuntu0.1_i386.deb
Size/MD5: 147500 beb9f9a7863864a0da2c829eb4688793
http://security.ubuntu.com/ubuntu/pool/universe/g/graphviz/graphviz-doc_2.2-1ubuntu0.1_i386.deb
Size/MD5: 1079084 58c7bd99908e4d61e946dd82b7000f12
http://security.ubuntu.com/ubuntu/pool/main/g/graphviz/graphviz_2.2-1ubuntu0.1_i386.deb
Size/MD5: 947778 7e0fe2c149954e64cc6fdceaa5ae5bec
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/universe/g/graphviz/graphviz-dev_2.2-1ubuntu0.1_powerpc.deb
Size/MD5: 147508 2c786f652e59e9379e120d7065b5bca5
http://security.ubuntu.com/ubuntu/pool/universe/g/graphviz/graphviz-doc_2.2-1ubuntu0.1_powerpc.deb
Size/MD5: 1079120 e20fb8adb1c98c784dd5016fda1df8d3
http://security.ubuntu.com/ubuntu/pool/main/g/graphviz/graphviz_2.2-1ubuntu0.1_powerpc.deb
Size/MD5: 1075524 2d189fbb333fe89d00dd48a16dc27fc1
Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists