Message-ID: <20070124013000.GJ17546@outflux.net>
Date: Tue, 23 Jan 2007 17:30:00 -0800
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: [USN-412-1] GeoIP vulnerability
===========================================================
Ubuntu Security Notice USN-412-1 January 23, 2007
geoip vulnerability
CVE-2007-0159
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  geoip-bin 1.3.10-1ubuntu0.1

Ubuntu 6.06 LTS:
  geoip-bin 1.3.14-2ubuntu0.1

Ubuntu 6.10:
  geoip-bin 1.3.17-1ubuntu0.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Dean Gaudet discovered that the GeoIP update tool did not validate the
filename responses from the update server. A malicious server, or
man-in-the-middle system posing as a server, could write to arbitrary
files with user privileges.
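
The kind of check the details above say was missing, as an added example: this is not the Ubuntu or upstream patch. The function names, the allow-list policy and the /var/lib/GeoIP directory are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NAME_LEN 255   /* assumed upper bound for one path component */

/* Return 1 if a server-supplied name is a plain file name, else 0.
 * Allow-list: letters, digits, '.', '_' and '-'. Everything else is
 * rejected, which covers '/', '\\' and control bytes. Names that start
 * with '.' are refused too, so "." and ".." cannot pass. */
int is_safe_update_filename(const char *name)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";
    size_t len;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > MAX_NAME_LEN)
        return 0;
    if (name[0] == '.')
        return 0;
    return strspn(name, allowed) == len;
}

/* Build "<db_dir>/<name>" in out. Returns 0 on success, -1 if the name
 * is rejected or the joined path does not fit in the buffer. */
int build_update_path(const char *db_dir, const char *name,
                      char *out, size_t outlen)
{
    int n;

    if (!is_safe_update_filename(name))
        return -1;
    n = snprintf(out, outlen, "%s/%s", db_dir, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample responses, not captured traffic. */
    const char *samples[] = { "GeoIP.dat.gz", "../outside.dat",
                              "/tmp/abs.dat", "sub/GeoIP.dat", "" };
    char path[4096];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i],
               build_update_path("/var/lib/GeoIP", samples[i],
                                 path, sizeof path) == 0 ? path : "rejected");
    return 0;
}
```

Name validation alone does not stop a symlink already placed in the target directory, so the file should also be opened with O_NOFOLLOW or written to a temporary file and renamed into place.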