[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070814033255.GH7789@outflux.net>
Date: Mon, 13 Aug 2007 20:32:55 -0700
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: [USN-497-1] xfce4-terminal vulnerability
===========================================================
Ubuntu Security Notice USN-497-1 August 14, 2007
xfce4-terminal vulnerability
CVE-2007-3770
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
xfce4-terminal 0.2.5+r21674-0ubuntu2.1
Ubuntu 6.10:
xfce4-terminal 0.2.5.4-0ubuntu2.1
Ubuntu 7.04:
xfce4-terminal 0.2.6-0ubuntu3.1
After a standard system upgrade you need to restart your session to
effect the necessary changes.
Details follow:
Lasse Kärkkäinen discovered that the Xfce Terminal did not correctly
escape shell meta-characters during "Open Link" actions. If a remote
attacker tricked a user into opening a specially crafted URI, they could
execute arbitrary commands with the user's privileges.
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5+r21674-0ubuntu2.1.diff.gz
Size/MD5: 7892 902a748e0c0fe963aed9f62d7492247c
http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5+r21674-0ubuntu2.1.dsc
Size/MD5: 982 7ab2af378e2db311101541887b3d899f
http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5+r21674.orig.tar.gz
Size/MD5: 1719502 202f3d5364127ee2cd3434e7fecad5d2
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5+r21674-0ubuntu2.1_amd64.deb
Size/MD5: 1005574 5b196f5dc586000452233f215248423b
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5+r21674-0ubuntu2.1_i386.deb
Size/MD5: 998716 7476e02c550b2876da957249e126ba91
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5+r21674-0ubuntu2.1_powerpc.deb
Size/MD5: 1002380 eec3f73feb99b58aaef302ffa0cf24b8
sparc architecture (Sun SPARC/UltraSPARC)
http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5+r21674-0ubuntu2.1_sparc.deb
Size/MD5: 1000628 822e33229ad34eb7703051a8ea3eab88
Updated packages for Ubuntu 6.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5.4-0ubuntu2.1.diff.gz
Size/MD5: 7764 6759a5320fc94d1c95d2fd68dbbf974d
http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5.4-0ubuntu2.1.dsc
Size/MD5: 967 5556541b5e806d77a068018609d97674
http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5.4.orig.tar.gz
Size/MD5: 1914192 858ff414d46c2bdd695da3874ef01090
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5.4-0ubuntu2.1_amd64.deb
Size/MD5: 1010080 607dc6c46565dac2cfa378134e5d91e2
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5.4-0ubuntu2.1_i386.deb
Size/MD5: 1004880 343ed30f5a69e7caeb081269c7300b31
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5.4-0ubuntu2.1_powerpc.deb
Size/MD5: 1006248 2c3e3ff2ceb6711f055b4e1af3c28607
sparc architecture (Sun SPARC/UltraSPARC)
http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5.4-0ubuntu2.1_sparc.deb
Size/MD5: 1004086 b7744640ce68f8f8d8763dee3414ffb8
Updated packages for Ubuntu 7.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.6-0ubuntu3.1.diff.gz
Size/MD5: 8617 2ed6e7705918937831599b2c3d366777
http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.6-0ubuntu3.1.dsc
Size/MD5: 1043 435a5294f568d44abbd907bec892e50e
http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.6.orig.tar.gz
Size/MD5: 1989139 c93cc68cc7656dfcb57118a999b79242
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.6-0ubuntu3.1_amd64.deb
Size/MD5: 1014248 8af1dd3b37a96344c3a892de94745867
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.6-0ubuntu3.1_i386.deb
Size/MD5: 1008944 a3e14fefeecbc2b3128652b809c5a27a
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.6-0ubuntu3.1_powerpc.deb
Size/MD5: 1019758 fd1f70e5262180924f1f741f8abf79b7
sparc architecture (Sun SPARC/UltraSPARC)
http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.6-0ubuntu3.1_sparc.deb
Size/MD5: 1012044 3539fef005cc32fa15e331870b3313bb
Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)
Powered by blists - more mailing lists