Message-ID: <20091005213438.GP7496@outflux.net>
Date: Mon, 5 Oct 2009 14:34:38 -0700
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: [USN-841-1] GLib vulnerability

===========================================================
Ubuntu Security Notice USN-841-1           October 05, 2009
glib2.0 vulnerability
CVE-2009-3289
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  libglib2.0-0                    2.16.6-0ubuntu1.2

Ubuntu 8.10:
  libglib2.0-0                    2.18.2-0ubuntu2.2

Ubuntu 9.04:
  libglib2.0-0                    2.20.1-0ubuntu2.1

After a standard system upgrade you need to restart your session to effect
the necessary changes.

Details follow:

Arand Nash discovered that applications linked to GLib (e.g. Nautilus)
did not correctly copy symlinks.  If a user copied symlinks with GLib,
the symlink target files would become world-writable, allowing local
attackers to gain access to potentially sensitive information.
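
An audit for the condition described above, as an added example that is not part of the original advisory: it walks a directory tree and reports symlinks whose target is a regular file with the world-writable bit set, which helps locate files whose mode was changed before the update was installed. The function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile


def world_writable_symlink_targets(root):
    """Return sorted (link, target, mode) for symlinks under root whose
    target is a regular file with the world-writable bit (o+w) set."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not stat.S_ISLNK(os.lstat(path).st_mode):
                continue
            try:
                st = os.stat(path)  # follows the link to its target
            except OSError:
                continue  # dangling link or unreadable target
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                findings.append((path, os.path.realpath(path),
                                 stat.S_IMODE(st.st_mode)))
    return sorted(findings)


def build_constructed_tree(base):
    """Constructed sample tree: one affected target, one safe target,
    one dangling link. Returns the directory holding the links."""
    data = os.path.join(base, "data")
    links = os.path.join(base, "copied")
    os.makedirs(data)
    os.makedirs(links)
    for name, mode in (("notes.txt", 0o666), ("report.txt", 0o644)):
        target = os.path.join(data, name)
        with open(target, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(target, mode)
        os.symlink(target, os.path.join(links, name))
    os.symlink(os.path.join(data, "missing"), os.path.join(links, "gone"))
    return links


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for link, target, mode in world_writable_symlink_targets(
                build_constructed_tree(tmp)):
            print(f"{link} -> {target} mode {mode:04o}")
```

Each reported target should be reviewed and its mode reset to what the owner intended; the scan only reads metadata and changes nothing.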


Updated packages for Ubuntu 8.04 LTS:

Updated packages for Ubuntu 8.10:

Updated packages for Ubuntu 9.04:

